Skip to content

Latest commit

 

History

History
157 lines (120 loc) · 12.3 KB

mitigations.md

File metadata and controls

157 lines (120 loc) · 12.3 KB

Mitigation Strategies Analysis for qos-ch/logback

Mitigation Strategy: Prevent Log Injection (Log Forging / CRLF Injection) within Logback

  • Description:

    1. Choose a Logback Encoder: Select and configure a Logback Encoder implementation (e.g., PatternLayoutEncoder, LogstashEncoder). PatternLayoutEncoder is the most common and allows you to define the log message format. LogstashEncoder is for structured logging (JSON).
    2. Configure Encoding (PatternLayoutEncoder): If using PatternLayoutEncoder, use the %replace conversion word in your pattern to escape special characters. For example: 
      <pattern>%d %-5level [%thread] %logger{36} - %replace(%msg){'[\r\n]', ''}%n</pattern>
      This replaces carriage returns and newlines with empty strings. You can customize the regular expression and replacement string to handle other characters as needed. Consider using %.-1msg to limit the message length and prevent extremely long injected strings.
    3. Structured Logging (LogstashEncoder): If using LogstashEncoder, pass data as key-value pairs using Logback's StructuredArguments (e.g., kv("key", value)): 
      logger.info("User action", kv("userInput", userInput), kv("action", "submit"));
      Logback's LogstashEncoder will automatically handle the proper escaping and formatting for JSON.
    4. Avoid Direct Concatenation: Never directly concatenate user-supplied data into the log message string before passing it to Logback. Always use parameterized logging or structured arguments.

  • Threats Mitigated:

    • Log Forging: Attackers inject fake log entries. (Severity: Medium to High)
    • CRLF Injection: Attackers inject newline characters. (Severity: Medium)
    • Log-Based Code Execution (Indirect): If the log viewer/processor is vulnerable. (Severity: High - depends on viewer/processor)
    • Data Corruption: Maliciously injected data corrupts log files. (Severity: Medium)

  • Impact:

    • Log Forging: Risk significantly reduced. Encoding prevents injection of fake entries.
    • CRLF Injection: Risk significantly reduced. Encoding neutralizes newline characters.
    • Log-Based Code Execution: Risk significantly reduced (indirectly).
    • Data Corruption: Risk reduced.

  • Currently Implemented:

    • Describe the current Logback configuration related to encoding (e.g., "Using PatternLayoutEncoder with %msg but without %replace"). State whether structured logging is used.

  • Missing Implementation:

    • Describe any missing encoding configuration (e.g., "No %replace used in PatternLayoutEncoder"). If direct string concatenation is used, point it out.

Mitigation Strategy: Mitigate JNDI Lookup Vulnerabilities in Logback

  • Description:

    1. Identify Logback Version: Check your project's dependency management (e.g., pom.xml, build.gradle) for the exact Logback version.
    2. Upgrade Logback (Essential): If the version is older than 1.2.10 (for 1.2.x) or 1.3.0-alpha11 (for 1.3.x), upgrade to a patched version. Update the dependency in your build file and rebuild. This removes the vulnerable JNDI lookup functionality from Logback.
    3. Disable JNDI Lookups (Last Resort - Only if Upgrade is Impossible): If, and only if, upgrading is completely impossible, set the Logback system property logback.logjndi.JndiLookup.enable to false. This is a mitigation, not a fix, and upgrading is always the preferred solution. This property can be set:
      • Via command-line argument: -Dlogback.logjndi.JndiLookup.enable=false
      • Programmatically (less recommended): System.setProperty("logback.logjndi.JndiLookup.enable", "false");

  • Threats Mitigated:

    • Remote Code Execution (RCE) via JNDI Lookup (CVE-2021-42550 and similar): Attackers trigger JNDI lookups to malicious servers. (Severity: Critical)

  • Impact:

    • RCE via JNDI Lookup:
      • Upgrade: Risk eliminated.
      • Disable JNDI Lookups (if upgrade impossible): Risk reduced, but not eliminated.

  • Currently Implemented:

    • State the current Logback version. Indicate whether the upgrade has been done. If the logback.logjndi.JndiLookup.enable property is used, mention it.

  • Missing Implementation:

    • If the Logback version is vulnerable and not upgraded, state this clearly.

Mitigation Strategy: Prevent XXE Attacks via Logback Configuration Files

  • Description:

    1. Disable External Entities (System Properties): Configure the XML parser used by Logback (via Joran and SAX) to disable external entity resolution. This is done through system properties, which must be set before Logback initializes (typically as JVM arguments):
      • -Djavax.xml.parsers.SAXParserFactory=com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl (or another non-vulnerable SAXParserFactory)
      • -Djavax.xml.accessExternalDTD=""
      • -Djavax.xml.accessExternalSchema=""
    2. Schema Validation (If configuration is loaded externally): If the configuration file is loaded from an external source, use a validating XML parser and an XML Schema (XSD) to validate the configuration file before Logback processes it. This is a general XML security best practice, but it's relevant here because Logback uses XML for configuration. This validation should happen outside of Logback's processing.

