CWE-221: Information Loss or Omission
Learn about CWE-221 (Information Loss or Omission), its security impact, exploitation methods, and prevention guidelines.
What is Information Loss or Omission?
• Overview: Information Loss or Omission (CWE-221) occurs when a product fails to record critical security-related information, or records it incorrectly, leading to potential misjudgments or difficulties in post-incident analysis.
• Exploitation Methods:
- Attackers can exploit this vulnerability by triggering conditions where security logs or alerts are not generated, thus hiding malicious activities.
- Common attack patterns include inducing buffer overflows or other errors that cause the system to crash before logging crucial details.
• Security Impact:
- Direct consequences include the inability to audit security events or understand the impact of certain actions.
- Potential cascading effects might involve undetected security breaches leading to data loss or further system compromises.
- Business impact includes compliance violations, financial loss, and damage to the organization’s reputation due to unrecorded or mishandled security incidents.
• Prevention Guidelines:
- Ensure robust logging mechanisms that can capture and store security events even during system errors or crashes.
- Implement security best practices such as input validation and error handling to prevent conditions that might cause information loss.
- Use recommended tools and frameworks that offer reliable logging and monitoring capabilities, ensuring they can handle and recover from unexpected failures.
Technical Details
Likelihood of Exploit: Not specified
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
Python Example
# transaction_logger.py
import logging

def process_transaction(user_id, amount):
    # Simulate transaction processing and logging.
    # Note: "processed" is recorded before the amount is validated, so an
    # invalid transaction still appears in the log as if it had succeeded.
    logging.info(f"Transaction processed for user: {user_id}, amount: {amount}")
    # Vulnerability: the system does not log failed transactions or errors,
    # leading to information omission.
    if amount <= 0:
        # Fail silently without logging the failure or its cause
        return "Transaction failed due to invalid amount."
    return "Transaction successful!"
Explanation of the Vulnerability:
- Information Loss or Omission: The code fails to log critical information about failed transactions. If the amount is invalid (e.g., less than or equal to 0), the function returns a failure message without logging the error or the cause. This omission can hinder debugging, auditing, and detecting fraudulent activities.
How to fix Information Loss or Omission?
To fix this issue:
- Log All Outcomes: Ensure that all transactions, whether successful or failed, are logged with sufficient detail. This includes logging the reason for any failures.
- Use Appropriate Log Levels: Use different log levels (e.g., INFO, WARNING, ERROR) to differentiate between normal, suspicious, and erroneous events.
- Include Contextual Information: Provide context in logs to facilitate effective monitoring and analysis.
Fixed Code Example
Python Example
# transaction_logger.py
import logging

# Configure logging to include timestamps and log level
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')

def process_transaction(user_id, amount):
    # Log the beginning of the transaction processing (lazy %-formatting
    # lets the logging module skip string building for disabled levels)
    logging.info("Initiating transaction for user: %s, amount: %s", user_id, amount)
    # Check for a valid transaction amount
    if amount <= 0:
        # Log the failure with an appropriate log level and a detailed message
        logging.error("Transaction failed for user: %s due to invalid amount: %s", user_id, amount)
        return "Transaction failed due to invalid amount."
    # Log successful transaction processing
    logging.info("Transaction successful for user: %s, amount: %s", user_id, amount)
    return "Transaction successful!"
Explanation of the Fix:
- Comprehensive Logging: The code now logs all transactions, including successful and failed ones, with a detailed message.
- Error Logging: Any transaction failure is logged with the ERROR level, providing clear information about why the transaction failed.
- Improved Log Configuration: The logging configuration now includes timestamps and log levels to aid in tracking and analyzing logs.
This approach ensures that transactions are fully auditable, and any anomalies or errors can be detected and addressed promptly.
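The prevention guidelines above ask for logging that survives errors, and the fix steps ask for every outcome to be recorded with context. The following is an added example, not code from the CWE page, that carries both ideas one step further: an audit path that writes exactly one outcome line (DONE, REJECTED or ABORTED) per transaction even when the backend raises, and a detector that scans log text for transactions that began but never reached an outcome, which is the footprint this weakness leaves. All names (build_audit_logger, debit_account, process_transaction_audited, find_unterminated_transactions, run_demo) and the sample log lines are assumptions constructed for this example.

```python
# Added example for CWE-221 (not the page's code). All function names and
# sample data below are constructed for illustration.
import logging
from io import StringIO


def build_audit_logger(stream):
    """Return a logger that writes one 'LEVEL EVENT key=value ...' line per event."""
    logger = logging.getLogger("cwe221_example")
    logger.handlers.clear()          # idempotent when called repeatedly
    logger.propagate = False         # keep the root logger's config out of the picture
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def debit_account(balances, user_id, amount):
    """Constructed backend stand-in: fails loudly for unknown accounts."""
    if user_id not in balances:
        raise KeyError(f"unknown account {user_id}")
    balances[user_id] -= amount


def process_transaction_audited(logger, balances, txn_id, user_id, amount):
    """Process one transaction and guarantee an outcome line is logged.

    Returns True when the debit was applied, False when the request was
    rejected, and re-raises backend errors after recording them.
    """
    logger.info("BEGIN txn=%s user=%s amount=%s", txn_id, user_id, amount)
    outcome = None
    try:
        if amount <= 0:
            outcome = "REJECTED"
            logger.warning("REJECTED txn=%s user=%s reason=invalid_amount amount=%s",
                           txn_id, user_id, amount)
            return False
        debit_account(balances, user_id, amount)
        outcome = "DONE"
        logger.info("DONE txn=%s user=%s amount=%s", txn_id, user_id, amount)
        return True
    except Exception as exc:
        # Record the failure before propagating it, so the crash itself is audited
        outcome = "ABORTED"
        logger.error("ABORTED txn=%s user=%s error=%s", txn_id, user_id, type(exc).__name__)
        raise
    finally:
        # Safety net for exits that bypass the except clause (e.g. KeyboardInterrupt)
        if outcome is None:
            logger.critical("ABORTED txn=%s user=%s error=unlogged_exit", txn_id, user_id)


def find_unterminated_transactions(log_text):
    """Return sorted txn ids that have a BEGIN line but no DONE/REJECTED/ABORTED line."""
    begun, ended = set(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].startswith("txn="):
            continue                 # not one of our audit lines
        event, txn = parts[1], parts[2][len("txn="):]
        if event == "BEGIN":
            begun.add(txn)
        elif event in ("DONE", "REJECTED", "ABORTED"):
            ended.add(txn)
    return sorted(begun - ended)


def run_demo():
    """Exercise all three outcomes, then run the gap detector over the log."""
    stream = StringIO()
    logger = build_audit_logger(stream)
    balances = {"alice": 100}        # constructed account store
    results = {}
    results["t1"] = process_transaction_audited(logger, balances, "t1", "alice", 25)
    results["t2"] = process_transaction_audited(logger, balances, "t2", "alice", -5)
    try:
        process_transaction_audited(logger, balances, "t3", "mallory", 5)
    except KeyError:
        results["t3"] = None         # aborted, but the ABORTED line is already written
    # Constructed line from a system that logs like the vulnerable example:
    # a BEGIN with no outcome ever recorded.
    legacy = "INFO BEGIN txn=t9 user=bob amount=40\n"
    gaps = find_unterminated_transactions(stream.getvalue() + legacy)
    return results, balances["alice"], gaps


if __name__ == "__main__":
    print(run_demo())
```

Running the block reports t1 as applied, t2 as rejected, t3 as aborted with the balance still reduced only by the applied transaction, and flags t9 as the one transaction whose outcome is missing. In a real pipeline the same BEGIN-without-outcome query would run in the SIEM over the audit index rather than over an in-memory string.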