Incorrect Ownership Assignment in log4js-node/log4js-node
Reported on
Jan 11th 2022
BUG
Any unprivileged user can read the log file, so sensitive information is disclosed.
SUMMARY
log4js creates a log file to store the log. A log may contain a lot of sensitive information such as usernames, passwords, tokens, API keys, etc.
So this log file should not be accessible to other users.
But when log4js creates the log file, the file permissions are -rw-r--r-- 1 user user 345 Jan 11 14:47 combined.log
which can be accessed by any user.
On a Linux system there may be many users with different privileges, but any user can read this log file.
STEPS TO REPRODUCE
Run the code below:
const log4js = require("log4js");
log4js.configure({
  // file appender with only a filename: the file is created with the default mode
  appenders: { cheese: { type: "file", filename: "combined.log" } },
  // level "trace" so that the trace/debug/info calls below actually reach the file
  categories: { default: { appenders: ["cheese"], level: "trace" } }
});
const logger = log4js.getLogger("cheese");
// constructed sample messages containing a secret
logger.trace("your password is password123");
logger.debug("your password is password123.");
logger.info("your password is password123.");
Now a combined.log file will be created with all the log information.
Check the file permissions:
user@user-xx:~$ ls -lh combined.log
-rw-r--r-- 1 user user 345 Jan 11 14:47 combined.log
So this file has read permission for all system users. Thus any user can read this log file. I see that most web servers, loggers, etc. log their information to a file that is only accessible to the user who created it. But in this case it has read permission for all users.
SUGGESTED FIX
You should change the log file permissions so that it is accessible only by the user who created it.
So this is just a problem with the default permission used when creating a log file? Easy enough to fix, and every version of log4js ever published has a workaround where you can supply the permissions you want the files to use. It's also mentioned in the docs that it is the default file permission. What's the next step - do I need to create a Github security advisory thing?
Also the CWE referenced above seems wrong - should it be CWE-276 (Incorrect default permissions)?
When I calculate the severity using Github's CVSS tool, I get "moderate 5.5", not high - am I doing something wrong? The vector string is "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
@maintainer I just updated the severity here to medium, but I am not able to change the CWE. Please take a look. Also please validate the report if possible.
@admin, are you able to change the CWE for us?
Hi @maintainer, I did not find CWE-276 (Incorrect Default Permissions) here, but found the matching CWEs "Incorrect Ownership Assignment" and "Incorrect Privilege Assignment". Let me know which one you prefer and I will change it. Thanks.
Or I will ask an admin on Discord to change the CWE to a matching one.
Hello all 👋
Yes, we can adjust the CWE here, and add a new one to our database, if it does not exist to apply it to this report.
Can you please confirm @maintainer - which CWE would you like for this report?
Ok, I think CWE-708 (Incorrect Ownership Assignment) is more appropriate than the current one. If we can change it to that, I'm happy to validate the report.
@ranjit-git - please adjust the CWE type by editing the report to:
CWE-708 (Incorrect Ownership Assignment)
We have published a fix for this in log4js@6.4.0, and a security advisory is here: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q
Just waiting for the CWE type to be changed before I can validate the report and close this out.
@nomiddlename - I have updated the report for you to CWE-708!
Feel free to proceed with the approval and confirmation of fix ♥️