The API mentioned in the ticket does not read Tomcat's log files. An in-memory logger is created for this API, and this logger is limited to storing only the last 100 log entries.
To call the read_log API, the request has to be authenticated, so we don't think this might be considered a vulnerability.
If there are concerns regarding the fact that any Nolio user might call this API, we may add some restrictions for this particular API. This can be done by modifying the applicationContext-acegi-security.xml file in the datamanagement web application ([ReleaseAutomationServer]\webapps\datamanagement\WEB-INF\applicationContext-acegi-security.xml).
Add the following line BETWEEN the interceptor for the "/design/**" pattern AND the interceptor for the "/ra/**" pattern and AFTER the :
<intercept-url pattern="/ra/read_log" access="ROLE_SUPERUSER"/>
You will find 2 sections in this file where the new line must be added: first under "<b:beans profile="basic">" and second under "<b:beans profile="saml">".
This new line restricts the read_log API call to superusers only. Of course, the list of acceptable roles might be extended depending on the needs.
Note: This file will be overwritten by a Nolio upgrade.
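Spring Security evaluates intercept-url rules in declaration order and applies the first pattern that matches, which is why the note places the "/ra/read_log" rule before the broader "/ra/**" interceptor: declared after it, the rule would never be reached. The script below is an added example (not Nolio's code and not part of the original note) that checks both profile sections for the rule, its role, and its ordering; it is useful after an upgrade that rewrites the file. The XML embedded in it is a constructed skeleton that mimics only the structure the note describes (two <b:beans profile> sections with ordered intercept-url rules); the namespace URIs and the surrounding elements are assumptions, and the "saml" section is deliberately misordered to show a failing check.

```python
"""Check that the /ra/read_log restriction is present and correctly ordered.

Constructed example: SAMPLE_XML is NOT the real applicationContext-acegi-security.xml,
only a skeleton with the structure the vendor note describes. Namespace URIs,
<http> wrapper and the ROLE_USER entries are assumptions.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans">
  <b:beans profile="basic">
    <http>
      <intercept-url pattern="/design/**" access="ROLE_USER"/>
      <intercept-url pattern="/ra/read_log" access="ROLE_SUPERUSER"/>
      <intercept-url pattern="/ra/**" access="ROLE_USER"/>
    </http>
  </b:beans>
  <b:beans profile="saml">
    <http>
      <intercept-url pattern="/design/**" access="ROLE_USER"/>
      <intercept-url pattern="/ra/**" access="ROLE_USER"/>
      <intercept-url pattern="/ra/read_log" access="ROLE_SUPERUSER"/>
    </http>
  </b:beans>
</b:beans>
"""

READ_LOG_PATTERN = "/ra/read_log"
CATCH_ALL_PATTERN = "/ra/**"
REQUIRED_ROLE = "ROLE_SUPERUSER"


def local_name(tag):
    """Strip the namespace URI so 'beans' and 'intercept-url' match regardless of prefix."""
    return tag.rsplit("}", 1)[-1]


def check_read_log_rule(xml_text):
    """Return {profile: [problems]} for every <beans profile="..."> section.

    An empty problem list means the read_log rule exists, carries the required
    role, and is declared before the /ra/** rule that would otherwise shadow it.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for beans in root.iter():
        if local_name(beans.tag) != "beans" or "profile" not in beans.attrib:
            continue
        profile = beans.attrib["profile"]
        # Document order of iter() matches the order Spring Security evaluates the rules.
        rules = [e for e in beans.iter() if local_name(e.tag) == "intercept-url"]
        patterns = [r.get("pattern") for r in rules]
        problems = []
        if READ_LOG_PATTERN not in patterns:
            problems.append("missing %s rule" % READ_LOG_PATTERN)
        else:
            idx = patterns.index(READ_LOG_PATTERN)
            access = rules[idx].get("access", "")
            if REQUIRED_ROLE not in access:
                problems.append("%s rule does not require %s (access=%r)"
                                % (READ_LOG_PATTERN, REQUIRED_ROLE, access))
            if CATCH_ALL_PATTERN in patterns and patterns.index(CATCH_ALL_PATTERN) < idx:
                problems.append("%s rule is shadowed by earlier %s rule"
                                % (READ_LOG_PATTERN, CATCH_ALL_PATTERN))
        results[profile] = problems
    return results


def main(argv):
    # With a path argument the real file is checked; without one the constructed sample is used.
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_XML
    results = check_read_log_rule(xml_text)
    for profile, problems in results.items():
        print("%s: %s" % (profile, "OK" if not problems else "; ".join(problems)))
    return 0 if all(not p for p in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to the real applicationContext-acegi-security.xml as the only argument; a non-zero exit status means at least one profile section is missing the rule, grants it to the wrong role, or has it declared after "/ra/**".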