tracker issue : CF-4205821

Title:

Sporadic StackOverflowError involving coldfusion.security.BasicPolicy since CF2016HF12

Status/Resolution/Reason: To Track//PRNeedInfo

Reporter/Name(from Bugbase): Markus W. / ()

Created: 11/07/2019

Components: Security, Sandbox

Versions: 2016

Failure Type: Others

Found In Build/Fixed In Build: 2016,0,12,315717 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win 2012 Server x64

Vote Count: 2

Problem Description:

Since CF2016HF12 we sometimes get StackOverflowError exceptions on different pages.

Steps to Reproduce:

Currently we were not able to manually trigger this error. It occurs "randomly" between every few days and several times a day on different pages and when it occurs, it's only affecting this (or those) page(s) while other pages still work. 

Actual Result:

In this case it happened when trying to open the ColdFusion Administrator:

"Error","http-nio-8500-exec-5","11/07/19","12:50:32",,"'' The specific sequence of files included or processed is: C:\ColdFusion2016\cfusion\wwwroot\CFIDE\administrator\index.cfm'' "
java.lang.StackOverflowError
	at java.security.AccessController.doPrivileged(Native Method)
	at java.io.FilePermission.init(FilePermission.java:212)
	at java.io.FilePermission.<init>(FilePermission.java:299)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
	at java.io.File.isDirectory(File.java:844)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
[the block below repeats 75 times to a total of 1024 "at …"]
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)

Here it happened during servlet initialization or something like that:

Nov 05, 2019 2:59:50 PM org.apache.catalina.core.StandardWrapperValve invoke
SCHWERWIEGEND: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [null] with root cause
java.lang.StackOverflowError
	at java.security.AccessController.doPrivileged(Native Method)
	at java.io.FilePermission.init(FilePermission.java:203)
	at java.io.FilePermission.<init>(FilePermission.java:277)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
	at java.io.File.isDirectory(File.java:844)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
[the lines below repeat 76 times]
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)

Expected Result:

Page loads without StackOverflowError. :-)

Any Workarounds:

Restart the ColdFusion Application Server. Once the error vanished after around 15 minutes. But usually the error persists on the affected pages until the server is restarted.

Attachments:

Comments:

Hi Markus,

Please apply the attached hot fix to the CF 2016 server.

Hot fix: hf201600-4205269.jar
MD5: ae528a2362000addf88566e11854a94a

Steps to apply the patch:
1. Stop CF service
2. Place the downloaded hot fix inside <cf_install_root>/cfusion/lib/updates
3. Start CF service

NOTE: This hot fix has to be applied on top of ColdFusion 2016 Update 2016.

Please do let us know if it works for you.

-Nimit
Comment by Nimit S.
31687 | November 07, 2019 01:26:06 PM GMT
Is this issue present in ColdFusion 2018 update 5 as well? We've noticed similar behavior that results in a memory leak for Java heap space which has many references to 'coldfusion.security.BasicPolicy'. The threads in where these leaks occur are also hanging on:
	at java.security.AccessController.doPrivileged(Native Method)
Thanks
Comment by dakota c.
31688 | November 09, 2019 07:58:51 PM GMT
This issue is present in ColdFusion 2018 Update 5 and it exhibits the same behavior listed in the stack trace provided above by Markus. Below is an example of this occurring on a CF2018Update5 instance:

"ajp-nio-8018-exec-7" runnable
	at java.io.WinNTFileSystem.getBooleanAttributes(Native Method)
	at java.io.File.isDirectory(File.java:850)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:684)
	at java.security.Policy.implies(Policy.java:737)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
	at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:895)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
	at java.lang.System.getProperty(System.java:810)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:684)
	at java.security.Policy.implies(Policy.java:737)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
	at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:895)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
	at java.lang.System.getProperty(System.java:810)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.security.Policy.getPermissions(Policy.java:684)
	at java.security.Policy.implies(Policy.java:737)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:321)
	at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:895)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
	at java.lang.System.getProperty(System.java:810)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)

This thread was captured while the issue was occurring and before the StackOverflow error occurred.
Comment by dakota c.
31801 | November 11, 2019 03:41:57 PM GMT
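
The repeating frame block in the traces above can be isolated mechanically. The following Python script is an added example, not part of the tracker thread or of ColdFusion: it parses a Java stack trace, finds the repeating cycle, and names the permission check, the non-JDK frame that triggers it, and the Policy implementation that is re-entered. The sample trace reuses the reported Java 8 frames with three repetitions instead of 75; all function and variable names are this example's own.

```python
import re
from collections import namedtuple

# Matches "at [module/]pkg.Class.method(File.java:N)" in multi-line traces and
# in traces that a tracker or log shipper flattened onto one line.
FRAME_RE = re.compile(r"\bat\s+(?:[\w.]+/)?([\w.$<>]+)\(([^()]*)\)")
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")
SM_CHECK = ".SecurityManager.check"
POLICY_API = "java.security.Policy."
Cycle = namedtuple("Cycle", "start period repeats frames")


def parse_frames(text):
    """Return the frames of a Java stack trace, innermost call first."""
    return [f"{m.group(1)}({m.group(2)})" for m in FRAME_RE.finditer(text)]


def find_cycle(frames, min_repeats=2):
    """Find the repeating frame block covering most of the stack, or None."""
    best, n = None, len(frames)
    for period in range(1, n // min_repeats + 1):
        run_start = None
        for i in range(n - period + 1):  # the last i is a sentinel that closes a run
            same = i < n - period and frames[i] == frames[i + period]
            if same and run_start is None:
                run_start = i
            elif not same and run_start is not None:
                covered = i - run_start + period
                if covered >= period * min_repeats and (
                        best is None or covered > best[0]):
                    best = (covered, run_start, period)
                run_start = None
    if best is None:
        return None
    covered, start, period = best
    return Cycle(start, period, covered // period, frames[start:start + period])


def explain_cycle(cycle):
    """Name the permission check, its non-JDK caller and the re-entered Policy."""
    fr, p = cycle.frames, cycle.period
    info = {"check": None, "trigger": None, "policy_impl": None}
    for i, f in enumerate(fr):
        # The cycle may start at any phase, so neighbours wrap around.
        caller, callee = fr[(i + 1) % p], fr[(i - 1) % p]
        if SM_CHECK in f and SM_CHECK not in caller:
            j = (i + 1) % p
            while j != i and fr[j].startswith(JDK_PREFIXES):
                j = (j + 1) % p
            info["check"], info["trigger"] = f, (fr[j] if j != i else None)
        if f.startswith(POLICY_API) and not callee.startswith(POLICY_API):
            info["policy_impl"] = callee
    return info


# Constructed sample: frames copied from the report's Java 8 trace, with the
# repeating block included 3 times instead of 75.
HEAD = [
    "java.security.AccessController.doPrivileged(Native Method)",
    "java.io.FilePermission.init(FilePermission.java:212)",
    "java.io.FilePermission.<init>(FilePermission.java:299)",
    "java.lang.SecurityManager.checkRead(SecurityManager.java:888)",
    "java.io.File.isDirectory(File.java:844)",
    "java.io.File.toURL(File.java:686)",
    "coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)",
    "java.security.AccessController.doPrivileged(Native Method)",
    "coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)",
    "coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)",
]
LOOP = [
    "java.security.Policy.getPermissions(Policy.java:668)",
    "java.security.Policy.implies(Policy.java:721)",
    "java.security.ProtectionDomain.implies(ProtectionDomain.java:279)",
    "java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)",
    "java.security.AccessController.checkPermission(AccessController.java:886)",
    "java.lang.SecurityManager.checkPermission(SecurityManager.java:549)",
    "java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)",
    "java.lang.System.getProperty(System.java:717)",
    "coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)",
    "coldfusion.util.SoftCache.get(SoftCache.java:81)",
    "coldfusion.util.Utils.getCanonicalFile(Utils.java:353)",
    "coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)",
    "coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)",
]
SAMPLE_TRACE = "java.lang.StackOverflowError\n" + "".join(
    f"\tat {frame}\n" for frame in HEAD + LOOP * 3)


if __name__ == "__main__":
    cycle = find_cycle(parse_frames(SAMPLE_TRACE))
    print(f"cycle of {cycle.period} frames, seen {cycle.repeats}x, from frame {cycle.start}")
    for key, frame in explain_cycle(cycle).items():
        print(f"{key:12} {frame}")
```

On the sample it reports a 13-frame cycle in which `BasicPolicy.getPermissions` is re-entered through the property-access check raised under `SoftCache.get_statsOff`.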
I applied the patch on Thursday last week and restarted the ColdFusion Service. lib\updates\ contains chf20160012.jar and hf201600-4205269.jar and ColdFusion Administrator shows

Version 2016.0.12.315717
Update Level C:/ColdFusion2016/cfusion/lib/updates/hf201600-4205269.jar

so I assume the patch applied correctly. But yesterday I got again multiple StackOverflowError. This is the first one with some more probably related context with the same timestamp:

Nov 12, 2019 1:07:43 PM org.apache.catalina.core.StandardWrapperValve invoke
SCHWERWIEGEND: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [null] with root cause
java.lang.StackOverflowError
	at java.security.AccessController.doPrivileged(Native Method)
	at java.io.FilePermission.init(FilePermission.java:212)
	at java.io.FilePermission.<init>(FilePermission.java:299)
	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
	at java.io.File.isDirectory(File.java:844)
	at java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
[the following 13 lines are repeating again]
	at java.security.Policy.getPermissions(Policy.java:668)
	at java.security.Policy.implies(Policy.java:721)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:279)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.security.AccessController.checkPermission(AccessController.java:886)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:353)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)

Nov 12, 2019 1:07:43 PM org.apache.catalina.core.ApplicationDispatcher invoke
SCHWERWIEGEND: Servlet.service() for servlet [jsp] threw exception
java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.catalina.connector.Request.doGetSession(Request.java:3048)
	at org.apache.catalina.connector.Request.getSession(Request.java:2481)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:615)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:560)
	at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:137)
	at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:109)
	at org.apache.jasper.runtime.JspFactoryImpl.access$000(JspFactoryImpl.java:39)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:153)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:126)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:58)
	at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:100)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at sun.reflect.GeneratedMethodAccessor74.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
	at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:591)
	at org.apache.catalina.core.ApplicationDispatcher.access$100(ApplicationDispatcher.java:63)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:117)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:105)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:518)
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:380)
	at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:323)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:166)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Nov 12, 2019 1:07:43 PM org.apache.catalina.core.StandardHostValve custom
SCHWERWIEGEND: Exception Processing ErrorPage[exceptionType=java.lang.Exception, location=/CFIDE/administrator/templates/errors.jsp]
org.apache.jasper.JasperException: javax.servlet.ServletException: java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:598)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:499)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at sun.reflect.GeneratedMethodAccessor74.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728)
	at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:591)
	at org.apache.catalina.core.ApplicationDispatcher.access$100(ApplicationDispatcher.java:63)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:117)
	at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:105)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:518)
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:380)
	at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:323)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:166)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356)
	at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.servlet.ServletException: java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:206)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476)
	... 40 more
Caused by: java.lang.IllegalStateException: Cannot create a session after the response has been committed
	at org.apache.catalina.connector.Request.doGetSession(Request.java:3048)
	at org.apache.catalina.connector.Request.getSession(Request.java:2481)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216)
	at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894)
	at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:615)
	at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:560)
	at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:137)
	at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:109)
	at org.apache.jasper.runtime.JspFactoryImpl.access$000(JspFactoryImpl.java:39)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:153)
	at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:126)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:58)
	at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:100)
	... 43 more
Comment by Markus W.
31802 | November 13, 2019 10:41:12 AM GMT
Hi,

Can you please let me know a few things?
1. How much time before you started seeing the errors again after applying the patch?
2. I am assuming your environment is Sandboxed?
3. What kind of loads are you hitting to this sandboxed environment?
4. Is there any particular CFM which is being called a lot of times?

Thanks,
Kailash
Comment by Kailash B.
31803 | November 14, 2019 11:06:20 AM GMT
> 1. How much time before you started seeing the errors again after applying the patch?
About 5 days (including the weekend when probably no one accessed it).

> 2. I am assuming your environment is Sandboxed?
Yes, we have enabled Sandbox Security with a single sandbox for the whole "wwwroot" directory (plus the unmodified default ones for CFIDE and WEB-INF).

> 3. What kind of loads are you hitting to this sandboxed environment?
I tested it on an internal development machine, so there's frequent load from few users during office time but no really high load. I also get those errors every few days on my local development machine, which is rebooted daily, is only accessed by me (so very low load) and runs on Linux – but that's still without the patch!

> 4. Is there any particular CFM which is being called a lot of times?
There are some CFM which are called very often compared to others. But I've seen the error on those and also others which are called only a few times a day – and even the ColdFusion Administrator start page when it was called the first time after probably several days. I don't know where it occurred in the log from Nov 12 – I didn't get an error report but found it only in the log file and there's no reference to one of "our" files in it.
Comment by Markus W.
31843 | November 15, 2019 11:52:13 AM GMT
This issue is still occurring in ColdFusion 2018 Update 6. Here is the error we experienced for reference:

Caused by: java.lang.StackOverflowError
	at java.base/java.io.FilePermission.init(FilePermission.java:344)
	at java.base/java.io.FilePermission.<init>(FilePermission.java:477)
	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:674)
	at java.base/java.io.File.isDirectory(File.java:845)
	at java.base/java.io.File.toURL(File.java:686)
	at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)
	at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)
	at java.base/java.security.Policy.getPermissions(Policy.java:684)
	at java.base/java.security.Policy.implies(Policy.java:737)
	at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)
	at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
	at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)
	at java.base/java.lang.System.getProperty(System.java:788)
	at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)
	at coldfusion.util.SoftCache.get(SoftCache.java:81)
	at coldfusion.util.Utils.getCanonicalFile(Utils.java:357)
	at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)

I updated ColdFusion case# 24430 regarding this issue and included the exception.log file from the server this issue is occurring on.
Comment by dakota c.
31887 | November 27, 2019 06:42:45 PM GMT
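The trace in the comment above repeats one fixed sequence of frames. As an added example (not code from the tracker or from ColdFusion), this Python script finds that repeating cycle in a run-together trace and names the application frame whose JDK call triggers the next SecurityManager check. The function names and the `coldfusion.` prefix default are assumptions of the example, and the sample input is constructed from the frames quoted in that comment.

```python
import re

FRAME = re.compile(r"\bat\s+(?:[\w.]+/)?([\w.$<>]+)\([^()]*\)")

def parse_frames(text):
    """Frames as 'pkg.Class.method', innermost first; works on run-together traces."""
    return FRAME.findall(text)

def find_cycle(frames, min_repeats=2):
    """(start, cycle) for the shortest sequence that repeats through the end of the trace."""
    n = len(frames)
    for period in range(1, n // min_repeats + 1):
        start = n - period
        while start > 0 and frames[start - 1] == frames[start - 1 + period]:
            start -= 1
        if n - start >= min_repeats * period:
            return start, frames[start:start + period]
    return None

def reentry_point(cycle, app_prefix="coldfusion."):
    """(app_frame, jdk_call): the application frame whose JDK call triggers the next check."""
    p = len(cycle)
    for i, frame in enumerate(cycle):
        if frame.startswith("java.lang.SecurityManager.check"):
            for j in range(i, i + p):  # walk outward through the callers
                if cycle[(j + 1) % p].startswith(app_prefix):
                    return cycle[(j + 1) % p], cycle[j % p]
    return None

# Constructed sample: the 14 recurring frames from the trace above, repeated three times.
SAMPLE = " ".join("at " + f for f in (
    "java.base/java.security.Policy.implies(Policy.java:737)",
    "java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308)",
    "java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340)",
    "java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450)",
    "java.base/java.security.AccessController.checkPermission(AccessController.java:895)",
    "java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)",
    "java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079)",
    "java.base/java.lang.System.getProperty(System.java:788)",
    "coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143)",
    "coldfusion.util.SoftCache.get(SoftCache.java:81)",
    "coldfusion.util.Utils.getCanonicalFile(Utils.java:357)",
    "coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149)",
    "coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109)",
    "java.base/java.security.Policy.getPermissions(Policy.java:684)",
) * 3)

if __name__ == "__main__":
    start, cycle = find_cycle(parse_frames(SAMPLE))
    print(f"cycle of {len(cycle)} frames from index {start}; re-entry: {reentry_point(cycle)}")
```

On the sample, the re-entry pair is `coldfusion.util.SoftCache.get_statsOff` calling `java.lang.System.getProperty`, which is the property read made while the policy is still answering the previous permission check.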
Experiencing the same error behavior as Markus W. and dakota c. on multiple servers with Sandbox Security enabled, Win2016, CF2016u13, Java 11.0.4 & 8.0.231
Vote by Chris D.
32047 | January 15, 2020 07:45:41 PM GMT
Working on updating our servers to CF2018 but won't be able to move into production if this issue exists. Please update us on the status of this issue.
Vote by Miguel F.
32048 | January 16, 2020 01:45:29 PM GMT
We've been seeing this issue since Update 5/Update 12. The jar file fix did not resolve it, nor did Update 6. Turning off Sandbox Security was our only recourse, which is unacceptable. Emails to Adobe support were met with total silence.
Comment by Ken W.
32043 | January 16, 2020 03:48:14 PM GMT
Hello guys, we have tried reproducing this issue at our end but were unable to do so. I will really appreciate it if you guys can share a set of steps that we can follow to repro it at our end. You can feel free to share more information at nimsharm@adobe.com so that we can further investigate this issue. -Nimit
Comment by Nimit S.
32044 | January 16, 2020 03:59:50 PM GMT
Unfortunately, we can't reproduce it on-demand.
Comment by Ken W.
32045 | January 16, 2020 04:07:29 PM GMT
We can't reproduce it on demand either. These stack overflow errors started after applying Update 12 in October and have gotten much worse in the last six weeks since installing Update 13. Our CF2016 Update 13 servers are locked down per the CF lockdown guide. Windows Server 2016 fully patched. Have tried running Java 11.0.2 and 11.0.4 & currently on 8.0.231. Sandbox security is enabled. Multiple defined directories for various applications with the two default directory permissions (untouched) for "ColdFusion CFIDE system directory" and "ColdFusion WEB-INF system directory". I opened a case, 27296, with an excerpt from the coldfusion-error.log that shows after a restart even the default CF script to check for CF updates (http://127.0.0.1:8555/CFIDE/administrator/updates/task/checkupdates.cfm) will generate a stack overflow error.
Comment by Chris D.
32046 | January 16, 2020 05:06:00 PM GMT