A Tomcat debug level of 3 or greater could cause sensitive data, including passwords, to be logged.
If you are using Tomcat to perform authentication, the Tomcat deployment descriptor file specifies a "Realm" used for authentication. It looks something like this:
Example:
<Realm className="org.apache.catalina.realm.JAASRealm"
appName="SRN"
userClassNames="com.srn.security.UserPrincipal"
roleClassNames="com.srn.security.RolePrincipal"/>
The Realm tag takes an optional attribute called debug, which indicates the log level. The higher the number, the more verbose the log messages. If the debug level is set too high, Tomcat will write all usernames and passwords in plaintext to the log file. The cutoff for debugging messages related to Tomcat's JAASRealm is 3 (3 or above is bad, 2 or below is okay), but this cutoff may vary for the other types of realms that Tomcat provides.
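The following script is an added example, not part of the original description, that performs the configuration check described above: it parses a Tomcat server.xml, finds every Realm element, and flags a JAASRealm whose debug attribute is 3 or above. Because the page states that the cutoff may differ for other realm types, any other realm that sets debug at all is reported for manual review rather than judged against the same cutoff. The server.xml fragment embedded in the script is constructed for the example and is not a real deployment file.

```python
"""Flag Tomcat <Realm> elements whose debug attribute is high enough to log credentials."""
import xml.etree.ElementTree as ET

# Cutoff from the description: a JAASRealm with debug >= 3 logs usernames and passwords.
JAAS_REALM_CUTOFF = 3

# Constructed sample server.xml fragment for this example (not a real deployment file).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JAASRealm"
             appName="SRN"
             userClassNames="com.srn.security.UserPrincipal"
             roleClassNames="com.srn.security.RolePrincipal"
             debug="3"/>
      <Host name="localhost" appBase="webapps">
        <Realm className="org.apache.catalina.realm.JAASRealm"
               appName="SRN" debug="2"/>
        <Realm className="org.apache.catalina.realm.MemoryRealm" debug="5"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def check_realm_debug(xml_text, jaas_cutoff=JAAS_REALM_CUTOFF):
    """Return one finding per Realm element that needs attention.

    Each finding is a tuple (className, debug_value, severity):
      'high'    - a JAASRealm at or above the cutoff (credentials will be logged)
      'review'  - any other realm type that sets debug; the cutoff for these
                  realms is not stated, so a human should confirm the level
      'invalid' - the debug attribute is not an integer
    Realm elements without a debug attribute are not reported.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for realm in root.iter("Realm"):
        class_name = realm.get("className", "")
        debug_attr = realm.get("debug")
        if debug_attr is None:
            continue
        try:
            level = int(debug_attr)
        except ValueError:
            findings.append((class_name, debug_attr, "invalid"))
            continue
        if class_name.endswith(".JAASRealm"):
            if level >= jaas_cutoff:
                findings.append((class_name, level, "high"))
        else:
            # Cutoff unknown for non-JAAS realms: surface it for manual review.
            findings.append((class_name, level, "review"))
    return findings


if __name__ == "__main__":
    for class_name, level, severity in check_realm_debug(SAMPLE_SERVER_XML):
        print(f"{severity:7} {class_name} debug={level}")
```

Run it against a real server.xml by passing the file contents to check_realm_debug; a 'high' finding on the sample above corresponds to the first JAASRealm (debug="3"), while the second JAASRealm at debug="2" is below the cutoff and is not reported.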
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A6 Information Leakage and Improper Error Handling
[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3620 CAT II
[5] Standards Mapping - FIPS200 - (FISMA) CM
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 215
[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.10
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.5
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.5.6