App Suite Security

Error handling

BSI IT-Grundschutz 2023 sections covered by this page
  • CON.8
  • CON.10
  • OPS.1.1.1
  • OPS.1.1.5
  • OPS.1.1.7
  • SYS.1.1
  • SYS.1.6

Error handling concept

All expected and unexpected errors are gracefully handled by OX App Suite to avoid impacting availability. Whenever possible, an erroneous transaction is rolled back to maintain a "fail secure" state and consistency of data and application state.

Logging

OX App Suite offers multiple levels of logging, implementing the principle of "need to know". As an end-user-facing application, multiple levels of information are included in error messages and log output. This makes sure sensitive information is never exposed to a user or attacker, while allowing transparent insight for legitimate operators.

On an operator level, very detailed logging is available to help identify the root cause of errors. These logs may include user-specific information like names, identifiers and stack traces. Each log entry has a unique identifier per node and contains a timestamp with high resolution. This information is useful for troubleshooting and escalating to vendor support. Even more detailed logging can be enabled to monitor object-level changes (audit logging) and individual user activity. Secret information, like credentials or database content, is not part of normal logging output; however, audit logging may expose database content. Access to this level of logging is strictly restricted to system operators, and logs should be treated as confidential information by the operator.

Responses from interfaces with potentially lower levels of trust, for example, provisioning, reseller or end-user interfaces, are heavily restricted to a brief issue description and the unique reference to the log entry that has been generated at the operator level. These responses do not contain any information that is sensitive from a security perspective and do not expose the internal state of the application.

Example

These examples highlight the concept of different log levels based on audience. The same action (log-in failure) is observed differently based on roles.

OX App Suite operators have detailed insight into various attributes of the log-in attempt and can use the information for security information and event monitoring (SIEM):

2023-11-10T12:59:01,918+0000 INFO  [OXWorker-0002452] com.openexchange.login.internal.
LoginPerformer.logLoginRequest(LoginPerformer.java:722)
Login:test IP:88.24.117.67 AuthID:7dad7cd809ab40b0ab7374f9fc4563a5 Agent:Mozilla/5.0
 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)
 Version/17.1 Safari/605.1.15 Client:open-xchange-appsuite(7.10.6-36)
 Interface:HTTP_JSON No session created.
 com.openexchange.database.schema=configdb
 com.openexchange.grizzly.method=POST
 com.openexchange.grizzly.queryString=<none>
 com.openexchange.grizzly.remoteAddress=88.24.117.67
 com.openexchange.grizzly.remotePort=60708
 com.openexchange.grizzly.requestURI=/ajax/login
 com.openexchange.grizzly.serverName=sandbox.open-xchange.com
 com.openexchange.grizzly.servletPath=/ajax/login
 com.openexchange.grizzly.session=4144140097289391190.OX0
 com.openexchange.grizzly.threadName=OXWorker-0002452
 com.openexchange.grizzly.userAgent=Mozilla/5.0
 com.openexchange.localhost.ipAddress=127.0.1.1
 com.openexchange.localhost.version=7.10.6-Rev53
 com.openexchange.login.authId=7dad7cd809ab40b0ab7374f9fc4563a5
 com.openexchange.login.client=open-xchange-appsuite
 com.openexchange.login.clientIp=88.24.117.67
 com.openexchange.login.login=test
 com.openexchange.login.userAgent=Mozilla/5.0
 com.openexchange.login.version=7.10.6-36
 com.openexchange.request.trackingId=752175688-376099567

The same logging action returns minimal information to the public API, considering that the request may have been triggered by an untrusted person or process:

{
    "error": "The user name or password is incorrect.",
    "error_params": [],
    "categories": "USER_INPUT",
    "category": 1,
    "code": "LGI-0006",
    "error_id": "-752175688-3926",
    "error_desc": "Invalid credentials."
}

Note that the unique log identifier (error-id) is returned to the public API, which allows support agents to map first-level support requests with operational information later on in the resolution process.

Finally, the web application translates the API response into a user-readable format, including localization:

The user name or password is incorrect. (LGI-0006)