[Bug 69822] New: Log injection vulnerability in AbstractProcessorLight class allows attackers to manipulate application logs by injecting malicious content through unsanitized input in trace logging statements.

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=69822

            Bug ID: 69822
           Summary: Log injection vulnerability in AbstractProcessorLight
                    class allows attackers to manipulate application logs
                    by injecting malicious content through unsanitized
                    input in trace logging statements.
           Product: Tomcat 11
           Version: 11.0.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: coderdz...@gmail.com
  Target Milestone: -------

Created attachment 40104
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=40104&action=edit
a full report about bug

# Security Analysis Report: Log Injection Vulnerability in
AbstractProcessorLight

## Vulnerability Summary

**Vulnerability Type:** Log Injection (CWE-117: Improper Output Neutralization
for Logs)  
**CWE:** 117  
**Severity:** Medium  
**Location:** `org.apache.coyote.AbstractProcessorLight.process()` method  
**Affected Code Lines:** Multiple trace logging statements  

## Vulnerability Details

The identified vulnerability is a **Log Injection** issue occurring in multiple
trace logging statements within the `process()` method. Attackers can inject
malicious content (such as fake log entries, newline characters, or other
control sequences) into application logs by manipulating input values that
eventually get logged without proper sanitization.

### Affected Code Segments

1. **First vulnerable trace log** (Line ~25):
```java
this.getLog().trace((Object)("Processing dispatch type: [" +
String.valueOf((Object)nextDispatch) + "]"));
```

2. **Second vulnerable trace log** (Line ~45):
```java
this.getLog().trace((Object)("Socket: [" + String.valueOf(socketWrapper) + "],
Status in: [" + String.valueOf((Object)status) + "], State out: [" +
String.valueOf((Object)state) + "]"));
```

3. **Third vulnerable trace log** (Line ~50):
```java
this.getLog().trace((Object)("Socket: [" + String.valueOf(socketWrapper) + "],
State after async post processing: [" + String.valueOf((Object)state) + "]"));
```

### Root Cause

The vulnerability exists because the code directly concatenates
user/application-controlled values (`nextDispatch`, `socketWrapper`, `status`,
`state`) into log messages without proper sanitization or encoding. This allows
an attacker to:

1. Inject fake log entries by including newline characters
2. Obfuscate malicious activities by manipulating log content
3. Potentially execute log viewer exploits if the logging system interprets
certain control sequences
4. Compromise log integrity and forensic analysis capabilities

### Attack Vectors

An attacker could exploit this vulnerability by:
1. Manipulating HTTP requests to influence the values being logged
2. Crafting malicious payloads that get reflected in the `DispatchType`, socket
status, or state values
3. Injecting carriage return (`\r`) and newline (`\n`) characters to create
fake log entries
4. Attempting to exploit vulnerabilities in log viewing tools through specially
crafted input

## Proof of Concept

An attacker could potentially send a crafted request that results in a
`DispatchType` containing newline characters:

```
MaliciousDispatchType\n[ERROR] Authentication failed for user admin
```

This would result in a log entry that appears as:
```
Processing dispatch type: [MaliciousDispatchType]
[ERROR] Authentication failed for user admin
```

Creating a false log entry that could be used to hide malicious activities or
mislead investigators.

## Impact Assessment

- **Integrity Impact:** Medium - Log files can be manipulated to insert false
entries
- **Availability Impact:** Low - Potential for log file corruption or excessive
growth
- **Confidentiality Impact:** Low - Possible information disclosure through log
manipulation
- **Auditing Impact:** High - Compromises the integrity of audit trails and
forensic analysis

## Recommended Fix

Implement proper log sanitization by neutralizing potentially dangerous
characters before logging:

```java
// Create a utility method for log sanitization
private String sanitizeForLog(String input) {
    if (input == null) return null;
    return input.replaceAll("[\r\n]", "");
}

// Use it in the logging statements
this.getLog().trace((Object)("Processing dispatch type: [" + 
    sanitizeForLog(String.valueOf((Object)nextDispatch)) + "]"));
```

Alternatively, use a logging framework that supports parameterized messages
with proper encoding:

```java
this.getLog().trace("Processing dispatch type: [{}]", nextDispatch);
```

## References

- CWE-117: Improper Output Neutralization for Logs
- OWASP Log Injection: https://owasp.org/www-community/attacks/Log_Injection
- Apache Tomcat Security Guidelines

# by rootboot

This vulnerability should be addressed in future releases of Apache Tomcat to
ensure the integrity of logging mechanisms.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org