Data Browser blocked when optimized by Riverbed

jameshelmly

Member
Has anyone run into Data Browser or any other part of JDE blocking or invalidating a user session because of the tag Riverbeds place in the HTML? Working with a customer that claims based on the JDE and F5 logs that the Riverbed X-RBT-Optimized-By tag that is inserted into the HTTP header by default of any session they optimize is preventing users from access the Data Browser application in JDE.

[SEVERE][HTML88_PD920_8150][RUNTIME]***Security Alert***
Malicious script attack has been detected. The user session will be invalidated.
The parameter Name is:e1.service. The scripts are:ResourceCanonicalsJS"></script><script type="text/javascript" language="JavaScript" src="/jde/share/js/e1.js"></script><script>_e1URLFactory = new E1URLFactory('Servlet','/jde/','/jde/URLBuilderService.mafService?e1UserActInfo=false

I'm trying to find out if this is simply due to a configuration setting in JDE or the F5. I see plenty of blogs talking about optimizing JDE via Riverbed and other products and none talk about needing to do anything special. Any advice available would be appreciated.
 
Incidentally, I just recently came across JDE components that look through the comms for any malicious stuff, which I found interesting. The same components do additional processing, so disabling it may cause other issues, but I believe they can be disabled.

But no, I do not believe there are any such settings available to toggle this, so it's not a config issue. And disabling these components would probably not be a solution supported by Oracle.

And I suspect there may be more to it than just this one header, because it does not appear to be looking for it specifically. Although admittedly it's not clear what it is exactly it's looking for, so who can say. This could actually be a case of something injecting something malicious into the comms. It's probably worth looking into this deeper.

To get a clean supported solution, you can try logging this with Oracle and see what they can do on their side...
 
I just opened a ticket for a client as I'm seeing it everywhere. Oracle's not being very helpful as of yet and pointing to the same old doc id for the original "bad char" pasting. That said, I'm about 90% sure its load balancer related and some users reported it happening on log on. I have figured out how to recreate it with about 30% success. Let a session timeout, and just try and log back in and it kicks back to login screen and throws the malicious script detected in the log. Im assuming its because the session cookie times out and they "switch" servers, and whatever is injected in the tag is now bad.

I also had a user report that it happened creating a new grid format in IE 11, but I haven't been able to replicate that one at all.
 
If Oracle isn't being helpful, is there any hope that this will get fixed any time soon?
 
I am seeing the same items in my logs, but have not had any reports of errors or issues.
We are not using any kind of load balancer, or even using databrowser. Way too many errors for the users to be using data browser.

I have had a user complain about being unable to make a grid width change. I will have to try to see what happens after a timeout.
 
TFZ - thanks for the details, I know I've read this thread a few times in the last couple months!

I have replicated the situation where logging back into E1 9.2 (9.2.2.6) session that has timed out using IE 11 does create the Malicious Script Attack warnings.
Once we went to 9.2 we were also seeing these Malicious Script "warnings" and have done hours of research, testing, table cleanup with Media Objects, testing......time consuming.
Our managed service/hosting provider also put in an SR and has gotten the typical responses as others have also this thread. I will document on our SR and with our MS/HP.

Informational details:
Our sessions were going direct to an IP JAS server (instructing user departments which link to use) and began seeing issues.
We switched to a load balancer and this increased the issue! Plus when on load balancer we were getting users logged into multiple JAS sessions, however, users did not have an initial browser session because of the Invalid State error while user was actually actively working in E1. We switched back to straight IP link and the duplicate sessions have gone away (except for user error), but the Malicious Script "warning" is still happening.

Thanks all for the input and details.
 
Last edited:
Here's the bug number, but you'll have to get a POC if not on 9.2.4.5
Bug 31300510 : MALICIOUS SCRIPT ATTACK HAS BEEN DETECTED
 
Back
Top