SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 66 Next »

Exceptions that are thrown while logging is in progress can prevent successful logging unless special care is taken. Failure to account for exceptions during the logging process can cause security vulnerabilities such as allowing an attacker to conceal critical security exceptions by preventing them from being logged. Consequently, programs must ensure that data logging continues to operate correctly even when exceptions are thrown during the logging process.

Noncompliant Code Example

This noncompliant code example writes a critical security exception to the standard error stream. 

try {
  // ...
} catch (SecurityException se) {
  System.err.println(e);
  // Recover from exception
}

Writing such exceptions to the standard error stream is inadequate for logging purposes. First, the standard error stream may be exhausted, preventing recording of subsequent exceptions. Second, the trust level of the standard error stream may be insufficient for recording certain security critical exceptions or errors without leaking sensitive information. If an I/O error occurs while writing the security exception, the catch block will throw an IOException and the critical security exception will be lost. Finally, an attacker may disguise the exception so that it occurs with several other innocuous exceptions.

Similarly, using Console.printf(), System.out.print*() or e.printStackTrace() to output a security exception also constitutes a violation of this guideline.

Compliant Solution

This compliant solution uses java.util.logging.Logger, the default logging API provided by JDK 1.4 and later. Use of other compliant logging mechanisms, such as log4j, is also permitted.

try {
  // ...
} catch(SecurityException se) {
  logger.log(Level.SEVERE, se);
  // Recover from exception
}

Typically, only one logger is required for the entire program.

Exceptions

EXC07-EX0: Some application servers such as IBM's WebSphere automatically log critical security exceptions such as AccessControlException. However, such servers may fail to log the entire set of exceptions considered critical in the security model for any particular program. Consequently, programs must appropriately log all critical security exceptions beyond those logged by their application server.

Risk Assessment

Exceptions thrown during data logging can cause loss of data and can conceal security problems.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

EXC07-J

medium

likely

high

P6

L2

Related Vulnerabilities

HARMONY-5981

Bibliography

[[API 2006]] Class Logger
[[JLS 2005]] Chapter 11, Exceptions
[[Ware 2008]]

ERR06-J. Do not allow exceptions to expose sensitive information      06. Exceptional Behavior (ERR)      ERR09-J. Restrict calls to System.exit() to trusted code only

  • No labels