Logging is essential for gathering debugging information, carrying out incident response or forensics activities, and for maintaining incriminating evidence. However, sensitive data should not be logged, for several reasons: the privacy of the stakeholders, limitations imposed by law on the collection of personal information, and the risk of data exposure through insiders are a few of them. Sensitive information includes, but is not limited to, IP addresses, user names and passwords, email addresses, credit card numbers and any personally identifiable information such as social security numbers. In JDK 1.4 and above, the java.util.logging package provides the basic logging framework.
While we expect several instances of this anti-pattern to exist in the wild, one documented example is the fix provided in the LineControl Java client. Prior to version 0.8.1, the client logged sensitive information such as the local user's password. [CVE 08]
...
If the exception contains such information, the custom MyExceptionReporter class should extract or cleanse it before returning control to the catch block (EXC05-J. Use a class dedicated to reporting exceptions).
Noncompliant Code Example
...
As a first step, a filter can be applied to the input to prevent inadvertent logging of sensitive data. In this compliant solution, a check is built in so that a string of digits intended for the SSN field (which might, say, lie directly above the occupation field on a form and so be mistyped into it) does not accidentally show up in the log files.
...
NOTE: A log entry should also contain other parameters such as date, time, source event and so on. Some of these parameters have been omitted from this example for the sake of brevity.
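The layered approach sketched above, as an added example in Java that is not code from the CERT page: an input check on a hypothetical occupation field refuses SSN-shaped values without echoing them, and a java.util.logging.Filter installed on the Logger scrubs any SSN-shaped digit run that reaches the logger anyway (in the message template and in its {0}-style parameters) and drops records that carry a password token. The class name, field names and sample messages are assumptions.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Filter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/*
 * Added example, not code from the CERT page. Two layers of defense against an
 * SSN that a user typed into the wrong form field ending up in a log file:
 *   1. an input check rejects a free-text "occupation" value that looks like
 *      an SSN before it ever reaches the logger, and
 *   2. a java.util.logging.Filter on the Logger redacts anything SSN-shaped
 *      that still gets logged and drops records that carry a password token.
 * Field names, messages and the "hunter2" sample value are hypothetical.
 */
public class SensitiveDataLogging {

    // 123-45-6789 or 123456789, not embedded in a longer digit run.
    private static final Pattern SSN =
        Pattern.compile("(?<!\\d)\\d{3}-?\\d{2}-?\\d{4}(?!\\d)");
    // "password=" / "Password:" etc. anywhere in the message.
    private static final Pattern PASSWORD = Pattern.compile("(?i)password\\s*[=:]");

    private static final Logger LOGGER =
        Logger.getLogger(SensitiveDataLogging.class.getName());

    /** Redacts SSN-shaped digit runs in the message and its parameters; suppresses password records. */
    static final class RedactingFilter implements Filter {
        @Override
        public boolean isLoggable(LogRecord record) {
            String msg = record.getMessage();
            if (msg != null) {
                if (PASSWORD.matcher(msg).find()) {
                    return false; // never write a record that names a password
                }
                record.setMessage(SSN.matcher(msg).replaceAll("[REDACTED-SSN]"));
            }
            // Parameterized messages ("{0}") are formatted by the Handler later,
            // so the parameters must be scrubbed too, not just the template.
            Object[] params = record.getParameters();
            if (params != null) {
                for (int i = 0; i < params.length; i++) {
                    if (params[i] instanceof String) {
                        params[i] = SSN.matcher((String) params[i]).replaceAll("[REDACTED-SSN]");
                    }
                }
                record.setParameters(params);
            }
            return true;
        }
    }

    /** Input check: refuse an occupation value that resembles an SSN, without echoing it. */
    static boolean acceptOccupation(String occupation) {
        if (SSN.matcher(occupation).find()) {
            LOGGER.log(Level.WARNING, "Rejected occupation field: value resembles an SSN");
            return false;
        }
        LOGGER.log(Level.INFO, "Occupation recorded: {0}", occupation);
        return true;
    }

    public static void main(String[] args) {
        LOGGER.setUseParentHandlers(false);     // keep the root logger's handler out of the picture
        Handler handler = new ConsoleHandler();  // SimpleFormatter adds date, time and source
        handler.setLevel(Level.ALL);
        LOGGER.addHandler(handler);
        LOGGER.setLevel(Level.ALL);
        LOGGER.setFilter(new RedactingFilter()); // Logger.log() consults this before any Handler

        acceptOccupation("engineer");            // logged as-is
        acceptOccupation("123-45-6789");         // rejected; the SSN never reaches the log
        LOGGER.log(Level.INFO, "Caller {0} asked about invoice 42", "987654321"); // parameter redacted
        LOGGER.info("Login failed, password=hunter2");                            // record dropped entirely
    }
}
```

Compile and run with javac SensitiveDataLogging.java && java SensitiveDataLogging; the redacted and surviving lines go to standard error via ConsoleHandler. The Filter is a safety net for log calls elsewhere in the code base, not a substitute for the input check: pattern-based redaction only catches formats it knows about (an SSN typed with spaces, or a password in a message that does not use the word "password", slips through), so the primary control remains not passing sensitive values to the logger in the first place.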
Risk Assessment
Logging sensitive information can compromise the security of the system and violate user privacy, particularly when the logging level is set incorrectly or when the log files are not properly secured.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FIO30-J | medium | probable | high | P4 | L3 |
...