000029476 - A Workflow Import fails due to 'A potential SQL injection threat (sql keyword) has been detected' error in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jun 18, 2020. Version 2.

Article Content

Article Number: 000029476
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 6.x, 7.0.0
 
Issue: When importing a workflow into RSA Identity Governance & Lifecycle (Admin > Import/Export > Workflow tab > Import), the import appears to complete, but the imported workflow is not visible under Requests > Workflows > {any tab}.

The following error is logged to the aveksaServer.log file located in $AVEKSA_HOME/wildfly/standalone/log/ for 7.0.0 and $AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/ for 6.x:
 

01/16/2015 10:35:54.242 INFO (http-0.0.0.0-8443-4) [com.aveksa.server.workflow.WorkflowServiceProvider]
Importing workflow archive multPartReq50190.tmp....
01/16/2015 10:35:54.306 INFO (http-0.0.0.0-8443-4) [STDOUT] 2015-01-16 10:35:54,306 [http-0.0.0.0-8443-4]
ERROR com.workpoint.server.pojo.GenericServerBean - A potential SQL injection threat (sql keyword) has been detected at
position 16 of the Filter parameter and so the statement will not be executed. If this is a legitimate request please
restructure this input to eliminate the potential threat. Consider using parameterized queries and bind arrays.

The data in question is: "NAME = 'Create accounts groups'".
01/16/2015 10:35:54.337 ERROR (http-0.0.0.0-8443-4) [com.aveksa.server.workflow.WorkflowServiceProvider]
method=start subTask=Error importing the file /tmp/multPartReq50190.tmp
com.workpoint.server.ejb.WorkPointEJBException: An SQL Exception has occurred. Please see the server logs for details.

at com.workpoint.server.pojo.GenericServerBean.createException(Unknown Source)
at com.workpoint.server.pojo.GenericServerBean.createException(Unknown Source)
at com.workpoint.server.pojo.ProcessPvtBean.queryList(Unknown Source)
at sun.reflect.GeneratedMethodAccessor137.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)

The segment shown below, taken from the aveksaServer.log example above, may differ in your environment:

The data in question is: "NAME = 'Create accounts groups'"

Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly/JBoss cluster or a non-WildFly/JBoss platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
 
Cause: This is a known issue reported in engineering ticket ACM-52120.

The workflow engine rejects the import because it interprets the following string values as malicious SQL injections:
  • Select
  • Drop
  • Create
  • Execute

For example, in the referenced stack trace there is the following line:

01/16/2015 10:35:54.306 INFO (http-0.0.0.0-8443-4) [STDOUT] 2015-01-16 10:35:54,306 [http-0.0.0.0-8443-4]
ERROR com.workpoint.server.pojo.GenericServerBean - A potential SQL injection threat (sql keyword) has been detected at
position 16 of the Filter parameter and so the statement will not be executed. If this is a legitimate request please
restructure this input to eliminate the potential threat.
Consider using parameterized queries and bind arrays.
The data in question is: "NAME = 'Create accounts groups'".

In this line, the "NAME = 'Create accounts groups'" segment refers to the name of the imported workflow. The name contains the word Create and is surrounded by single quotes in the filter. The Workpoint SQL parser treats the word Create as a possible malicious SQL injection and rejects the import as a safety measure.
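As an added illustration (not code from this article or from RSA), the Python below reproduces the behaviour described in this cause: a constructed keyword blacklist rejects the legitimate workflow name "Create accounts groups" because the word Create appears in the filter string, while binding the name as a query parameter, the approach the error message itself recommends, accepts the same name with no keyword check at all. The keyword list, the in-memory SQLite table and all function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed blacklist of the keywords the article lists; the product's real list is not shown.
SQL_KEYWORDS = ("select", "drop", "create", "execute")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

def find_sql_keyword(filter_text):
    """Return (keyword, position) for the first blacklisted word in the raw
    filter string, or None. The check cannot tell a quoted value from SQL
    syntax, which is exactly why it misfires on a workflow name."""
    m = KEYWORD_RE.search(filter_text)
    return None if m is None else (m.group(1).lower(), m.start())

def keyword_filtered_lookup(conn, filter_text):
    """Blacklist approach: refuse the request if a keyword appears anywhere
    in the filter text that is afterwards spliced into the statement."""
    hit = find_sql_keyword(filter_text)
    if hit is not None:
        raise ValueError(f"A potential SQL injection threat ({hit[0]}) has been "
                         f"detected at position {hit[1]} of the Filter parameter")
    rows = conn.execute(f"SELECT name FROM workflows WHERE {filter_text}")
    return [row[0] for row in rows]

def parameterized_lookup(conn, name):
    """Bind the name as a parameter: keywords and quotes inside the value are
    data, not SQL, so no keyword blacklist is needed."""
    rows = conn.execute("SELECT name FROM workflows WHERE name = ?", (name,))
    return [row[0] for row in rows]

def make_db(names):
    """In-memory stand-in for the workflow table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflows (name TEXT)")
    conn.executemany("INSERT INTO workflows VALUES (?)", [(n,) for n in names])
    return conn

def demo(name="Create accounts groups"):
    """Look up one workflow name both ways; returns (blacklist_error, rows)."""
    conn = make_db([name])
    try:
        keyword_filtered_lookup(conn, f"NAME = '{name}'")
        error = None
    except ValueError as exc:
        error = str(exc)
    return error, parameterized_lookup(conn, name)
```

Running `demo()` shows the blacklist error for the name from the log while the parameterized query returns the row; a name without a listed keyword, such as "Review accounts groups", passes both paths.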
 
Resolution: This issue is resolved in the following RSA Identity Governance & Lifecycle patches:
  • RSA Identity Governance & Lifecycle 6.8.1 P24
  • RSA Identity Governance & Lifecycle 6.9.1 P14
  • RSA Identity Governance & Lifecycle 7.0.0 P03
Workaround: Avoid using any SQL keywords or terms in object names.

Examples to avoid:
  • Select
  • Drop
  • Create
  • Execute
Should you encounter this error, rename the object referenced in the error stack so that it does not include a SQL keyword, and export/import the workflow again.