Incorrect Ownership Assignment in log4js-node/log4js-node

Valid

Reported on

Jan 11th 2022


BUG

any unprivileged user can see log file and sensitive information disclosed

SUMMURY

log4js create log file to store the log . Log may contain many sentsitive information like username,password,token,api-key etc .
So, this log file should not accessed by other user .
But when log4js create log file then file permission is -rw-r-r-- 1 user user 345 Jan 11 14:47 combined.log which can be access by any user.
In linux system there may be many user with different privileged . but any user can see this log file .

STEP TO RERPODUCE

run bellow code

const log4js = require("log4js");
log4js.configure({
  appenders: { cheese: { type: "file", filename: "combined.log" } },
  categories: { default: { appenders: ["cheese"], level: "error" } }
});
 
const logger = log4js.getLogger("cheese");
logger.trace("your password is password123");
logger.debug("your password is password123.");
logger.info("your password is password123.");


Now a combined.log file will be created with all log information . check file permission

user@user-xx:~$ ls -lh combined.log
-rw-r-r-- 1 user user 345 Jan 11 14:47 combined.log

So, this file has read permission for all system user . Thus any user can read this log file .I see mostly all webserver , logger etc log there info in a file and it is only accessed by current user who created the file . But in this case it has read permission for all user .

SUGGESTED FIX

You should change the logfile permision to be access only by current user who crated the file .

We are processing your report and will contact the log4js-node team within 24 hours. 5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 5 months ago
We have contacted a member of the log4js-node team and are waiting to hear back 4 months ago
log4js-node/log4js-node maintainer
4 months ago

Maintainer


So this is just a problem with the default permission used when creating a log file? Easy enough to fix, and every version of log4js ever published has a workaround where you can supply the permissions you want the files to use. It's also mentioned in the docs that it is the default file permission. What's the next step - do I need to create a Github security advisory thing?

log4js-node/log4js-node maintainer
4 months ago

Maintainer


Also the CWE referenced above seems wrong - should it be CWE-276 (Incorrect default permissions)?

log4js-node/log4js-node maintainer
4 months ago

Maintainer


When I calculate the severity using Github's CVSS tool, I get "moderate 5.5", not high - am I doing something wrong? The vector string is "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"

ranjit-git modified the report
4 months ago
ranjit-git
4 months ago

Researcher


@maintainer I just updated the severity here to medium . But not able to change the cwe. Plz take a look. Also plz validate the report if possible.

log4js-node/log4js-node maintainer
4 months ago

Maintainer


@admin are you able to change the cwe for us?

ranjit-git
4 months ago

Researcher


hi @maintainer, i did not found cwe-276(incorrect defualt permision) here but found matching cwe "incorrect ownership asignment" "incorrect privilege asignment" Let me know which one you prefer , i will change that Thanks

ranjit-git
4 months ago

Researcher


Or i will ask admin in discord to change cwe to matching one

Jamie Slome
4 months ago

Admin


Hello all 👋

Yes, we can adjust the CWE here, and add a new one to our database, if it does not exist to apply it to this report.

Can you please confirm @maintainer - which CWE would you like for this report?

We have sent a follow up to the log4js-node team. We will try again in 7 days. 4 months ago
log4js-node/log4js-node maintainer
4 months ago

Maintainer


Ok, I think CWE-708 (Incorrect Ownership Assignment) is more appropriate than the current one. If we can change it to that, I'm happy to validate the report.

Jamie Slome
4 months ago

Admin


@ranjit-git - please adjust the CWE type by editing the report to:

CWE-708 (Incorrect Ownership Assignment)

Gareth Jones
4 months ago

Maintainer


We have published a fix for this in log4js@6.4.0, and a security advisory is here: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q

Jamie Slome
4 months ago

Admin


Thank you for the update Gareth!

We have sent a second follow up to the log4js-node team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the log4js-node team. This report is now considered stale. 4 months ago
Gareth Jones
4 months ago

Maintainer


Just waiting for the CWE type to be changed before I can validate the report and close this out.

ranjit-git modified the report
4 months ago
Jamie Slome
4 months ago

Admin


@nomiddlename - I have updated the report for you to CWE-708!

Feel free to proceed with the approval and confirmation of fix ♥️

log4js-node/log4js-node maintainer validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
log4js-node/log4js-node maintainer confirmed that a fix has been merged on 804225 4 months ago
The fix bounty has been dropped
logger.js#L1-L139 has been validated
file.js#L1-L122 has been validated
log4js.js#L43-L150 has been validated
fileSync.js#L1-L206 has been validated
to join this conversation