Java: CWE-532 sensitive info logging #51
Comments
Hello @luchua-bc This issue was closed because there was no pull request referenced. Can you please confirm that?
Thanks @xcorail for looking into this issue. Yes, it's related to PR github/codeql#3090.
You might want to test the query against CVE-2019-3888 which I think was fixed by undertow-io/undertow@20cacc9 . Another one CVE-2019-10212 with fix commit undertow-io/undertow@8b63e25 .
Thanks @aibaars for the recommendation. CVE-2019-3888 can be easily tested by searching for the variable names requestHeaders and responseHeaders, while CVE-2019-10212 can be tested with this query. As JBoss logging is not based on Log4j or SLF4j, the query can be easily extended to accommodate it with the following three minor changes, as I tried in my fork: Then the undertow logging issue can be reported by the query: I think it will be nice to add JBoss logging so that the query can be more comprehensive and inclusive, although JBoss logging is only used in RedHat products compared with the other two logging mechanisms. As the PR was already merged, I'm not sure what the process is to get the new change reviewed, approved, then merged from my fork. Please advise. Thanks,
@luchua-bc You can create an additional pull-request or even pull requests with improvements to your query. Adding support for JBoss logging sounds a good addition. Adding the word I'm not too convinced about adding special cases for
Hi @aibaars , As the new PR 3487 has already been merged and closed, is there anything else that I shall do for this issue? Please advise. Thanks,
Thanks @luchua-bc ! I'd suggest adding the CVEs you can now detect to the pull request description above. @xcorail can you take it from here?
Thanks @aibaars . I've added CVE-2019-10212 and the second PR to the pull request description above.
@xcorail Please let me know if you need some information like my HackerOne email address and/or account name from me. Thanks,
Hey @luchua-bc sorry for the delay.
Thanks @xcorail . I've sent my hackerone email address to your GitHub email address. Cheers,
Got it!
Thanks @xcorail for the bounty.
@luchua-bc, what do you think about including Log4j 2 ( And would it make sense to include
Thanks @Marcono1234 for your suggestions to enhance the query, I think they are good ideas. I've submitted a new PR codeql/pull/3600 to incorporate the changes.
I've written a Medium article for the GitHub queries relevant to the recent critical zero-day vulnerability CVE-2021-44228 affecting Apache Log4j2 that our queries can detect and help to address over one year ago.
CVE ID(s)
CVE-2019-10212 (not reported by me)
There are many other examples of this category in the CVE database.
PR:
Semmle/ql#3090
Semmle/ql#3487
Report
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Third-party logging utilities like Log4J and SLF4J are widely used in Java projects. When sensitive information is written to logs without properly set logging levels, it is accessible to potential attackers who gain access to the file storage.
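The logging pattern the report describes, as an added example that is neither Undertow's code nor the CodeQL query itself: a request-header map written to the log verbatim (the shape the thread says the query flags via `requestHeaders`) next to a variant that redacts credential-bearing headers before the message is built. The header names treated as sensitive and the sample values are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

// Added example (not Undertow's or CodeQL's code): the CWE-532 pattern a
// logging query reports, beside a redacting variant that keeps the log useful.
public class HeaderLogging {
    private static final Logger LOG = Logger.getLogger(HeaderLogging.class.getName());

    // Header names whose values carry credentials or session material (assumed list).
    private static final Set<String> SENSITIVE =
            Set.of("authorization", "proxy-authorization", "cookie", "set-cookie");

    // Vulnerable: the entire header map, credentials included, reaches the log file.
    static String describeRequestUnsafe(Map<String, String> requestHeaders) {
        String line = "request headers: " + requestHeaders;
        LOG.fine(line); // a low level does not help once debug logging is switched on
        return line;
    }

    // Mitigated: sensitive header values are replaced before the message exists.
    static String describeRequestSafe(Map<String, String> requestHeaders) {
        Map<String, String> redacted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : requestHeaders.entrySet()) {
            boolean secret = SENSITIVE.contains(e.getKey().toLowerCase(Locale.ROOT));
            redacted.put(e.getKey(), secret ? "[REDACTED]" : e.getValue());
        }
        String line = "request headers: " + redacted;
        LOG.fine(line);
        return line;
    }

    public static void main(String[] args) {
        // Constructed sample request; the credential and session values are placeholders.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "example.test");
        headers.put("Authorization", "Basic PLACEHOLDER_CREDENTIAL");
        headers.put("Cookie", "JSESSIONID=PLACEHOLDER_SESSION");
        System.out.println(describeRequestUnsafe(headers)); // credential visible in the line
        System.out.println(describeRequestSafe(headers));   // [REDACTED] in its place
    }
}
```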