tracker issue : CF-4205821

Hi Markus, Please apply the attached hot fix to the CF 2016 server. Hot fix: hf201600-4205269.jar MD5: ae528a2362000addf88566e11854a94a   Steps to apply the patch: # Stop CF service # Place the downloaded hot fix inside <cf_install_root>/cfusion/lib/updates # Start CF service *NOTE:* This hot fix has to be applied on top of ColdFusion 2016 Update 2016. Please do let us know if it works for you. -Nimit

Comment by Nimit S.

Is this issue present in ColdFusion 2018 update 5 as well? We've noticed similar behavior that results in a memory leak for Java heap space which has many references to 'coldfusion.security.BasicPolicy'. The threads in where these leaks occur are also hanging on: at java.security.AccessController.doPrivileged(Native Method) Thanks

Comment by dakota c.

This issue is present in ColdFusion 2018 Update 5 and it exhibits the same behavior listed in the stack trace provided above by Markus. Below is an example of this occurring on a CF2018Update5 instance: "ajp-nio-8018-exec-7" runnable at java.io.WinNTFileSystem.getBooleanAttributes(Native Method) at java.io.File.isDirectory(File.java:850) at java.io.File.toURL(File.java:686) at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155) at java.security.AccessController.doPrivileged(Native Method) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.security.Policy.getPermissions(Policy.java:684) at java.security.Policy.implies(Policy.java:737) at java.security.ProtectionDomain.implies(ProtectionDomain.java:321) at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.security.AccessController.checkPermission(AccessController.java:895) at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066) at java.lang.System.getProperty(System.java:810) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.security.Policy.getPermissions(Policy.java:684) at java.security.Policy.implies(Policy.java:737) at java.security.ProtectionDomain.implies(ProtectionDomain.java:321) at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.security.AccessController.checkPermission(AccessController.java:895) at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066) at java.lang.System.getProperty(System.java:810) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.security.Policy.getPermissions(Policy.java:684) at java.security.Policy.implies(Policy.java:737) at java.security.ProtectionDomain.implies(ProtectionDomain.java:321) at java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:353) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.security.AccessController.checkPermission(AccessController.java:895) at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066) at java.lang.System.getProperty(System.java:810) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) This thread was captured while the issue was occurring and before the StackOverflow error occurred.

Comment by dakota c.

I applied the path on thursday last week and restarted the ColdFusion Service. lib\updates\ contains chf20160012.jar and hf201600-4205269.jar and ColdFusion Administrator shows Version 2016.0.12.315717 Update Level C:/ColdFusion2016/cfusion/lib/updates/hf201600-4205269.jar so I assume the patch applied correctly. But yesterday I got again multiple StackOverflowError. This is the first one with some more probably related context with the same timestamp: Nov 12, 2019 1:07:43 PM org.apache.catalina.core.StandardWrapperValve invoke SCHWERWIEGEND: Servlet.service() for servlet [CfmServlet] in context with path [] threw exception [null] with root cause java.lang.StackOverflowError at java.security.AccessController.doPrivileged(Native Method) at java.io.FilePermission.init(FilePermission.java:212) at java.io.FilePermission.<init>(FilePermission.java:299) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.File.isDirectory(File.java:844) at java.io.File.toURL(File.java:686) at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155) at java.security.AccessController.doPrivileged(Native Method) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) [the following 13 lines are repeating again] at java.security.Policy.getPermissions(Policy.java:668) at java.security.Policy.implies(Policy.java:721) at java.security.ProtectionDomain.implies(ProtectionDomain.java:279) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.security.AccessController.checkPermission(AccessController.java:886) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294) at java.lang.System.getProperty(System.java:717) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:134) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:353) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) Nov 12, 2019 1:07:43 PM org.apache.catalina.core.ApplicationDispatcher invoke SCHWERWIEGEND: Servlet.service() for servlet [jsp] threw exception java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:3048) at org.apache.catalina.connector.Request.getSession(Request.java:2481) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231) at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:615) at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:560) at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:137) at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:109) at org.apache.jasper.runtime.JspFactoryImpl.access$000(JspFactoryImpl.java:39) at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:153) at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:126) at java.security.AccessController.doPrivileged(Native Method) at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:58) at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:100) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.GeneratedMethodAccessor74.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:591) at org.apache.catalina.core.ApplicationDispatcher.access$100(ApplicationDispatcher.java:63) at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:117) at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:105) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:518) at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:380) at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:323) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:166) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Nov 12, 2019 1:07:43 PM org.apache.catalina.core.StandardHostValve custom SCHWERWIEGEND: Exception Processing ErrorPage[exceptionType=java.lang.Exception, location=/CFIDE/administrator/templates/errors.jsp] org.apache.jasper.JasperException: javax.servlet.ServletException: java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:598) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:499) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at sun.reflect.GeneratedMethodAccessor74.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:591) at org.apache.catalina.core.ApplicationDispatcher.access$100(ApplicationDispatcher.java:63) at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:117) at org.apache.catalina.core.ApplicationDispatcher$PrivilegedInclude.run(ApplicationDispatcher.java:105) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:518) at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:380) at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:323) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:166) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) Caused by: javax.servlet.ServletException: java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:206) at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:476) ... 40 more Caused by: java.lang.IllegalStateException: Cannot create a session after the response has been committed at org.apache.catalina.connector.Request.doGetSession(Request.java:3048) at org.apache.catalina.connector.Request.getSession(Request.java:2481) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:216) at org.apache.catalina.connector.RequestFacade$GetSessionPrivilegedAction.run(RequestFacade.java:205) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:894) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:231) at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:615) at org.apache.catalina.core.ApplicationHttpRequest.getSession(ApplicationHttpRequest.java:560) at org.apache.jasper.runtime.PageContextImpl.initialize(PageContextImpl.java:137) at org.apache.jasper.runtime.JspFactoryImpl.internalGetPageContext(JspFactoryImpl.java:109) at org.apache.jasper.runtime.JspFactoryImpl.access$000(JspFactoryImpl.java:39) at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:153) at org.apache.jasper.runtime.JspFactoryImpl$PrivilegedGetPageContext.run(JspFactoryImpl.java:126) at java.security.AccessController.doPrivileged(Native Method) at org.apache.jasper.runtime.JspFactoryImpl.getPageContext(JspFactoryImpl.java:58) at org.apache.jsp.CFIDE.administrator.templates.errors_jsp._jspService(errors_jsp.java:100) ... 43 more

