Troubleshooting
Problem
Users of Chromium-based browsers might find that they cannot log in to IBM Resilient while non-Chromium browsers can, when IBM Resilient is at a version earlier than v37.2.
Symptom
Affected Chromium-based browsers show the following generic error message: "An error occurred. For additional support, contact your system administrator."
In /usr/share/co3/logs/client.log, a stack trace such as the following appears at the time the user attempts to log in.
08:56:55.210 [http-nio-443-exec-921] ERROR com.co3.web.servlet.Co3ServletFilterBase - Error processing request GET:/rest/session
org.owasp.esapi.errors.IntrusionException: Input validation failure
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:122)
at com.co3.util.esapi.ResilientStringValidationRule.getValid(ResilientStringValidationRule.java:111)
at com.co3.util.esapi.ResilientValidator.getValidInput(ResilientValidator.java:51)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)
at org.owasp.esapi.filters.SecurityWrapperRequest.getHeaders(SecurityWrapperRequest.java:245)
The authentication method (LDAP, SAML, or local authentication) is not relevant.
Cause
Defect RES-19813 was fixed in v37.2 of IBM Resilient as described in v37.2 Corrected Issues.
Chromium-based browsers at version 85 and higher introduced User-Agent Client Hints (UA-CH). The new request headers that these browsers send, such as Sec-CH-UA and Sec-CH-UA-Mobile, are not accepted by earlier versions of IBM Resilient.
Diagnosing The Problem
Look in /usr/share/co3/logs/client.log for a stack trace that looks like this.
08:56:55.210 [http-nio-443-exec-921] ERROR com.co3.web.servlet.Co3ServletFilterBase - Error processing request GET:/rest/session
org.owasp.esapi.errors.IntrusionException: Input validation failure
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:181)
at org.owasp.esapi.reference.DefaultEncoder.canonicalize(DefaultEncoder.java:122)
at com.co3.util.esapi.ResilientStringValidationRule.getValid(ResilientStringValidationRule.java:111)
at com.co3.util.esapi.ResilientValidator.getValidInput(ResilientValidator.java:51)
at org.owasp.esapi.reference.DefaultValidator.getValidInput(DefaultValidator.java:185)
at org.owasp.esapi.filters.SecurityWrapperRequest.getHeaders(SecurityWrapperRequest.java:245)
Can the user log in using a non-Chromium-based browser?
Have the affected user capture a HAR file by following How to generate a HAR file to troubleshoot issues with IBM Resilient. Check the contents of the HAR file, or the request headers in the Chromium-based browser's developer tools, for the Sec-CH-UA and Sec-CH-UA-Mobile headers.
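To check a HAR file for these headers without reading it by hand, the following Python script is an added example (not part of this technote or the product): it lists each request to the given URL path together with the Sec-CH-UA* headers it carries. The embedded HAR, the host resilient.example and the response status codes are constructed for the demonstration.

```python
import json

# Constructed minimal HAR (not a real capture): one request from a Chromium
# browser carrying UA-CH headers, one from a non-Chromium browser.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://resilient.example/rest/session",
                     "headers": [
                         {"name": "sec-ch-ua", "value": '"Chromium";v="90", "Google Chrome";v="90"'},
                         {"name": "sec-ch-ua-mobile", "value": "?0"},
                         {"name": "user-agent", "value": "Mozilla/5.0 ... Chrome/90.0"}]},
         "response": {"status": 500}},
        {"request": {"method": "GET",
                     "url": "https://resilient.example/rest/session",
                     "headers": [
                         {"name": "user-agent", "value": "Mozilla/5.0 ... Firefox/88.0"}]},
         "response": {"status": 200}},
    ]}
})

UA_CH_PREFIX = "sec-ch-ua"  # matches Sec-CH-UA, Sec-CH-UA-Mobile, and other UA-CH headers


def find_ua_ch_requests(har_text, path_filter="/rest/session"):
    """Return (url, status, {header: value}) for every request in the HAR that
    carries User-Agent Client Hints headers. path_filter narrows the search to
    the endpoint named in the client.log error; pass None to inspect all requests."""
    har = json.loads(har_text)
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if path_filter and path_filter not in req["url"]:
            continue
        # Header names in HAR files are case-insensitive; compare lowercased.
        ua_ch = {h["name"]: h["value"] for h in req.get("headers", [])
                 if h["name"].lower().startswith(UA_CH_PREFIX)}
        if ua_ch:
            hits.append((req["url"], entry["response"]["status"], ua_ch))
    return hits


if __name__ == "__main__":
    for url, status, headers in find_ua_ch_requests(SAMPLE_HAR):
        print(f"{status} {url}")
        for name, value in headers.items():
            print(f"    {name}: {value}")
```

Run it against a real capture by replacing SAMPLE_HAR with the file's contents; a request to /rest/session that lists sec-ch-ua headers confirms the browser is sending UA-CH.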
If you upgraded to IBM Resilient server v37.2 or later, you might continue to see Input validation failure messages in client.log when you log in with a Chromium-based browser. RES-24480 has been opened for this issue and is scheduled to be resolved in the next release of the IBM Resilient server.
WARN [] com.co3.web.servlet.Co3ServletRequest - Input validation failure
WARN [] com.co3.web.servlet.Co3ServletRequest - Input validation failure
Resolving The Problem
IBM Resilient Development is aware of the issue and recommends upgrading to at least v37.2 to fix this problem.
You can use a non-Chromium-based browser to successfully log in to IBM Resilient.
Ask your internal support teams whether the new User-Agent Client Hints can be disabled on each browser.
A fix for additional warning messages will be coming in an upcoming release of the product.
Related Information
Document Location
Worldwide
Document Information
Modified date:
19 April 2021
UID
ibm16343305