Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

If an exception is Exceptions that are thrown while logging is in progress , data may not be logged can prevent successful logging unless special care is taken. This can lead to a multitude of Failure to account for exceptions during the logging process can cause security vulnerabilities, such as denial of service or vulnerabilities that allow the allowing an attacker to conceal critical security exceptions by preventing them from being logged. Consequently, programs must ensure that data logging continues to operate correctly even when exceptions are thrown during the logging process.

Noncompliant Code Example

This noncompliant code example errs by using statements that can throw exceptions when logging is in process. It attempts to log a security exception generated within main, however, it will end up logging no messages if a careless administrator renamed the log file or a crafty attacker caused the logging mechanism to fail through network tampering. While this code is slightly convoluted, it is easy to fall prey to similar mistakes that can result in an important security exception not being logged properly. writes a critical security exception to the standard error stream:

Code Block
bgColor#FFcccc

public class ExceptionLog {

    private String logMessage;

    public static void main(String[] args) {
        ExceptionLog log = new ExceptionLog();
        //some security exception occurs here
        log.logMessage("Security Exception has occurred!");
        log.writeLog(); 
    }
    
    public void logMessage(String message) {
        logMessage = message;
    }
    
    public void writeLog() {
        try {
            FileWriter fw = new FileWriter("log_file.txt", true);  //this can throw an exception and prevent logging 
            BufferedWriter br = new BufferedWriter(fw);
            br.write(logMessage + "\n");
            br.close();
        try {
  // ...
} catch (FileNotFoundExceptionSecurityException fnf){ logMessage("File Not Found Exception!"); }
        catch(IOException ie) { logMessage("IO Exception!"); }          
        se) {
  System.err.println(logMessagese);    
        //misses writingRecover thefrom original security exception to log file, as logMessage has changed
    }
}

Compliant Solution

This compliant solution executes several statements that can possibly throw exceptions prior to performing any security critical operations and allows writeLog() to throw an exception back to the caller in the event of a problem writing to the log file. As a result, exceptions do not result in the silent failure to log a message or a different message than intended being logged. While this is a stringent requirement, it is necessary in cases where an exception can be deliberately thrown to conceal an attacker's tracks. The logging mechanism must be robust and should be able to detect and handle such phenomena.

Code Block
bgColor#ccccff

public class ExceptionLog {
    
    private static String logMessage;
    
    public static void main(String[] args) {
        ExceptionLog log = new ExceptionLog();
        FileWriter fw=null;
        BufferedWriter bw=null;
        try {
            fw = new FileWriter("log_file.txt", true);  //this can throw an exception, but the logging of messages is not silently prevented.
            bw = new BufferedWriter(fw);
        }
        catch (IOException e) { 
            // The logging example cannot recover from failure to open
            // the log file.
            throw new RuntimeException(e);
        }
        
        //some security exception occurs here
        try {
            log.logMessage("Security Exception has occurred!");
            log.writeLog(bw);
        }
        catch (IOException e) {
            // Logging of the security exception does not silently fail.
            System.err.println("Logging error failed.");
        }
        
        try {
            bw.close();
        }
        catch (IOException e) {
            System.err.println("Closing log file failed.");
        }
    }
    
    public static void logMessage(String message) {
        logMessage = message;
    }
    
    public void writeLog(BufferedWriter bw) throws IOException {
        bw.write(logMessage + "\n");
        System.err.println(logMessage);    
    }
}

A slightly more expensive alternative is to support recursive logging.

Note that this recommendation does not prevent a program from reopening a closed log file after it realizes that important data must be captured. While an IOException is possible, there is little that can be done when writing the data to the log file is itself under question.

Risk Assessment

Writing such exceptions to the standard error stream is inadequate for logging purposes. First, the standard error stream may be exhausted or closed, preventing recording of subsequent exceptions. Second, the trust level of the standard error stream may be insufficient for recording certain security-critical exceptions or errors without leaking sensitive information. If an I/O error were to occur while writing the security exception, the catch block would throw an IOException and the critical security exception would be lost. Finally, an attacker may disguise the exception so that it occurs with several other innocuous exceptions.

Using Console.printf(), System.out.print*(), or Throwable.printStackTrace() to output a security exception also constitutes a violation of this rule.

Compliant Solution

This compliant solution uses java.util.logging.Logger, the default logging API provided by JDK 1.4 and later. Use of other compliant logging mechanisms, such as log4j, is also permitted.

Code Block
bgColor#ccccff
try {
  // ...
} catch(SecurityException se) {
  logger.log(Level.SEVERE, se);
  // Recover from exception
}

Typically, only one logger is required for the entire program.

Risk Assessment

Exceptions thrown during data logging can cause loss of data and can conceal security problemsIf an exception is thrown while data is being logged then data may be lost or problems may be concealed.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXC02

ERR02-J

medium

Medium

likely

Likely

high

High

P6

L2

Automated Detection

...

ToolVersionChecker

Description

CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.DEBUG.LOG

Debug Warning (Java)

SonarQube
Include Page
SonarQube_V
SonarQube_V
S106Standard outputs should not be used directly to log anything


Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [Class Logger|http://java.sun.com/javase/6/docs/api/java/util/logging/Logger.html]
\[[JLS 05|AA. Java References#JLS 05]\] [Chapter 11, Exceptions|http://java.sun.com/docs/books/jls/third_edition/html/exceptions.html]

HARMONY-5981 describes a vulnerability in the HARMONY implementation of Java. In this implementation, the FileHandler class can receive log messages, but if one thread closes the associated file, a second thread will throw an exception when it tries to log a message.

Bibliography


...

Image Added Image Added Image AddedEXC01-J. Do not allow exceptions to transmit sensitive information      11. Exceptional Behavior (EXC)      EXC03-J. Try to recover gracefully from system errors