If an exception is thrown while logging is in progress, data may not be logged unless special care is taken. This can result in a multitude of vulnerabilities, such as denial of service or vulnerabilities that allow the attacker to conceal critical security exceptions by preventing them from being logged.
Noncompliant Code Example
This noncompliant code example uses statements that can throw exceptions when logging is in process. It attempts to log a SecurityException generated within the run() method, however, the original log message is not logged if an exception is thrown during the logging process. An exception is thrown if there is a problem with the application's file system or if a thread attempts to write to the log file when the file is locked by another thread. An attacker can exploit these problems by:
...
| Code Block | ||
|---|---|---|
| ||
public class ExceptionLog implements Runnable {
public void logMessage(String message) {
FileOutputStream fo = null;
FileLock lock = null;
try {
// This can throw an exception and prevent logging.
fo = new FileOutputStream("log_file.txt", true);
// Lock the file so only one thread can write a log message at a time.
lock = fo.getChannel().lock();
// Output the log message.
System.err.println(message);
fo.write((message + "\n").getBytes());
}
// If an exception is caught, the original message to log is lost
catch (FileNotFoundException e){
logMessage("File Not Found Exception.");
}
catch(IOException e) {
logMessage("IO Exception.");
}
catch (OverlappingFileLockException e) {
logMessage("Cannot access file.");
}
finally {
// Clean up by releasing the file lock and closing the file.
try {
if (lock != null) {
lock.release();
}
if (fo != null) {
fo.close();
}
} catch (IOException e) {
// This is unexpected.
throw new RuntimeException(e);
}
}
}
public void run() {
try {
// Some security exception occurs here.
} catch(SecurityException se) {
logMessage("Security Exception has occurred!");
}
}
public static void main(String[] args) {
// Start multiple threads logging messages.
for (int x=1; x<=20; x++) {
(new Thread(new ExceptionLog())).start();
}
}
}
|
Compliant Solution
This compliant solution executes several statements that can possibly throw exceptions prior to performing any security critical operations and uses the thread and exception safe Java Logger class to implement logging (see EXC03-J. Use a logging API to log critical security exceptions for more information on the use of logging libraries). As a result, exceptions do not result in failure to log a message or a different message than intended being logged. While this is a stringent requirement, it is necessary in cases where an exception can be deliberately thrown to conceal an attacker's tracks. The logging mechanism must be robust and should be able to detect and handle all such cases.
...
While in this compliant solution an IOException is still possible, there is little that can be done when writing the data to the log file if the existence of the file itself is under question.
Risk Assessment
If an exception is thrown while data is being logged then data may be lost or problems may be concealed.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXC02- J | medium | likely | high | P6 | L2 |
Automated Detection
TODO
Related Vulnerabilities
References
| Wiki Markup |
|---|
\[[API 06|AA. Java References#API 06]\] [Class Logger|http://java.sun.com/javase/6/docs/api/java/util/logging/Logger.html] \[[JLS 05|AA. Java References#JLS 05]\] [Chapter 11, Exceptions|http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html] |
...