tracker issue : CF-4205821

Title:

Sporadic StackOverflowError involving coldfusion.security.BasicPolicy since CF2016HF12

Status/Resolution/Reason: To Track//PRNeedInfo

Reporter/Name(from Bugbase): Markus W. / ()

Created: 11/07/2019

Components: Security, Sandbox

Versions: 2016

Failure Type: Others

Found In Build/Fixed In Build: 2016,0,12,315717 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Problem Description:

Since CF2016HF12 we sometimes get StackOverflowError exceptions on different pages.

Steps to Reproduce:

Currently we are not able to manually trigger this error. It occurs "randomly" between every few days and several times a day on different pages, and when it occurs, it only affects this (or those) page(s) while other pages still work.

Actual Result:

In this case it happened when trying to open the ColdFusion Administrator:

"Error","http-nio-8500-exec-5","11/07/19","12:50:32",,"'' The specific sequence of files included or processed is: C:\ColdFusion2016\cfusion\wwwroot\CFIDE\administrator\index.cfm'' "
java.lang.StackOverflowError
	at java.security.AccessController.doPrivileged(Native Method)
	at java.io.FilePermission.init(FilePermission.java:212)
	at java.io.FilePermission.<init>(FilePermission.java:299)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
	at java.io.File.isDirectory(File.java:844)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
[the block below repeats 75 times to a total of 1024 "at …"]
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)

Here it happened during servlet initialization or something like that:

Nov 05, 2019 2:59:50 PM org.apache.catalina.core.StandardWrapperValve invoke
SCHWERWIEGEND: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [null] with root cause
java.lang.StackOverflowError
	at java.security.AccessController.doPrivileged(Native Method)
	at java.io.FilePermission.init(FilePermission.java:203)
	at java.io.FilePermission.<init>(FilePermission.java:277)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
	at java.io.File.isDirectory(File.java:844)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
[the lines below repeat 76 times]
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)

Expected Result:

Page loads without StackOverflowError. :-)

Any Workarounds:

Restart the ColdFusion Application Server. Once the error vanished after around 15 minutes. But usually the error persists on the affected pages until the server is restarted.

Attachments:

Comments:

Hi Markus,
Please apply the attached hot fix to the CF 2016 server.
Hot fix: hf201600-4205269.jar
MD5: ae528a2362000addf88566e11854a94a
Steps to apply the patch:
1. Stop CF service
2. Place the downloaded hot fix inside <cf_install_root>/cfusion/lib/updates
3. Start CF service
NOTE: This hot fix has to be applied on top of ColdFusion 2016 Update 2016.
Please do let us know if it works for you.
-Nimit
Comment by Nimit S.
31687 | November 07, 2019 01:26:06 PM GMT
Is this issue present in ColdFusion 2018 update 5 as well? We've noticed similar behavior that results in a memory leak for Java heap space which has many references to 'coldfusion.security.BasicPolicy'. The threads where these leaks occur are also hanging on:
	at java.security.AccessController.doPrivileged(Native Method)
Thanks
Comment by dakota c.
31688 | November 09, 2019 07:58:51 PM GMT
This issue is present in ColdFusion 2018 Update 5 and it exhibits the same behavior listed in the stack trace provided above by Markus. Below is an example of this occurring on a CF2018Update5 instance:
"ajp-nio-8018-exec-7" runnable
	at java.io.WinNTFileSystem.getBooleanAttributes(Native Method)
	at java.io.File.isDirectory(File.java:850)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:684)
	at java.security.Policy.implies(Policy.java:737)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
	at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:895)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
	at java.lang.System.getProperty(System.java:810)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:684)
	at java.security.Policy.implies(Policy.java:737)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
	at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:895)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
	at java.lang.System.getProperty(System.java:810)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:684)
	at java.security.Policy.implies(Policy.java:737)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
	at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:895)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
	at java.lang.System.getProperty(System.java:810)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
This thread was captured while the issue was occurring and before the StackOverflow error occurred.
Comment by dakota c.
31801 | November 11, 2019 03:41:57 PM GMT
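The repeating block that the reporter counted by hand in the traces above can be found mechanically. The following is an added example, not part of the original report and not Adobe's code: a Python sketch that parses a Java stack trace (one frame per line, or flattened onto one line as in the comments here), finds the repeating block, and reports where `coldfusion.security.BasicPolicy` calls into code that leads back into the permission check. The function names are illustrative, and the sample trace is constructed from frames quoted in the report with fewer repetitions.

```python
import re

# One frame: "at [module/]pkg.Class.method(Source.java:123)". finditer() lets the same
# parser read line-per-frame logs and traces flattened onto a single line.
FRAME_RE = re.compile(r"\bat\s+(?:[\w.]+/)?([\w.$<>]+\([^()]*\))")


def parse_frames(trace):
    """Frames top-of-stack first, without 'at ' and without a module prefix."""
    return [m.group(1) for m in FRAME_RE.finditer(trace)]


def find_cycle(frames):
    """Shortest block that repeats through to the end of the trace.

    Returns (start, period, full_repeats), or None if nothing repeats twice.
    Matching backwards from the last frame tolerates a trace that was cut off
    part-way through a repetition.
    """
    n = len(frames)
    for period in range(1, n // 2 + 1):
        start = n - period
        while start > 0 and frames[start - 1] == frames[start - 1 + period]:
            start -= 1
        if n - start >= 2 * period:
            return start, period, (n - start) // period
    return None


def reentry_sites(frames, policy_class):
    """(policy frame, callee) pairs in the cycle where policy_class calls other code.

    A callee is printed directly above its caller, so the callee of cycle[i] is
    cycle[i - 1]; index -1 wraps around to the previous repetition.
    """
    found = find_cycle(frames)
    if found is None:
        return []
    start, period, _ = found
    cycle = frames[start:start + period]
    own = (policy_class + ".", policy_class + "$")
    return [(frame, cycle[i - 1]) for i, frame in enumerate(cycle)
            if frame.startswith(own) and not cycle[i - 1].startswith(own)]


def collapse(trace):
    """Non-repeating head once, then a single copy of the repeating block."""
    frames = parse_frames(trace)
    found = find_cycle(frames)
    start, period, repeats = found if found else (len(frames), 0, 0)
    lines = ["\tat " + f for f in frames[:start]]
    if found:
        lines.append(f"[the {period} frames below repeat {repeats} times]")
        lines += ["\tat " + f for f in frames[start:start + period]]
    return "\n".join(lines)


# Constructed sample: frames copied from the CF2016 trace in the report, with the
# 13-frame block repeated 5 times (not 75) and cut off 4 frames into a 6th pass.
HEAD = """java.security.AccessController.doPrivileged(Native Method)
java.io.FilePermission.init(FilePermission.java:212)
java.io.FilePermission.<init>(FilePermission.java:299)
java.lang.SecurityManager.checkRead(SecurityManager.java:888)
java.io.File.isDirectory(File.java:844)
java.io.File.toURL(File.java:686)
coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
java.security.AccessController.doPrivileged(Native Method)
coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)""".split("\n")
BLOCK = """java.security.Policy.getPermissions(Policy.java:668)
java.security.Policy.implies(Policy.java:721)
java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
java.security.AccessController.checkPermission(AccessController.java:886)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
java.lang.System.getProperty(System.java:717)
coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
coldfusion.util.SoftCache.get(SoftCache.java:81)
coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)""".split("\n")
SAMPLE = "java.lang.StackOverflowError\n" + "\n".join(
    "\tat " + f for f in HEAD + BLOCK * 5 + BLOCK[:4])

if __name__ == "__main__":
    print(collapse(SAMPLE))
    for caller, callee in reentry_sites(parse_frames(SAMPLE), "coldfusion.security.BasicPolicy"):
        print("policy re-entered via", caller, "->", callee)
```

For the sample, the reported pair is the call at BasicPolicy.java:149 into Utils.getCanonicalFile, the step in the posted traces that leads through System.getProperty back into Policy.getPermissions.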
I applied the patch on Thursday last week and restarted the ColdFusion Service. lib\updates\ contains chf20160012.jar and hf201600-4205269.jar and ColdFusion Administrator shows
Version 2016.0.12.315717
Update Level C:/ColdFusion2016/cfusion/lib/updates/hf201600-4205269.jar
so I assume the patch applied correctly. But yesterday I again got multiple StackOverflowErrors. This is the first one with some more probably related context with the same timestamp:
Nov 12, 2019 1:07:43 PM org.apache.catalina.core.StandardWrapperValve invoke
SCHWERWIEGEND: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [null] with root cause
java.lang.StackOverflowError
	at java.security.AccessController.doPrivileged(Native Method)
	at java.io.FilePermission.init(FilePermission.java:212)
	at java.io.FilePermission.<init>(FilePermission.java:299)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
	at java.io.File.isDirectory(File.java:844)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
[the following 13 lines are repeating again]
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
Nov 12, 2019 1:07:43 PM org.apache.catalina.core.ApplicationDispatcher invoke
SCHWERWIEGEND: Servlet.service() for servlet [jsp] threw exception
java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.catalina.connector.Request.doGetSession(Request.java:3048)
	at org.apache.catalina.connector.Request.getSession(Request.java:2481)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:615)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:560)
	at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:137)
	at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:109)
	at org.apache.jasper.runtime.JspFactoryImpl.access$000(JspFactoryImpl.java:39)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:153)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:126)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:58)
	at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:100)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at sun.reflect.GeneratedMethodAccessor74.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
	at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:591)
	at org.apache.catalina.core.ApplicationDispatcher.access$100(ApplicationDispatcher.java:63)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:117)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:105)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:518)
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:380)
	at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:323)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:166)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Nov 12, 2019 1:07:43 PM org.apache.catalina.core.StandardHostValve custom
SCHWERWIEGEND: Exception Processing ErrorPage[exceptionType=java.lang.Exception, location=/CFIDE/administrator/templates/errors.jsp]
org.apache.jasper.JasperException: javax.servlet.ServletException: java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:598)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:499)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at sun.reflect.GeneratedMethodAccessor74.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
	at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:591)
	at org.apache.catalina.core.ApplicationDispatcher.access$100(ApplicationDispatcher.java:63)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:117)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:105)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:518)
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:380)
	at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:323)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:166)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.servlet.ServletException: java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:206)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
	... 40 more
Caused by: java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.catalina.connector.Request.doGetSession(Request.java:3048)
	at org.apache.catalina.connector.Request.getSession(Request.java:2481)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:615)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:560)
	at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:137)
	at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:109)
	at org.apache.jasper.runtime.JspFactoryImpl.access$000(JspFactoryImpl.java:39)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:153)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:126)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:58)
	at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:100)
	... 43 more
Comment by Markus W.
31802 | November 13, 2019 10:41:12 AM GMT
Hi,
Can you please let me know a few things?
1. How much time before you started seeing the errors again after applying the patch?
2. I am assuming your environment is Sandboxed?
3. What kind of loads are you hitting to this sandboxed environment?
4. Is there any particular CFM which is being called a lot of times?
Thanks,
Kailash
Comment by Kailash B.
31803 | November 14, 2019 11:06:20 AM GMT
> # How much time before you started seeing the errors again after applying the patch?
About 5 days (including the weekend when probably no one accessed it).
> # I am assuming your environment is Sandboxed?
Yes, we have enabled Sandbox Security with a single sandbox for the whole "wwwroot" directory (plus the unmodified default ones for CFIDE and WEB-INF).
> # What kind of loads are you hitting to this sandboxed environment?
I tested it on an internal development machine, so there's frequent load from few users during office time but no really high load. I also get those errors every few days on my local development machine, which is rebooted daily, is only accessed by me (so very low load) and runs on Linux – but that's still without the patch!
> # Is there any particular CFM which is being called a lot of times?
There are some CFM which are called very often compared to others. But I've seen the error on those and also others which are called only a few times a day – and even the ColdFusion Administrator start page when it was called the first time after probably several days. I don't know where it occurred in the log from Nov 12 – I didn't get an error report but found it only in the log file and there's no reference to one of "our" files in it.
Comment by Markus W.
31843 | November 15, 2019 11:52:13 AM GMT
This issue is still occurring in ColdFusion 2018 Update 6. Here is the error we experienced for reference:
Caused by: java.lang.StackOverflowError
	at java.base/java.io.FilePermission.init(FilePermission.java:344)
	at java.base/java.io.FilePermission.<init>(FilePermission.java:477)
	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:674)
	at java.base/java.io.File.isDirectory(File.java:845)
	at java.base/java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
I updated ColdFusion case# 24430 regarding this issue and included the exception.log file from the server this issue is occurring on.
Comment by dakota c.
31887 | November 27, 2019 06:42:45 PM GMT