You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 14 Next »

Logging is essential for gathering debugging information, carrying out incident response or forensics activities and for maintaining incriminating evidence. However, sensitive data should not be logged for many reasons. Privacy of the stakeholders, limitations imposed by the law on the collection of personal information, and data exposure through insiders are a few concerns. Sensitive information includes and is not limited to IP addresses, user names and passwords, email addresses, credit card numbers and any personally identifiable information such as social security numbers. In JDK v1.4 and above, the java.util.logging class provides the basic logging framework.

While several instances of this anti-pattern can be found in the wild, one example is of the fix provided in the LineControl Java client. Prior to version 0.8.1, the client logged sensitive information such as the local user's password. [[CVE 08]]

Noncompliant Code Example

In this noncompliant code example, a server logs the IP address of the remote client in the event of a security exception. Such data can be misused for nefarious purposes such as building a profile of the user's browsing habits. Many countries disallow the collection of non-anonymous personal data while others allow its retention in an anonymized form.

public void logRemoteIPAddress(String name){
  Logger logger = Logger.getLogger("com.organization.Log");
  InetAddress machine = null;
  try {
    machine = InetAddress.getByName(name);
  } catch (UnknownHostException e){ 
    Exception e = MyExceptionReporter.handle(e);
  } catch (SecurityException e){
    Exception e = MyExceptionReporter.handle(e);
    logger.severe(name + "," + machine.getHostAddress() + "," + e.toString());
  }
} 

Compliant Solution

This compliant solution excludes the sensitive information from the log message.

// ...
catch (SecurityException e){
  Exception e = MyExceptionReporter.handle(e);
  logger.log(Level.FINEST, "Security Exception Occurred", e);
}

If the exception contains sensitive information, the custom MyExceptionReporter class should extract or cleanse it, before returning control to the next statement in the catch block. (EXC05-J. Use a class dedicated to reporting exceptions)

Noncompliant Code Example

Sometimes, some information is fit to be logged but should not be displayed on the console for security reasons (for instance, passenger age). The java.util.logging.Logger class supports different logging levels that can be used for classifying such information. These are FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE. All levels after and including INFO, log the message to the console in addition to an external source.

logger.info(passengerAge);  // displays passenger age on the console 

Compliant Solution

This compliant solution logs at the FINEST level so that the passenger age is not displayed on the console.

logger.finest(passengerAge); // does not display on the console

Noncompliant Code Example

It is also possible for sensitive user data to get recorded without deliberate intent, for example, when the log message uses user supplied input. In this noncompliant code example, the user mistakenly enters personal details (such as an SSN) in the occupation field. A suspicious server might throw an exception during input validation and the entered data will be logged so that intrusion detection systems can operate on it. Clearly, logging personally identifiable information is undesirable.

String str = JOptionPane.showInputDialog(null, "Enter your occupation: ", 
"Tax Help Form", 1);

Compliant Solution

As a first step, a filter can be applied to the input to prevent inadvertent logging of sensitive data. In this compliant solution, a check is enforced so that a string of digits from the SSN field that lies above say the occupation field, does not accidentally show up in the log files.

public class MyFilter implements Filter {
  public boolean isLoggable(LogRecord lr) {
    String msg = lr.getMessage();
    if (msg.matches("\\d*")) {  // Filters out any digits
      return false;
    }
    return true;
  }
}

// Set the filter in main code
Logger logger = Logger.getLogger("com.organization.Log");
logger.setFilter(new MyFilter());

NOTE: A log entry should also contain other parameters such as date, time, source event and so on. Some of these parameters have been omitted from this example for the sake of brevity.

Risk Assessment

Logging sensitive information can break the security of the system and violate user privacy when the logging level is incorrect or when the files are not secured properly.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO30- J

medium

probable

high

P4

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[API 06]]] Class java.util.logging.Logger
[[Sun 06]]] Java Logging Overview
[[CVE 08]]] CVE-2005-2990
[[Chess 07]]] 11.1 Privacy and Regulation: Handling Private Information
[[MITRE 09]] CWE ID 532 "Information Leak Through Log Files", CWE ID 533 "Information Leak Through Server Log Files", CWE ID 359 "Privacy Violation", CWE ID 542 "Information Leak Through Cleanup Log Files"


FIO03-J. Specify the character encoding while performing file or network IO      09. Input Output (FIO)      FIO31-J. Defensively copy mutable inputs and mutable internal components

  • No labels