Tomcat technical logs fully accessible
Article ID: 263822

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

The security team ran a penetration test on the RA production environment (version 6.7.0.398) and found that technical logs are accessible through the '/datamanagement/ra/read_log' API.
Tomcat server logs are accessible without restriction from an API endpoint.

Example:
https://releaseautomationserver:8080/datamanagement/ra/read_log

The security team made the following recommendation:
Application logs from the "tomcat" server should not be exposed through this API.

Please provide a method that does not let users access technical information.

Environment

Release : 6.7

Cause

Limitation of Apache Tomcat.

Resolution

The API mentioned in the ticket does not read Tomcat's log files. An "in memory" logger is created for this API, and that logger is limited to storing only the last 100 log entries.

To call the read_log API the request has to be authenticated, so we don't think this should be considered a vulnerability.

If there are concerns about any authenticated Nolio user being able to call this API, we may add restrictions for this particular API. This is done by modifying the applicationContext-acegi-security.xml file of the datamanagement web application ([ReleaseAutomationServer]\webapps\datamanagement\WEB-INF\applicationContext-acegi-security.xml).

Add the following line BETWEEN the interceptor for the "/design/**" pattern AND the interceptor for the "/ra/**" pattern and AFTER the :

<intercept-url pattern="/ra/read_log" access="ROLE_SUPERUSER"/>

There are two sections in this file where the new line has to be added: first under "<b:beans profile="basic">" and second under "<b:beans profile="saml">".

This new line restricts the read_log API call to superusers only. The list of accepted roles can be extended depending on the needs.

Note: This file is rewritten by a Nolio upgrade, so the added line has to be reapplied after upgrading.
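The placement instruction above matters because Spring Security (the successor of Acegi) evaluates <intercept-url> entries in document order and applies the first pattern that matches the request path: a "/ra/read_log" rule placed after "/ra/**" is never reached. The following script is an added example, not part of the article or of the Nolio product; it parses a copy of applicationContext-acegi-security.xml, computes which access expression actually governs /ra/read_log in each profile section, and reports any profile where the rule is missing or shadowed. The embedded XML is constructed for the example (the "basic" section is ordered correctly, the "saml" section is not); the "/design/**" and "/ra/**" access values and the <http> wrapper are assumptions, since the article does not show the rest of the file. The same check can be run again after an upgrade, when the file has been rewritten.

```python
"""Audit the ordering of <intercept-url> rules for /ra/read_log per Spring profile.

Added example; the XML below is constructed and only the /ra/read_log line and
the two profile names come from the article. Other patterns and access values
are assumptions.
"""
import re
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
SEC_NS = "http://www.springframework.org/schema/security"

# Constructed sample: the "basic" profile has the read_log rule before /ra/**
# (correct); the "saml" profile has it after /ra/** (shadowed, never applied).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans">
  <b:beans profile="basic">
    <http>
      <intercept-url pattern="/design/**" access="ROLE_USER"/>
      <intercept-url pattern="/ra/read_log" access="ROLE_SUPERUSER"/>
      <intercept-url pattern="/ra/**" access="ROLE_USER"/>
    </http>
  </b:beans>
  <b:beans profile="saml">
    <http>
      <intercept-url pattern="/design/**" access="ROLE_USER"/>
      <intercept-url pattern="/ra/**" access="ROLE_USER"/>
      <intercept-url pattern="/ra/read_log" access="ROLE_SUPERUSER"/>
    </http>
  </b:beans>
</b:beans>
"""


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern (as used by intercept-url) to a regex.

    '**' matches any number of path segments (including '/'); '*' matches
    any characters within a single segment.
    """
    out = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def intercept_rules(beans_el: ET.Element) -> list:
    """Return (pattern, access) pairs in document order for one profile section."""
    return [(u.get("pattern"), u.get("access"))
            for u in beans_el.iter(f"{{{SEC_NS}}}intercept-url")]


def effective_access(rules: list, path: str):
    """First matching rule wins, as Spring Security evaluates intercept-url entries."""
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None  # no rule matched


def audit(xml_text: str, path: str = "/ra/read_log") -> dict:
    """Map each profile name to the access expression that governs `path`."""
    root = ET.fromstring(xml_text)
    governing = {}
    for beans in root.iter(f"{{{BEANS_NS}}}beans"):
        profile = beans.get("profile")
        if profile is None:  # the outer <b:beans> carries no profile
            continue
        governing[profile] = effective_access(intercept_rules(beans), path)
    return governing


def misconfigured_profiles(xml_text: str, required: str = "ROLE_SUPERUSER") -> list:
    """Profiles where /ra/read_log is not restricted to `required` (missing or shadowed)."""
    return [p for p, access in audit(xml_text).items() if access != required]


if __name__ == "__main__":
    for profile, access in audit(SAMPLE_XML).items():
        print(f"profile {profile!r}: /ra/read_log governed by {access}")
    print("needs fixing:", misconfigured_profiles(SAMPLE_XML))
```

To check a real installation, read the file from the path given in the article and pass its contents to audit() instead of SAMPLE_XML; the ROLE_SUPERUSER requirement can be relaxed to whatever roles were chosen when the line was added.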