  1. Service Packs and Hot Fixes
  2. MNT-20305

Oracle schema validation check failure with ojdbc7.jar version 12.1.0.2

    Details

    • Bug Priority:
      Category 1
    • ACT Numbers:

      00983386

      Description

      The following WARN log was reported in an Alfresco 5.2.4 bootstrap with a clean schema installation:

      2018-11-28 10:00:48,285 INFO [domain.schema.SchemaBootstrap] All executed statements: /tmp/Alfresco/AlfrescoSchema-AlfrescoOracle9Dialect-All_Statements-2350127769449230540.sql. 
      2018-11-28 10:01:02,363 WARN [domain.schema.SchemaBootstrap] Schema validation found 41 potential problems, results written to: /tmp/Alfresco/Alfresco-AlfrescoOracle9Dialect-Validation-Post-Upgrade-alf_-4800688769193055750.txt 
      2018-11-28 10:01:02,607 WARN [domain.schema.SchemaBootstrap] Schema validation found 1 potential problems, results written to: /tmp/Alfresco/Alfresco-AlfrescoOracle9Dialect-Validation-Post-Upgrade-act_-7880680268048640379.txt 
      

      The WARN refers to 41 missing sequences in the target schema. In fact, all the sequences are created in the schema. The problem is that the validation check made by Alfresco is blocked by the ojdbc7.jar driver when the driver is version 12.1.0.2. Reverting ojdbc7.jar to the previous version, 12.1.0.1, avoids the problem.

      The customer reports the problem could be related to security change CVE-2016-3506 which is applied to ojdbc7.jar v 12.1.0.2. They downloaded ojdbc7.jar from this Oracle location:
      https://www.oracle.com/technetwork/database/features/jdbc/default-2280470.html

      In their analysis the schema validation fails because of the way the sequences are requested by Alfresco.

      A similar case is reported when Jira uses ojdbc7.jar v 12.1.0.2 - reference: https://jira.atlassian.com/browse/JRASERVER-61007

      Snippet from JRASERVER-61007:

      "the existing implementation invokes DatabaseMetaData#getTables to retrieve the sequences in oracle with the types parameter being set as "SEQUENCE". However, due to a security patch - CVE-2016-3506, the "SEQUENCE" is not treated as legal input anymore."

      It looks like Alfresco is using the same getTables() method in the validation class
      org.alfresco.util.schemacomp.ExportDb to retrieve information about the schema sequences:

      private void extractSchema(DatabaseMetaData dbmd, String schemaName, String prefixFilter)
              throws SQLException, IllegalArgumentException, IllegalAccessException
      {
          if (log.isDebugEnabled())
          {
              log.debug("Retrieving tables: schemaName=[" + schemaName + "], prefixFilter=[" + prefixFilter + "]");
          }

          // Sequences are requested through the table-types filter of getTables(),
          // alongside tables and views.
          final ResultSet tables = dbmd.getTables(null, schemaName, prefixFilter, new String[]
          {
              "TABLE", "VIEW", "SEQUENCE"
          });
      

      If the sequences are not returned here, because of a change in driver version 12.1.0.2, then Alfresco will log the missing sequences warning.
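To confirm the behaviour described above against a given driver jar, the following diagnostic compares what getTables() returns for the "SEQUENCE" type with what the Oracle data dictionary view ALL_SEQUENCES lists for the same schema. It is an added example, not Alfresco code or the fix for this issue; the class name, the argument order and the DB_PASSWORD environment variable are assumptions made for illustration.

```java
import java.sql.*;
import java.util.*;

// Added diagnostic, not Alfresco code. Assumes the ojdbc jar under test is on the classpath.
// Usage (hypothetical): java SequenceVisibilityCheck <jdbcUrl> <user> <schema>
// The password is read from the DB_PASSWORD environment variable (assumed name).
public class SequenceVisibilityCheck {

    // Sequences as the JDBC metadata API reports them (the call the validation relies on).
    static Set<String> viaGetTables(DatabaseMetaData dbmd, String schema) throws SQLException {
        Set<String> names = new TreeSet<>();
        try (ResultSet rs = dbmd.getTables(null, schema, "%", new String[] {"SEQUENCE"})) {
            while (rs.next()) {
                names.add(rs.getString("TABLE_NAME"));
            }
        }
        return names;
    }

    // Sequences as the data dictionary reports them; the owner is passed as a bind variable.
    static Set<String> viaDictionary(Connection con, String schema) throws SQLException {
        Set<String> names = new TreeSet<>();
        String sql = "SELECT sequence_name FROM all_sequences WHERE sequence_owner = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, schema);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString(1));
                }
            }
        }
        return names;
    }

    // An SQLException from either lookup propagates so the driver's own message is visible.
    public static void main(String[] args) throws SQLException {
        String schema = args[2].toUpperCase(Locale.ROOT); // unquoted Oracle names are upper case
        String password = System.getenv("DB_PASSWORD");
        try (Connection con = DriverManager.getConnection(args[0], args[1], password)) {
            DatabaseMetaData dbmd = con.getMetaData();
            System.out.println("Driver: " + dbmd.getDriverName() + " " + dbmd.getDriverVersion());
            Set<String> reported = viaGetTables(dbmd, schema);
            Set<String> missing = new TreeSet<>(viaDictionary(con, schema));
            missing.removeAll(reported);
            System.out.println("getTables(SEQUENCE) returned " + reported.size() + " sequences");
            System.out.println("In ALL_SEQUENCES but not returned: " + missing);
        }
    }
}
```

Running it once with each driver version on the classpath shows whether the difference in reported sequences follows the jar rather than the schema.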

              People

              • Assignee:
                custeng Customer Engineering
                Reporter:
                gcussen Gerald Cussen