CVE-2022-21704 Overview
CVE-2022-21704 is an insecure permissions vulnerability in log4js-node, a popular port of log4js to Node.js. In affected versions, the default file permissions for log files created by the file, fileSync, and dateFile appenders are world-readable (in Unix-based systems). This misconfiguration could lead to sensitive information disclosure if log files contain confidential data such as user credentials, session tokens, API keys, or personally identifiable information.
Critical Impact
Log files created with default settings are world-readable, potentially exposing sensitive application data to any local user on the system.
Affected Products
- log4js-node (versions prior to 6.4.0)
- Debian Linux 10.0
Discovery Timeline
- 2022-01-19 - CVE-2022-21704 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21704
Vulnerability Analysis
This vulnerability stems from improper default file permissions (CWE-276) in the log4js-node library. When applications use the file, fileSync, or dateFile appenders without explicitly specifying the mode parameter in their configuration, log files are created with world-readable permissions. This allows any user on the system to read the contents of these log files.
The vulnerability requires local access to exploit, as an attacker must be able to read files on the same system where the vulnerable application is running. While this limits the attack surface, multi-tenant environments, shared hosting platforms, and systems with multiple user accounts are particularly at risk.
Root Cause
The root cause of CVE-2022-21704 is the absence of secure default file permissions in the log4js-node library. When creating log files, the library did not apply restrictive permissions by default, leaving files accessible to all users on the system. The fix, implemented in the streamroller dependency, changes the default file creation mode to be more restrictive, ensuring log files are only readable by the file owner.
Attack Vector
This vulnerability is exploited through local access: an attacker with a valid user account on the affected system can navigate to the directory where log files are stored and read their contents without requiring elevated privileges. The exploitation path involves:
- Identifying applications using vulnerable versions of log4js-node
- Locating the log file storage directory
- Reading log files containing potentially sensitive information
- Extracting credentials, tokens, or other confidential data from the logs
Due to the nature of this vulnerability, exploitation does not require any sophisticated techniques—simple file read operations are sufficient once the attacker has local access.
Detection Methods for CVE-2022-21704
Indicators of Compromise
- Log files with permissions set to 644 or more permissive (world-readable)
- Unexpected user access to application log directories
- Evidence of log file enumeration by non-administrative users
- Audit logs showing read access to sensitive log files by unauthorized accounts
Detection Strategies
- Run ls -la on log directories to identify files with world-readable permissions
- Use file integrity monitoring to detect permission changes on log files
- Implement audit rules with auditd to monitor access to log file directories
- Scan for log4js-node dependencies with versions prior to 6.4.0 using npm audit or software composition analysis tools
Monitoring Recommendations
- Enable file access auditing on directories containing application logs
- Configure SIEM alerts for unusual log file access patterns
- Monitor for bulk file enumeration activities in log directories
- Implement regular permission audits using automated scripts or security scanners
How to Mitigate CVE-2022-21704
Immediate Actions Required
- Upgrade log4js-node to version 6.4.0 or later
- Review existing log files and update permissions to restrict access (chmod 600)
- Audit log file contents for any sensitive information that may have been exposed
- Set an explicit mode parameter in the log4js appender configuration to enforce restrictive permissions
Patch Information
The vulnerability has been addressed in log4js-node version 6.4.0. The fix was implemented through updates to both the main log4js-node repository and the streamroller dependency. Organizations should update their dependencies to the patched versions:
- Update log4js-node to version 6.4.0 or later via npm
- Review the GitHub Changelog Entry for details on the fix
- Consult the GitHub Security Advisory GHSA-82v2-mx6x-wq7q for additional remediation guidance
- Debian users should apply updates per the Debian LTS Security Announcement
Workarounds
- Explicitly set the mode parameter in your log4js appender configuration to restrict file permissions (e.g., mode: 0o600)
- Move log files to directories accessible only by the application user
- Use operating system-level access controls to restrict the log directory
- Consider using centralized logging solutions that do not store sensitive data locally
# Remediation commands (shell)
# Install the patched version (this also updates package.json)
npm install log4js@6.4.0
# Manually fix permissions on existing log files
find /var/log/myapp -name "*.log" -exec chmod 600 {} \;
# Verify permissions are restrictive
ls -la /var/log/myapp/*.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.