
Log4j2 security hotspot issue


This is the code for configuring the log4j2.xml file. The problem is that Sonar is showing a security hotspot issue at setConfiguration. How can I avoid it?

import java.io.File;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LoggerContext;

// Path of the log4j2 configuration file, relative to the working directory.
String propFile = "log4j2.xml";

// Obtain the core LoggerContext (the API LogManager returns the abstract spi type, hence the cast).
LoggerContext logcontext = (LoggerContext) LogManager.getContext(false);
File logFile = new File(propFile);

// Point the context at the file and trigger a reconfiguration from it.
logcontext.setConfigLocation(logFile.toURI());

Solution

  • Sonar is showing security hotspot issue.

    It is not an issue. It is Sonar advising you that you need to review that section of code for possible security problems.

    This is what the SonarQube documentation says about Security Hotspots:

    What is a Security Hotspot?

    A Security Hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code.

    Another way of looking at hotspots may be the concept of defense in depth in which several redundant protection layers are placed in an application so that it becomes more resilient in the event of an attack.

    Vulnerability or Hotspot?

    The main difference between a hotspot and a vulnerability is the need of a review before deciding whether to apply a fix:

    • With a Hotspot, a security-sensitive piece of code is highlighted, but the overall application security may not be impacted. It's up to the developer to review the code to determine whether or not a fix is needed to secure the code.
    • With a vulnerability, a problem that impacts the application's security has been discovered that needs to be fixed immediately.

    An example of a hotspot is the RSPEC-2092 where the use of cookie secure flag is recommended to prevent cookies from being sent over non-HTTPS connections but a review is needed because:

    • HTTPS is the main protection against MITM attacks and so the secure flag is only an additional protection in case of some failures of network security.
    • The cookie may be designed to be sent everywhere (non-HTTPS websites included) because it's a tracking cookie or similar.

    With hotspots we try to give some freedom to users and to educate them on how to choose the most relevant/appropriate protections depending on the context (budget, threats, etc).


    In this case, the Hotspot message says:

    "Make sure that this logger's configuration is safe. Configuring loggers is security-sensitive." java:S4792

    It is saying ... make sure that you are loading the logger configurations from a safe place; e.g. somewhere that is protected so that "bad actors" (hackers, unauthorized users, etc) can't read (or worse) change the logging config.

    If you don't have a good reason to configure Log4j2 programmatically, don't do it that way. Use the Log4j2 automatic configuration mechanism(s) instead.
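If programmatic configuration really is required, one way to satisfy the review the hotspot asks for is to only accept a configuration file that lives in an administrator-controlled directory and is not writable by other users. This is an added example, not code from the question or the answer above; the directory `/etc/myapp` and the class and method names are assumptions, and the permission check relies on a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LoggerContext;

public final class SafeLog4jConfig {

    // Hypothetical directory that only administrators can write to; adjust per deployment.
    private static final Path TRUSTED_DIR = Paths.get("/etc/myapp");

    /**
     * Returns true only if the candidate resolves to a regular file inside TRUSTED_DIR
     * (symlinks and ".." are resolved first) and is not writable by group or others.
     * Throws UnsupportedOperationException on file systems without POSIX permissions.
     */
    static boolean isTrustedConfig(Path candidate) throws IOException {
        Path real = candidate.toRealPath();
        if (!real.startsWith(TRUSTED_DIR.toRealPath())) {
            return false; // the path escaped the trusted directory
        }
        if (!Files.isRegularFile(real)) {
            return false;
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(real);
        return !perms.contains(PosixFilePermission.GROUP_WRITE)
            && !perms.contains(PosixFilePermission.OTHERS_WRITE);
    }

    /** Loads the named file from TRUSTED_DIR, refusing anything that fails the check. */
    static void configure(String fileName) throws IOException {
        Path candidate = TRUSTED_DIR.resolve(fileName);
        if (!isTrustedConfig(candidate)) {
            throw new IllegalStateException("Refusing untrusted log4j2 config: " + candidate);
        }
        LoggerContext ctx = (LoggerContext) LogManager.getContext(false);
        ctx.setConfigLocation(candidate.toUri());
    }

    public static void main(String[] args) throws IOException {
        configure("log4j2.xml");
    }
}
```

Marking the hotspot as reviewed in SonarQube then documents why this call site is acceptable, rather than silencing the rule.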