Service Packs and Hot Fixes / MNT-20322

Alfresco running with WebLogic throws Header:X-Alfresco-transformException Cannot contain CRLF Charcters

    Details

    • Bug Priority:
      Category 2
    • ACT Numbers:

      00984357, 00984671, 00987008

    • Story Points:
      3

      Description

      Oracle has fixed a security vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2017-10178) in WebLogic versions 12.2.1.2 and 12.2.1.3.

      The Oracle fix exposes a problem in Alfresco 5.2.4. When a new document cannot be indexed (e.g. a 0-byte PDF or a password-protected PDF), Alfresco copies a message containing a CRLF into the X-Alfresco-transformException header of the REST response it sends to Solr. With the security patch installed, WebLogic rejects the header value and the request fails with an HTTP 500 while the response is being built:

      ERROR [extensions.webscripts.AbstractRuntime] Exception from executeScript: Header:X-Alfresco-transformException Cannot contain CRLF Charcters
      java.lang.IllegalArgumentException: Header:X-Alfresco-transformException Cannot contain CRLF Charcters
              at weblogic.servlet.internal.ServletResponseImpl.checkForCRLFChars(ServletResponseImpl.java:1925)
              at weblogic.servlet.internal.ServletResponseImpl.setHeader(ServletResponseImpl.java:1087)
              at javax.servlet.http.HttpServletResponseWrapper.setHeader(HttpServletResponseWrapper.java:203)
              at org.springframework.extensions.webscripts.servlet.WebScriptServletResponse.setHeader(WebScriptServletResponse.java:87)
              at org.alfresco.repo.web.scripts.solr.NodeContentGet.execute(NodeContentGet.java:239)
              at org.alfresco.repo.web.scripts.RepositoryContainer$3.execute(RepositoryContainer.java:512)
              at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:464)
              at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:587)
              at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:656)
              at org.alfresco.repo.web.scripts.RepositoryContainer.executeScriptInternal(RepositoryContainer.java:355)
              at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:308)
              at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:399)
              at org.springframework.extensions.webscripts.AbstractRuntime.executeScript(AbstractRuntime.java:210)
              at org.springframework.extensions.webscripts.servlet.WebScriptServlet.service(WebScriptServlet.java:132)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
              at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:286)
              at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:260)
              at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:137)
              at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:350)
              at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
              at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
              at org.alfresco.module.aosmodule.service.ContextRootFilter.doFilter(ContextRootFilter.java:93)
              at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
              at org.alfresco.web.scripts.servlet.X509ServletFilterBase.doFilter(X509ServletFilterBase.java:144)
              at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
              at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
              at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
              at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:32)
              at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
              at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3701)
              at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3667)
              at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
              at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
              at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
              at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
              at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2443)
              at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2291)
              at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2269)
              at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1705)
              at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1665)
              at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:272)
              at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
              at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
              at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
              at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
              at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:652)
              at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420)
              at weblogic.work.ExecuteThread.run(ExecuteThread.java:360)
      

      This causes two critical problems for the customer:
      1. Excessive and repeated exception logs, as listed above, in alfresco.log.
      2. Degraded Solr performance: the content tracker's getTextContent call to the repository fails with HTTP 500 and the Solr log shows the following:

      org.alfresco.error.AlfrescoRuntimeException: 00240000 GetTextContentResponse return status is 500 
      at org.alfresco.solr.client.SOLRAPIClient.getTextContent(SOLRAPIClient.java:1118) 
      at org.alfresco.solr.SolrInformationServer.addContentPropertyToDocUsingAlfrescoRepository(SolrInformationServer.java:2783) 
      at org.alfresco.solr.SolrInformationServer.addContentToDoc(SolrInformationServer.java:2770) 
      at org.alfresco.solr.SolrInformationServer.updateContentToIndexAndCache(SolrInformationServer.java:2703) 
      at org.alfresco.solr.tracker.ContentTracker$ContentIndexWorkerRunnable.doWork(ContentTracker.java:135) 
      at org.alfresco.solr.tracker.AbstractWorkerRunnable.run(AbstractWorkerRunnable.java:47) 
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) 
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) 
      at java.lang.Thread.run(Thread.java:748) 
      

      The problem appears to be generated by Alfresco code inserting \n characters into the X-Alfresco-transformException header of the REST response to Solr.
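      For illustration, the following is an added example, not Alfresco's own code or the fix shipped for this issue. It shows the sanitisation a servlet needs before it copies a free-form exception message into a response header, together with a check that mirrors the container-side rejection seen in the stack trace above. It assumes, as that trace indicates, that the header is set from an exception message; the class name, method names and the sample message are constructed for this example.

```java
import java.util.regex.Pattern;

/**
 * Illustrative header-value sanitiser (added example, not Alfresco's fix).
 *
 * Per RFC 7230 a header field-value may never contain CR or LF; the other
 * C0 control characters (except HTAB) and DEL are not legal either. A servlet
 * container hardened against response splitting rejects such values rather
 * than repairing them, so the application has to make the value legal first.
 */
public class HeaderValueSanitizer {

    // Any run of CR, LF, other C0 controls (HTAB excluded) or DEL.
    private static final Pattern ILLEGAL_CHARS =
            Pattern.compile("[\\x00-\\x08\\x0A-\\x1F\\x7F]+");

    // Exception text is diagnostic, not data: keep the header bounded.
    private static final int MAX_LEN = 512;

    /** Returns a single-line value that a strict servlet container accepts. */
    public static String sanitize(String raw) {
        if (raw == null) {
            return "";
        }
        String cleaned = ILLEGAL_CHARS.matcher(raw).replaceAll(" ").trim();
        if (cleaned.length() > MAX_LEN) {
            cleaned = cleaned.substring(0, MAX_LEN) + "...";
        }
        return cleaned;
    }

    /** Mirrors the container-side check that produced the HTTP 500 above. */
    public static void assertNoCrlf(String name, String value) {
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(
                    "Header:" + name + " Cannot contain CRLF Characters");
        }
    }

    public static void main(String[] args) {
        // Constructed message standing in for a transformer exception on an
        // encrypted PDF; wrapped exceptions commonly carry a multi-line message.
        String transformMessage = "Transform failed for content\r\n"
                + "Caused by: document is password protected\n";

        try {
            assertNoCrlf("X-Alfresco-transformException", transformMessage);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        String safe = sanitize(transformMessage);
        assertNoCrlf("X-Alfresco-transformException", safe); // passes
        System.out.println("accepted: " + safe);

        // In a servlet the call would be:
        // response.setHeader("X-Alfresco-transformException", sanitize(e.getMessage()));
    }
}
```

      Run it with `java HeaderValueSanitizer.java` (JDK 11 or later). The safer design is not to place free-form exception text in a header at all: keep the header to a short single-line token and put the detail in the response body, so a hardened container never has a reason to reject the response.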

      Steps to Reproduce
      1. Install Alfresco 5.2.4 on WebLogic 12.2.1.2 and apply the Oracle Critical Patch Update fix for CVE-2017-10178 from
      https://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixFMW
      2. Upload the attached password-protected PDF document to Alfresco.
      3. Check alfresco.log and solr.log for the CRLF exception.

              People

              • Assignee:
                shareteam Share Team
              • Reporter:
                gcussen Gerald Cussen
              • Votes:
                0
              • Watchers:
                13
