• Introducing Dark Mode! Switch by clicking on the lightbulb icon next to Search or by clicking on Default style at the bottom left of the page!

Data Browser blocked when optimized by Riverbed

Has anyone run into Data Browser or any other part of JDE blocking or invalidating a user session because of the tag Riverbeds place in the HTML? Working with a customer that claims based on the JDE and F5 logs that the Riverbed X-RBT-Optimized-By tag that is inserted into the HTTP header by default of any session they optimize is preventing users from access the Data Browser application in JDE.

[SEVERE][HTML88_PD920_8150][RUNTIME]***Security Alert***
Malicious script attack has been detected. The user session will be invalidated.
The parameter Name is:e1.service. The scripts are:ResourceCanonicalsJS"></script><script type="text/javascript" language="JavaScript" src="/jde/share/js/e1.js"></script><script>_e1URLFactory = new E1URLFactory('Servlet','/jde/','/jde/URLBuilderService.mafService?e1UserActInfo=false

I'm trying to find out if this is simply due to a configuration setting in JDE or the F5. I see plenty of blogs talking about optimizing JDE via Riverbed and other products and none talk about needing to do anything special. Any advice available would be appreciated.
 

Alex_Pastuhov

Legendary Poster
Incidentally, I just recently came across JDE components that look through the comms for any malicious stuff, which I found interesting. The same components do additional processing, so disabling it may cause other issues, but I believe they can be disabled.

But no, I do not believe there are any such settings available to toggle this, so it's not a config issue. And disabling these components would probably not be a solution supported by Oracle.

And I suspect there may be more to it than just this one header, because it does not appear to be looking for it specifically. Although admittedly it's not clear what it is exactly it's looking for, so who can say. This could actually be a case of something injecting something malicious into the comms. It's probably worth looking into this deeper.

To get a clean supported solution, you can try logging this with Oracle and see what they can do on their side...
 

TFZ

Active Member
I just opened a ticket for a client as I'm seeing it everywhere. Oracle's not being very helpful as of yet and pointing to the same old doc id for the original "bad char" pasting. That said, I'm about 90% sure its load balancer related and some users reported it happening on log on. I have figured out how to recreate it with about 30% success. Let a session timeout, and just try and log back in and it kicks back to login screen and throws the malicious script detected in the log. Im assuming its because the session cookie times out and they "switch" servers, and whatever is injected in the tag is now bad.

I also had a user report that it happened creating a new grid format in IE 11, but I haven't been able to replicate that one at all.
 

Rob Woods

Member
I am seeing the same items in my logs, but have not had any reports of errors or issues.
We are not using any kind of load balancer, or even using databrowser. Way too many errors for the users to be using data browser.

I have had a user complain about being unable to make a grid width change. I will have to try to see what happens after a timeout.
 

rmkjde

Member
TFZ - thanks for the details, I know I've read this thread a few times in the last couple months!

I have replicated the situation where logging back into E1 9.2 (9.2.2.6) session that has timed out using IE 11 does create the Malicious Script Attack warnings.
Once we went to 9.2 we were also seeing these Malicious Script "warnings" and have done hours of research, testing, table cleanup with Media Objects, testing......time consuming.
Our managed service/hosting provider also put in an SR and has gotten the typical responses as others have also this thread. I will document on our SR and with our MS/HP.

Informational details:
Our sessions were going direct to an IP JAS server (instructing user departments which link to use) and began seeing issues.
We switched to a load balancer and this increased the issue! Plus when on load balancer we were getting users logged into multiple JAS sessions, however, users did not have an initial browser session because of the Invalid State error while user was actually actively working in E1. We switched back to straight IP link and the duplicate sessions have gone away (except for user error), but the Malicious Script "warning" is still happening.

Thanks all for the input and details.
 
Last edited:

rmkjde

Member
Here's the bug number, but you'll have to get a POC if not on 9.2.4.5
Bug 31300510 : MALICIOUS SCRIPT ATTACK HAS BEEN DETECTED
 
Top