Tomcat technical logs fully accessible
Article ID: 263822
Updated On:
Products
Issue/Introduction
Security team has made a penetration test on RA production environment (Version: 6.7.0.398) and found that technical logs are accessible through '/datamanagement/ra/read_log' API.
Tomcat server logs are accessible without restriction from an API endpoint.
Example:
https://releaseautomationserver:8080/datamanagement/ra/read_log
The security team has the following recommandation:
Application logs from the “tomcat” server should not be exposed through this API.
Please provide a method that does not let user access technical informations.
Environment
Release : 6.7
Cause
Limitation of Apache Tomcat.
Resolution
The API mentioned in the ticket does not read tomcat's log files. "In memory" logger is created for this API and this logger is limited to storing just 100 last log entries.
To call the read_log API request has to be authenticated so we don't think this might be considered a vulnerability.
If there are concerns regarding the fact that any Nolio user might call this API we may add some restrictions for this particular API. This might be done with modifying the applicationContext-acegi-
Add the following line BETWEEN the interceptor for the "/design/**" pattern AND the interceptor for the "/ra/**" pattern and AFTER the :
<intercept-url pattern="/ra/read_log" access="ROLE_SUPERUSER"/>
You will find 2 sections to add new line in this file: first under "<b:beans profile="basic">" and second under "<b:beans profile="saml">".
This new line will allow the read_log API call for superusers only. Of course the list of acceptable roles might be extended depending on the needs.
Feedback
