Corgea LogoCorgea Security Hub

CWE-537: Java Runtime Error Message Containing Sensitive Information

Learn about CWE-537 (Java Runtime Error Message Containing Sensitive Information), its security impact, exploitation methods, and prevention guidelines.

What is Java Runtime Error Message Containing Sensitive Information?

• Overview: Java Runtime Error Message Containing Sensitive Information (CWE-537) occurs when error messages disclose sensitive information due to unhandled exceptions. This can allow attackers to learn about the system and potentially find ways to exploit it.

• Exploitation Methods:

  • Attackers can intentionally trigger unhandled exceptions to view error messages.
  • Common attack patterns include sending unexpected input to uncover detailed stack traces or system information.

• Security Impact:

  • Direct consequences include leakage of sensitive data such as file paths, user information, or system configuration details.
  • Potential cascading effects include aiding attackers in further attacks such as SQL injection or buffer overflows.
  • Business impact can involve reputational damage, legal liabilities, and financial loss due to data breaches.

• Prevention Guidelines:

  • Specific code-level fixes include implementing try-catch blocks and custom error handling to prevent detailed error messages from being exposed.
  • Security best practices involve sanitizing all error messages and logging full error details securely without displaying them to the user.
  • Recommended tools and frameworks include using logging frameworks that support configurable log levels and integrating security libraries that help mask sensitive information.
Corgea can automatically detect and fix Java Runtime Error Message Containing Sensitive Information in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Java

Affected Technologies: Not specified

Vulnerable Code Example

// DatabaseConnection.java {15-20}
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class DatabaseConnection {

    private static final String DB_URL = "jdbc:mysql://localhost:3306/mydb";
    private static final String USER = "root";
    private static final String PASS = "password";

    public void connect() {
        try {
            Connection conn = DriverManager.getConnection(DB_URL, USER, PASS);
            System.out.println("Connection successful!");
            // Perform database operations
        } catch (SQLException e) {
            // Vulnerable: Printing stack trace can reveal sensitive information such as database credentials
            e.printStackTrace(); // {15-20}
        }
    }
}

How to fix Java Runtime Error Message Containing Sensitive Information?

To fix the vulnerability of exposing sensitive information through error messages, adhere to the following best practices:

  1. Avoid Printing Stack Traces: Directly printing stack traces can expose sensitive information, such as file paths or database credentials, to potential attackers. This information can be exploited to further compromise the system.

  2. Log Securely: Use a logging framework that allows controlled verbosity of logs and ensures sensitive information is not included. Proper logging practices include using log levels (INFO, WARN, ERROR) and ensuring sensitive data is either masked or not logged at all.

  3. User-friendly Error Messages: Provide generic error messages to users rather than detailed system exceptions. This helps prevent attackers from gaining insights into the system internals.

  4. Use Custom Exceptions: Implement custom exceptions to handle specific error conditions and provide meaningful messages without exposing sensitive details.

Fixed Code Example

// DatabaseConnection.java {15-21}
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class DatabaseConnection {

    private static final String DB_URL = "jdbc:mysql://localhost:3306/mydb";
    private static final String USER = "root";
    private static final String PASS = "password";

    // Secure logging setup
    private static final Logger logger = Logger.getLogger(DatabaseConnection.class.getName());

    public void connect() {
        try {
            Connection conn = DriverManager.getConnection(DB_URL, USER, PASS);
            System.out.println("Connection successful!");
            // Perform database operations
        } catch (SQLException e) {
            // Fixed: Use logging framework to log the exception securely without exposing sensitive details
            logger.log(Level.SEVERE, "Database connection failed", e); // {15-21}
            // Provide a generic error message to the user
            System.out.println("An error occurred while connecting to the database. Please try again later.");
        }
    }
}

In the fixed code example, we use the Logger class to log exceptions securely, which provides control over the output and ensures sensitive information is not exposed. Additionally, we provide a generic error message to the user, preventing the leakage of internal system details.

Corgea Logo

Find this vulnerability and fix it with Corgea

Scan your codebase for CWE-537: Java Runtime Error Message Containing Sensitive Information and get remediation guidance

Start for free and no credit card needed.