Article Number
000029476
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 6.x, 7.0.0
Issue
When importing a workflow into RSA Identity Governance & Lifecycle (Admin > Import/Export > Workflow tab > Import), the import appears to complete but the imported Workflow is not visible under Requests > Workflows > {any tab}.
The following error is logged to the aveksaServer.log file, located in $AVEKSA_HOME/wildfly/standalone/log/ for 7.0.0 and $AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/ for 6.x:
01/16/2015 10:35:54.242 INFO (http-0.0.0.0-8443-4) [com.aveksa.server.workflow.WorkflowServiceProvider]
Importing workflow archive multPartReq50190.tmp....
01/16/2015 10:35:54.306 INFO (http-0.0.0.0-8443-4) [STDOUT] 2015-01-16 10:35:54,306 [http-0.0.0.0-8443-4]
ERROR com.workpoint.server.pojo.GenericServerBean - A potential SQL injection threat (sql keyword) has been detected at
position 16 of the Filter parameter and so the statement will not be executed. If this is a legitimate request please
restructure this input to eliminate the potential threat. Consider using parameterized queries and bind arrays.
The data in question is: "NAME = 'Create accounts groups'".
01/16/2015 10:35:54.337 ERROR (http-0.0.0.0-8443-4) [com.aveksa.server.workflow.WorkflowServiceProvider]
method=start subTask=Error importing the file /tmp/multPartReq50190.tmp
com.workpoint.server.ejb.WorkPointEJBException: An SQL Exception has occurred. Please see the server logs for details.
at com.workpoint.server.pojo.GenericServerBean.createException(Unknown Source)
at com.workpoint.server.pojo.GenericServerBean.createException(Unknown Source)
at com.workpoint.server.pojo.ProcessPvtBean.queryList(Unknown Source)
at sun.reflect.GeneratedMethodAccessor137.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
The following segment of the aveksaServer.log example above may differ in your environment:
The data in question is: "NAME = 'Create accounts groups'"
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment if you are on a WildFly/JBoss cluster or a non-WildFly/JBoss platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
Cause
This is a known issue reported in engineering ticket ACM-52120.
The workflow engine rejects the import because it interprets the following string values:
as malicious SQL injections.
For example, in the referenced stack trace there is the following line:
01/16/2015 10:35:54.306 INFO (http-0.0.0.0-8443-4) [STDOUT] 2015-01-16 10:35:54,306 [http-0.0.0.0-8443-4]
ERROR com.workpoint.server.pojo.GenericServerBean - A potential SQL injection threat (sql keyword) has been detected at
position 16 of the Filter parameter and so the statement will not be executed. If this is a legitimate request please
restructure this input to eliminate the potential threat.
Consider using parameterized queries and bind arrays.
The data in question is: "NAME = 'Create accounts groups'".
In this line the "NAME = 'Create accounts groups'" segment references the name of the imported workflow. The name contains the word Create and several single quotes. The Workpoint SQL parser interprets the word Create as a possible malicious SQL injection and rejects the import as a safety measure.
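The following Python example, added to this article and not part of the product, models why a keyword-based check on a concatenated filter string flags a legitimate workflow name, and shows the lookup done with a bind parameter instead (the approach the log message itself recommends). The keyword list, the table layout and the sample workflow names are constructed assumptions; the check is a simplified model, not Workpoint's implementation.

```python
import re
import sqlite3

# Simplified model of a keyword-based "SQL injection" check (assumption: not
# Workpoint's real logic). Keyword list is constructed for this example.
SQL_KEYWORDS = ("CREATE", "DROP", "DELETE", "INSERT", "UPDATE", "ALTER", "UNION")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def keyword_check(filter_expr: str):
    """Return (keyword, 1-based position) of the first SQL keyword in the filter
    string, or None. The check cannot tell a keyword that is data (inside the
    quotes of a literal) from one that is part of the statement, so a workflow
    named "Create accounts groups" is rejected as a false positive."""
    m = _KEYWORD_RE.search(filter_expr)
    if m is None:
        return None
    return m.group(1).upper(), m.start() + 1


def build_filter(workflow_name: str) -> str:
    """Build the filter string the way a string-concatenating caller would."""
    return "NAME = '" + workflow_name.replace("'", "''") + "'"


def find_workflow_parameterized(conn: sqlite3.Connection, workflow_name: str):
    """Same lookup with a bind parameter: the name travels as data and is never
    parsed as SQL, so no keyword heuristic is needed and quotes are harmless."""
    return conn.execute(
        "SELECT id, name FROM workflows WHERE name = ?", (workflow_name,)
    ).fetchone()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table holding the workflow name from the log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE workflows (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO workflows (name) VALUES (?)",
        [("Create accounts groups",), ("Review 'admin' access",), ("Onboarding",)],
    )
    return conn


if __name__ == "__main__":
    name = "Create accounts groups"
    print(keyword_check(build_filter(name)))             # ('CREATE', 9): rejected
    print(find_workflow_parameterized(demo_db(), name))  # (1, 'Create accounts groups')
```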
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle patches:
- RSA Identity Governance & Lifecycle 6.8.1 P24
- RSA Identity Governance & Lifecycle 6.9.1 P14
- RSA Identity Governance & Lifecycle 7.0.0 P03
Workaround
Avoid using any SQL keywords or terms in object names.
Examples to avoid:
Should you encounter this error, rename the object referenced in the error stack so that it does not include a SQL keyword, and export/import the workflow again.