SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 98

changes.mady.by.user Will Snavely

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2021.1

...

Logging sensitive information can violate system security policies and can violate user privacy when the logging level is incorrect or when the log files are insecure.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO13-J

Medium

Probable

High

P4

L3

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
java:
Parasoft_V
java:
Parasoft_V
BD
CERT.
SECURITY
FIO13.SENS
, HIBERNATE

CERT.FIO13.LHII
, SECURITY

CERT.
ESD
FIO13.PEO
, SECURITY

CERT.
ESD
FIO13.CONSEN
Implemented
Prevent exposure of sensitive data
Avoid logging sensitive Hibernate-related information at the 'info' level in 'log4j.properties' files
Do not pass exception messages into output in order to prevent the application from leaking sensitive information
Do not log confidential or sensitive information

Related Guidelines

MITRE CWE

CWE-359, Privacy Violation
CWE-532, Information Exposure through Log Files
CWE-533, Information Exposure through Server Log Files
CWE-542, Information Exposure through Cleanup Log Files

Android Implementation Details

DRD04-J. Do not log sensitive information is an Android-specific instance of this rule.

Bibliography

[API 2014]

Class java.util.logging.Logger

[Chess 2007]

Section 11.1, "Privacy and Regulation: Handling Private Information"

[CVE 2011]

CVE-2005-2990

[PCI DSS Standard]

Payment Card Industry (PCI) Data Security Standard

[Sun 2006]

Java Logging Overview

...


...