Log4j2 安全热点问题

Question

This is the code for configuring log4j2.xml file. The problem is that sonar is showing security hotspot issue at setConfiguration. How to avoid it?

String propFile = "log4j2.xml";

LoggerContext logcontext = (org.apache.logging.log4j.core.LoggerContext) 
LogManager.getContext(false);
File logFile = new File(propFile);

logcontext.setConfigLocation(logFile.toURI());

Answer 1

Sonar is showing security hotspot issue.

It is not an issue. It is Sonar advising you that you need to review that section of code for possible security problems.

This is what theSonarQube documentation says about Security Hotspots:

What is a Security Hotspot?

A Security Hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code.

Another way of looking at hotspots may be the concept of defense in depth in which several redundant protection layers are placed in an application so that it becomes more resilient in the event of an attack.

Vulnerability or Hotspot?

The main difference between a hotspot and a vulnerability is the need of a review before deciding whether to apply a fix:

• With a Hotspot, a security-sensitive piece of code is highlighted, but the overall application security may not be impacted. It's up to the developer to review the code to determine whether or not a fix is needed to secure the code.
• With a vulnerability, a problem that impacts the application's security has been discovered that needs to be fixed immediately.

An example of a hotspot is the RSPEC-2092 where the use of cookie secure flag is recommended to prevent cookies from being sent over non-HTTPS connections but a review is needed because:

• HTTPS is the main protection against MITM attacks and so the secure flag is only an additional protection in case of some failures of network security.
• The cookie may be designed to be sent everywhere (non-HTTPS websites included) because it's a tracking cookie or similar.

With hotspots we try to give some freedom to users and to educate them on how to choose the most relevant/appropriate protections depending on the context (budget, threats, etc).

---

In this case, the Hotspot message says:

"Make sure that this logger's configuration is safe. Configuring loggers is security-sensitive." java:S4792

It is saying ... make sure that you are loading the logger configurations from a safe place; eg somewhere that is protected so that "bad actors" (hackers, unauthorized users, etc) can't read (or worse) change the logging config.

If you don't have a good reason to configure Log4j2 programmatically, don't to it that way. Use the Log4j2 automatic configuration mechanism(s) instead.

Answer 2

First, please read Stephen C answer, as it provides the documented explanation of what a Security Hotspot is.

Second, this is from the documentation Sonar provides about the specific SH in particular:

Ask Yourself Whether

• unauthorized users might have access to the logs, either because they are stored in an insecure location or because the application gives access to them. the logs contain sensitive information on a production server. This can happen when the logger is in debug mode.
• the log can grow without limit. This can happen when additional information is written into logs every time a user performs an action and the user can perform the action as many times as he/she wants.
• the logs do not contain enough information to understand the damage an attacker might have inflicted. The loggers mode (info, warn, error) might filter out important information. They might not print contextual information like the precise time of events or the server hostname.
• the logs are only stored locally instead of being backuped or replicated.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

• Check that your production deployment doesn't have its loggers in "debug" mode as it might write sensitive information in logs. Production logs should be stored in a secure location which is only accessible to system administrators.
• Configure the loggers to display all warnings, info and error messages. Write relevant information such as the precise time of events and the hostname.
• Choose log format which is easy to parse and process automatically. It is important to process logs rapidly in case of an attack so that the impact is known and limited.
• Check that the permissions of the log files are correct. If you index the logs in some other service, make sure that the transfer and the service are secure too.
• Add limits to the size of the logs and make sure that no user can fill the disk with logs. This can happen even when the user does not control the logged information. An attacker could just repeat a logged action many times.

Remember that configuring loggers properly doesn't make them bullet-proof. Here is a list of recommendations explaining on how to use your logs:

• Don't log any sensitive information. This obviously includes passwords and credit card numbers but also any personal information such as user names, locations, etc…​ Usually any information which is protected by law is good candidate for removal.
• Sanitize all user inputs before writing them in the logs. This includes checking its size, content, encoding, syntax, etc…​ As for any user input, validate using whitelists whenever possible. Enabling users to write what they want in your logs can have many impacts. It could for example use all your storage space or compromise your log indexing service.
• Log enough information to monitor suspicious activities and evaluate the impact an attacker might have on your systems. Register events such as failed logins, successful logins, server side input validation failures, access denials and any important transaction.
• Monitor the logs for any suspicious activity.

In other words, you need to validate whether your implementation covers these recommendations or if you even need to worry about any of them. In case there's nothing to worry about, you can just set it "as reviewed". I would advice that someone other than you check this too, however. Perhaps whoever is in charge of the server where the log is written to.

The only way to "get rid" of this hotspot issue is by not using a log or manually checking that everything is ok. Of course, you should do the latter if you need a logger.