  • Threats Mitigated:

    • XML External Entity (XXE) Attacks:
      • Information Disclosure: Read arbitrary files. (Severity: High)
      • Denial of Service (DoS): Consume excessive resources. (Severity: Medium)
      • Server-Side Request Forgery (SSRF): Make requests to internal/external systems. (Severity: High)

  • Impact:

    • XXE Attacks:
      • Disable External Entities: Risk significantly reduced.
      • Schema Validation: Risk further reduced (if applicable).

  • Currently Implemented:

    • State whether the system properties to disable external entities are set. Describe any XSD validation if configuration files are loaded externally.

  • Missing Implementation:

    • If the system properties are not set, state this. If external configuration files are loaded without XSD validation, describe the vulnerability.

Mitigation Strategy: Secure Logback Appenders

  • Description: Focus on Logback-specific appender configurations.

    • DBAppender:
      1. Parameterized Queries (Logback Configuration): Ensure that Logback's DBAppender is configured to use parameterized queries. This is usually the default behavior, but verify it in your Logback configuration file. Look for any custom SQL queries within the DBAppender configuration and ensure they are parameterized. Logback handles the parameterization; you just need to ensure custom SQL (if any) is written correctly.
    • SocketAppender / SyslogAppender:
      1. Encrypt Communication (Logback Configuration): Configure the appender to use a secure protocol. For SyslogAppender, use the ssl:// prefix in the syslogHost property. For SocketAppender, use a secure socket factory. This configuration is done within the Logback configuration file.
      2. Authenticate Connections (Logback Configuration): If supported by the appender and the receiving server, configure authentication within the Logback configuration. This might involve setting properties for client certificates or other credentials.

  • Threats Mitigated:

    • DBAppender:
      • SQL Injection: Attackers inject malicious SQL code. (Severity: Critical)
    • SocketAppender / SyslogAppender:
      • Eavesdropping: Attackers intercept log messages. (Severity: Medium to High)
      • Log Spoofing: Attackers send fake log messages. (Severity: Medium)

  • Impact:

    • The impact varies depending on the appender and mitigation.

  • Currently Implemented:

    • Describe the current configuration of each Logback appender used. Specify whether parameterized queries are used (for DBAppender), and whether encryption and authentication are configured (for network appenders).

  • Missing Implementation:

    • Identify any missing security measures within the Logback configuration for each appender. For example, "DBAppender configuration does not explicitly verify parameterized query usage." or "SyslogAppender uses udp:// and does not encrypt communication."

Mitigation Strategy: Masking/Redaction within Logback

  • Description:

    1. Custom Converters (Logback Configuration): Create custom Logback converters that extend ClassicConverter. Override the convert() method to mask or redact sensitive parts of the log message before it's written. Register your custom converter in the Logback configuration file: 
      <conversionRule conversionWord="maskedMsg" converterClass="com.example.MyMaskingConverter" />
<pattern>%d %-5level [%thread] %logger{36} - %maskedMsg%n</pattern>
    2. Filters (Logback Configuration): Use Logback filters (e.g., ch.qos.logback.core.filter.Filter) to selectively remove or modify log events containing sensitive data. You can create custom filters or use existing ones (like EvaluatorFilter with a custom evaluator) to match specific patterns and take action (e.g., deny the event, modify the message). Configure filters within the Logback configuration file, attaching them to specific appenders.
    3. Pattern Layout Modification (Logback Configuration): Carefully design your PatternLayout patterns to exclude sensitive fields. If you're logging objects, use specific conversion words to extract only the non-sensitive parts. Avoid using %message or %msg directly if it might contain sensitive data without proper masking.

  • Threats Mitigated:

    • Information Disclosure: Exposure of sensitive data in log files. (Severity: High to Critical)
    • Compliance Violations: Violating privacy regulations. (Severity: High)

  • Impact:

    • Masking/Redaction: Risk significantly reduced.

  • Currently Implemented:

    • Describe any custom converters, filters, or pattern layout modifications used for masking/redaction within Logback.

  • Missing Implementation:

    • Identify any areas where sensitive data is logged without masking/redaction, and where Logback's features could be used to address this.

Mitigation Strategy: Regularly Audit Logback Configuration

  • Description:

    1. Schedule Regular Audits: Establish a schedule for reviewing Logback configuration files.
    2. Configuration Review: Periodically review Logback configuration files (XML, Groovy) to ensure they are:
      • Up-to-date with the latest security best practices for Logback.
      • Free of any known vulnerabilities (e.g., XXE vulnerabilities, insecure appender settings).
      • Using secure appender configurations as described above.
      • Properly configured for encoding, masking, and filtering.
    3. Stay Informed: Keep up-to-date with security advisories and best practices specifically for Logback.

  • Threats Mitigated:

    • This strategy mitigates all Logback-specific threats by proactively identifying and addressing vulnerabilities in the Logback configuration.

  • Impact:

    • Significantly reduces the risk of all Logback-related vulnerabilities.

  • Currently Implemented:

    • Describe any existing auditing processes specifically for the Logback configuration.

  • Missing Implementation:

    • Identify any gaps in the auditing process related to the Logback configuration. For example, "Logback configuration files are not regularly reviewed for security best practices."