0 Replies Latest reply on Jul 25, 2006 8:17 AM by Faeem Ali

    Postgres 8.1.4 and CMP Error: CVE-2006-2313

    Faeem Ali Newbie

      Hi,

      I've developed an application with JBoss AS 4.0.4 and CMP Entity Beans, and Postgres 8.1.0 as the datasource. This works well. Postgres recently released version 8.1.4 as a security update, documented in CVE-2006-2313 and CVE-2006-2314, which covers invalidly escaped UTF-8 data. We've since upgraded to Postgres 8.1.4 as a security measure.

      Since then, I've started picking up errors in queries generated by the JBoss CMP engine under certain conditions, all related to "Text" fields in the database. Enabling debug support in JBoss shows that the query itself is being generated correctly, an example of which is shown below:

      UPDATE scheduler SET status=?, response=? WHERE sched_id=?

      where status is a java.lang.Integer, and response and sched_id are java.lang.String's. However, the query submitted to the database yields numerous exceptions stemming from a UTF-8 problem. I've included a stack trace at the end of this message. Data being inserted into this database is definitely 7-bit ASCII data, which maps directly onto UTF-8 without any problems. My datasource has been explicitly configured to use the UTF-8 encoding, and I'm using the latest JDBC driver.

      I'm not sure exactly what the problem is, or where the problem lies, and I was hoping someone would be able to help out. I suspect that JBossAS is generating a string query that the new Postgres 8.1.4 is not happy with. If so, is there any way to alter the generated code? If not, then any and all other help/suggestions will be appreciated.

      Thanks

      fali

      Documentation for the Postgres problem may be found at:

      http://www.postgresql.org/docs/techdocs.50

      The stack trace is:

      3:23:26,420 DEBUG [SchedulerE] Executing SQL: UPDATE scheduler SET status=?, response=? WHERE sched_id=?
      13:23:26,439 ERROR [LogInterceptor] TransactionRolledbackException in method: public abstract void beans.schedulerebean.interfaces.SchedulerE.saveResponse(java.util.Collection) throws java.rmi.RemoteException, causedBy:
      13:23:26,446 DEBUG [NestedThrowable] org.jboss.util.NestedThrowable.parentTraceEnabled=true
      13:23:26,448 DEBUG [NestedThrowable] org.jboss.util.NestedThrowable.nestedTraceEnabled=false
      13:23:26,448 DEBUG [NestedThrowable] org.jboss.util.NestedThrowable.detectDuplicateNesting=true
      org.jboss.tm.JBossRollbackException: Unable to commit, tx=TransactionImpl:XidImpl[FormatId=257, GlobalId=faximt1.elabco.co.za/189, BranchQual=, localId=189] status=STATUS_NO_TRANSACTION; - nested throwable: (javax.ejb.EJBException: Store failed)
      at org.jboss.tm.TransactionImpl.commit(TransactionImpl.java:372)
      at org.jboss.ejb.plugins.TxInterceptorCMT.endTransaction(TxInterceptorCMT.java:501)
      at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:361)
      at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:181)
      at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
      at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:136)
      at org.jboss.ejb.EntityContainer.internalInvoke(EntityContainer.java:520)
      at org.jboss.ejb.Container.invoke(Container.java:954)
      at sun.reflect.GeneratedMethodAccessor118.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
      at sun.reflect.GeneratedMethodAccessor123.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
      at sun.rmi.transport.Transport$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.rmi.transport.Transport.serviceCall(Unknown Source)
      at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      Caused by: javax.ejb.EJBException: Store failed
      at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreEntityCommand.execute(JDBCStoreEntityCommand.java:158)
      at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreManager.storeEntity(JDBCStoreManager.java:666)
      at org.jboss.ejb.plugins.CMPPersistenceManager.storeEntity(CMPPersistenceManager.java:428)
      at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.storeEntity(CachedConnectionInterceptor.java:273)
      at org.jboss.ejb.EntityContainer.storeEntity(EntityContainer.java:749)
      at org.jboss.ejb.GlobalTxEntityMap$2.synchronize(GlobalTxEntityMap.java:149)
      at org.jboss.ejb.GlobalTxEntityMap$GlobalTxSynchronization.synchronize(GlobalTxEntityMap.java:295)
      at org.jboss.ejb.GlobalTxEntityMap$GlobalTxSynchronization.beforeCompletion(GlobalTxEntityMap.java:345)
      at org.jboss.tm.TransactionImpl.doBeforeCompletion(TransactionImpl.java:1491)
      at org.jboss.tm.TransactionImpl.beforePrepare(TransactionImpl.java:1110)
      at org.jboss.tm.TransactionImpl.commit(TransactionImpl.java:324)
      ... 28 more
      Caused by: org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00
      at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:1525)
      at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1309)
      at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:188)
      at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:452)
      at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:354)
      at org.postgresql.jdbc2.AbstractJdbc2Statement.executeUpdate(AbstractJdbc2Statement.java:308)
      at org.jboss.resource.adapter.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:251)
      at org.jboss.ejb.plugins.cmp.jdbc.JDBCStoreEntityCommand.execute(JDBCStoreEntityCommand.java:150)
      ... 38 more
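
Added example, not part of the original post and not JBoss or PostgreSQL driver code: the innermost PSQLException above names the byte 0x00, which is what a Java String containing the character U+0000 becomes when encoded as UTF-8, and such a character still counts as 7-bit ASCII. The hypothetical helper below checks values for it before they are bound to a text column; the class name, method names and sample values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical pre-bind check for text parameters (illustration only). */
public class NulByteCheck {

    /** Returns the char offsets of every U+0000 in the value (empty if none). */
    static List<Integer> nulOffsets(String value) {
        List<Integer> offsets = new ArrayList<>();
        if (value == null) return offsets;
        for (int i = value.indexOf('\u0000'); i >= 0; i = value.indexOf('\u0000', i + 1)) {
            offsets.add(i);
        }
        return offsets;
    }

    /** True if every char is below 0x80; note that U+0000 passes this test. */
    static boolean isSevenBitAscii(String value) {
        return value.chars().allMatch(c -> c < 0x80);
    }

    public static void main(String[] args) {
        // Constructed sample values standing in for the "response" and "sched_id" parameters.
        // The trailing NULs are an assumption, e.g. text read from a zero-padded buffer.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response", "OK\u0000\u0000");
        params.put("sched_id", "SCHED-0001");

        for (Map.Entry<String, String> p : params.entrySet()) {
            String v = p.getValue();
            byte[] utf8 = v.getBytes(StandardCharsets.UTF_8); // U+0000 encodes as one 0x00 byte
            List<Integer> nuls = nulOffsets(v);
            System.out.printf("%s: ascii=%b utf8Bytes=%d nulOffsets=%s%n",
                    p.getKey(), isSevenBitAscii(v), utf8.length, nuls);
            if (!nuls.isEmpty()) {
                // Decide per field: reject the input, or strip the NULs before setString().
                String cleaned = v.replace("\u0000", "");
                System.out.printf("  cleaned value: \"%s\"%n", cleaned);
            }
        }
    }
}
```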

