Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

Logging is essential for debugging, incident response, and collecting forensic evidence. Nevertheless, logging sensitive data raises many concerns, including the privacy of the stakeholders, limitations imposed by the law on the collection of personal information, and the potential for data exposure by insiders. Sensitive information includes, but is not limited to, IP addresses, user names and passwords, email addresses, credit card numbers, and any personally identifiable information such as social security numbers. Many countries prohibit or restrict collection of personal data; others permit retention of personal data only when held in an anonymized form. For example, leaking unencrypted credit card numbers into a log file could be a violation of PCI DSS (Payment Card Industry Data Security Standard) regulations [PCI 2010]. Consequently, logs must not contain sensitive data, particularly when prohibited by law.

...

Programs typically support varying levels of protection. Some information, such as access times, can be safely logged. Some information can be logged, but the log file must be restricted from everyone but particular administrators. Other information, such as credit card numbers, can be included in logs only in encrypted form. Information , such as passwords , should not be logged at all.

...

When the log cannot contain IP addresses, it should not contain any information about a SecurityException, because it might leak an IP address. When an exception contains sensitive information, the custom MyExceptionReporter class should extract or cleanse it before returning control to the next statement in the catch block (see rule ERR00-J. Do not suppress or ignore checked exceptions).

Code Block
bgColor#FFcccc

public void logRemoteIPAddress(String name) {
  Logger logger = Logger.getLogger("com.organization.Log");
  InetAddress machine = null;
  try {
    machine = InetAddress.getByName(name);
  } catch (UnknownHostException e) {
    Exception e = MyExceptionReporter.handle(e);
  } catch (SecurityException e) {
    Exception e = MyExceptionReporter.handle(e);
    logger.severe(name + "," + machine.getHostAddress() + "," +
                  e.toString());
  }
}

...

This compliant solution does not log security exceptions except for the logging implicitly performed by MyExceptionReporter.:

Code Block
bgColor#ccccff

  // ...
  catch (SecurityException e) {
    Exception e = MyExceptionReporter.handle(e);
  }

...

Log messages with sensitive information should not be printed to the console display for security reasons (a possible example of sensitive information is passenger age). The java.util.logging.Logger class supports different logging levels that can be used for classifying such information. These are : FINEST, FINER, FINE, CONFIG, INFO, WARNING, and SEVERE. By default, the INFO, WARNING, and SEVERE levels print the message to the console, which is accessible by end users and system administrators.

If we assume that the passenger age can appear in log files on the current system but not on the console display, this code example is noncompliant.

Code Block
bgColor#FFcccc

logger.info("Age: " + passengerAge);

...

This compliant solution logs the passenger age at the FINEST level to prevent this information from displaying on the console. As noted previously, we are assuming the age may appear in system log files but not on the console.

Code Block
bgColor#ccccff

// makeMake sure that all handlers only print log messages rated INFO or higher
Handler handlers[] = logger.getHandlers();
for (int i = 0; i < handlers.length; i++) {
  handlers[i].setLevel(Level.INFO);
}
// ...
logger.finest("Age: " + passengerAge);

...

Logging sensitive information can violate system security policies and can violate user privacy when the logging level is incorrect or when the log files are insecure.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO13-J

medium

Medium

probable

Probable

high

High

P4

L3

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.FIO13.SENS
CERT.FIO13.LHII
CERT.FIO13.PEO
CERT.FIO13.CONSEN
Prevent exposure of sensitive data
Avoid logging sensitive Hibernate-related information at the 'info' level in 'log4j.properties' files
Do not pass exception messages into output in order to prevent the application from leaking sensitive information
Do not log confidential or sensitive information

Related Guidelines

MITRE CWE

CWE-

532. Information exposure through log files  

359, Privacy Violation
CWE-532, Information Exposure through Log Files
CWE-533

.

, Information

exposure through server log files

 

CWE-359. Privacy violation

 

CWE-542. Information exposure through cleanup log files

Bibliography

Exposure through Server Log Files
CWE-542, Information Exposure through Cleanup Log Files

Android Implementation Details

DRD04-J. Do not log sensitive information is an Android-specific instance of this rule.

Bibliography

[API 2014]

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8473471b-f937-4792-9b44-4046f2b67df8"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

Class java.util.logging.Logger

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="146859af-68f4-4893-a8cd-a0693a1a8d9c"><ac:plain-text-body><![CDATA[

[

[Chess 2007

AA. Bibliography#Chess 07

]

]

Section 11.1, "Privacy and Regulation: Handling Private Information

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup

"

ac:schema-version="1" ac:macro-id="dacc67b8-f9c3-4642-ab5c-6b06bafc2b2c"><ac:plain-text-body><![CDATA[

[

[

CVE 2011

AA. Bibliography#CVE 08]

]

[

CVE-2005-2990

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2990]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="df87a9f6-1d56-4982-9c0f-6251ce322a55"><ac:plain-text-body><![CDATA[

[[Sun 2006

AA. Bibliography#Sun 06]]

[Java Logging Overview

http://java.sun.com/javase/6/docs/technotes/guides/logging/overview.html]

]]></ac:plain-text-body></ac:structured-macro>

[PCI DSS Standard]

Payment Card Industry (PCI) Data Security Standard

[Sun 2006]

Java Logging Overview


...

Image Added Image Added Image Removed      12. Input Output (FIO)