You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 44 Next »

Logging is essential for debugging, incident response, or collecting forensic evidence. Nevertheless, logging sensitive data raises many concerns, including the privacy of the stakeholders, limitations imposed by the law on the collection of personal information, and the potential for data exposure by insiders. Sensitive information includes, but is not limited to, IP addresses, user names and passwords, email addresses, credit card numbers and any personally identifiable information such as social security numbers. Many countries prohibit or restrict collection of personal data; others permit retention of personal data only when held in an anonymized form. Consequently, logs must not contain sensitive data, particularly when prohibited by law.

Unfortunately, violations of this rule are common. For example, prior to version 0.8.1, LineControl Java client logged sensitive information including the local user's password [[CVE 2008]].

The java.util.logging class provides the basic logging framework in JDK v1.4 and above; the examples below use the logging framework. The basic principles apply regardless of the particular logging framework chosen.

A program may support multiple levels of sensitivity. Some information, such as access times can be safely logged. Some infomration can be logged, but the log file must be restricted from everyone but particular administrators. Other information, such as credit card numbers can only be logged in encrypted form. Other information, such as passwords, should not be logged at all.

For these code samples, we will assume that the log in question lies outside the trust boundary of the information being sent to it. Also, normal log messages should include additional parameters such as date, time, source event, etc.. We omit them in these examples for the sake of brevity.

Noncompliant Code Example

In this noncompliant code example, a server logs the IP address of the remote client in the event of a security exception. Such data can be misused in various ways, such as building a profile of a user's browsing habits. Such logging may violate legal restrictions in many countries.

If the log cannot be trusted to hold the IP address, it should not hold any info about a SecurityException. When an exception contains sensitive information, the custom MyExceptionReporter class should extract or cleanse it, before returning control to the next statement in the catch block. (See rule ERR00-J. Do not suppress or ignore checked exceptions.)

public void logRemoteIPAddress(String name) {
  Logger logger = Logger.getLogger("com.organization.Log");
  InetAddress machine = null;
  try {
    machine = InetAddress.getByName(name);
  } catch (UnknownHostException e) { 
    Exception e = MyExceptionReporter.handle(e);
  } catch (SecurityException e) {
    Exception e = MyExceptionReporter.handle(e);
    logger.severe(name + "," + machine.getHostAddress() + "," + e.toString());
  }
} 

Compliant Solution

This compliant solution simply does not log the security exception.

   // ...
  catch (SecurityException e) {
    Exception e = MyExceptionReporter.handle(e);
  }

Noncompliant Code Example

Some information that is logged should be elided from console display for security reasons (a possible example might be passenger age). The java.util.logging.Logger class supports different logging levels that can be used for classifying such information. These are FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE. All levels after and including INFO, log the message to the console in addition to an external source.

logger.info("Age: " + passengerAge);

By default, log messages with level INFO are displayed to the console.

Compliant Solution

This noncompliant code example logs at a level below INFOFINEST, in this case — to prevent the passenger age from being displayed on the console. It also makes sure that such messages do not appear on the console. Thus the age is not actually logged.

Handler handlers[] = logger.getHandlers();
for (int i = 0; i < handlers.length; i++) {
  handlers[i].setLevel(Level.INFO);
}
// ...
logger.finest("Age: " + passengerAge);

Risk Assessment

Logging sensitive information can violate system security policies and can violate user privacy when the logging level is incorrect or when the log files are insecure.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO08-J

medium

probable

high

P4

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="71f3e1a2-ac24-462f-a350-f63586ad1d45"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE ID 532

http://cwe.mitre.org/data/definitions/532.html] "Information Exposure Through Log Files"

]]></ac:plain-text-body></ac:structured-macro>

 

CWE ID 533 "Information Exposure Through Server Log Files"

 

CWE ID 359 "Privacy Violation"

 

CWE ID 542 "Information Exposure Through Cleanup Log Files"

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3147c12f-005d-4e2c-96f2-762b7f80e6f2"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]]

Class java.util.logging.Logger

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0a7407d8-60d1-4b04-b694-93410fcd4d17"><ac:plain-text-body><![CDATA[

[[Chess 2007

AA. Bibliography#Chess 07]]]

11.1 Privacy and Regulation: Handling Private Information

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2772788a-2211-4f7a-91a6-911856ed4cf5"><ac:plain-text-body><![CDATA[

[[CVE 2008

AA. Bibliography#CVE 08]]]

[CVE-2005-2990

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2990]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b695dcd3-05df-4eb2-b069-01183fb49360"><ac:plain-text-body><![CDATA[

[[Sun 2006

AA. Bibliography#Sun 06]]]

[Java Logging Overview

http://java.sun.com/javase/6/docs/technotes/guides/logging/overview.html]

]]></ac:plain-text-body></ac:structured-macro>


FIO07-J. Do not create temporary files in shared directories      12. Input Output (FIO)      FIO09-J. Detect and handle file-related errors

  • No labels