Comment by Markus W.

Hi,   Can you please let me know a few things? # How much time before you started seeing the errors again after applying the patch? # I am assuming your environment is Sandboxed? # What kind of loads are you hitting to this sandboxed environment? # Is there any particular CFM which is being called a lot of times?   Thanks, Kailash

Comment by Kailash B.

> # How much time before you started seeing the errors again after applying the patch? About 5 days (including the weekend when probably no one accessed it). > # I am assuming your environment is Sandboxed? Yes, we have enabled Sandbox Security with a single sandbox for the whole "wwwroot" directory (plus the unmodified default ones for CFIDE and WEB-INF). > # What kind of loads are you hitting to this sandboxed environment? I tested it on an internal development machine, so there's frequent load from few users during office time but no really high load. I also get those errors every few days on my local development machine, which is rebooted daily, is only accessed by me (so very low load) and runs on Linux – but that's still without the patch! > # Is there any particular CFM which is being called a lot of times? There are some CFM which are called very often compared to others. But I've seen the error on those and also others which are called only a few times a day – and even the ColdFusion Administrator start page when it was called the first time after probably several days. I don't know where it occured in the log from Nov 12 – I didn't get an error report but found it only in the log file and there's no reference to one of "our" files in it.

Comment by Markus W.

This issue is still occurring in ColdFusion 2018 Update 6. Here is the error we experienced for reference: Caused by: java.lang.StackOverflowError at java.base/java.io.FilePermission.init(FilePermission.java:344) at java.base/java.io.FilePermission.<init>(FilePermission.java:477) at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:674) at java.base/java.io.File.isDirectory(File.java:845) at java.base/java.io.File.toURL(File.java:686) at coldfusion.security.BasicPolicy$1.run(BasicPolicy.java:155) at java.base/java.security.AccessController.doPrivileged(Native Method) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:151) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) at coldfusion.security.BasicPolicy.getPermissions(BasicPolicy.java:109) at java.base/java.security.Policy.getPermissions(Policy.java:684) at java.base/java.security.Policy.implies(Policy.java:737) at java.base/java.security.ProtectionDomain.implies(ProtectionDomain.java:308) at java.base/java.security.ProtectionDomain.impliesWithAltFilePerm(ProtectionDomain.java:340) at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) at java.base/java.security.AccessController.checkPermission(AccessController.java:895) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335) at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1079) at java.base/java.lang.System.getProperty(System.java:788) at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:143) at coldfusion.util.SoftCache.get(SoftCache.java:81) at coldfusion.util.Utils.getCanonicalFile(Utils.java:357) at coldfusion.security.BasicPolicy.getPermissionCollection(BasicPolicy.java:149) I updated ColdFusion case# 24430 regarding this issue and included the exception.log file from the server this issue is occurring on.

Comment by dakota c.

Experiencing the same error behavior as Markus W. and dakota c. on multiple servers with Sandbox Security enabled, Win2016, CF2016u13, Java 11.0.4 & 8.0.231

Vote by Chris D.

Working on updating our servers to CF2018 but won't be able to move into production if this issue exists. Please update us on the status of this issue.

Vote by Miguel F.

We've been seeing this issue Since Update 5/Update12. The jar file fix did not resolve it nor did Update 6. Turning off Sandbox Security was our only recourse which is unacceptable. Emails to Adobe support were met with total silence.

Comment by Ken W.

Hello Guys, We have tried reproducing this issue at our end but unable to do so. I will really appreciate if you guys can share set of steps that we can follow to repro it at our end.  You can feel free to share more information @ [nimsharm@adobe.com|mailto:nimsharm@adobe.com] so that we can further investigate this issue. -Nimit

Comment by Nimit S.

Unfortunately, we can't reproduce it on-demand.

Comment by Ken W.

We can't reproduce it on demand either. These stack overflow errors started after applying Update 12 in October and has gotten much worse in the last six weeks since installing Update 13. Our CF2016 Update 13 servers are locked down per the CF lockdown guide. Windows Server 2016 fully patched. Have tried running Java 11.0.2 and 11.0.4 & currently on 8.0.231 Sandbox security is enabled. Multiple defined directories for various applications with the two default directory permissions (untouched) for "ColdFusion CFIDE system directory" and "ColdFusion WEB-INF system directory". I opened a case, 27296, with an excerpt from the coldfusion-error.log that shows after a restart even the default CF script to check for CF updates (http://127.0.0.1:8555/CFIDE/administrator/updates/task/checkupdates.cfm) will generate a stack overflow error.

Comment by Chris D.

Just an update. Priyank sent me a new hotfix (hf201600-4205821.jar) a couple weeks ago and after applying it, I'm no longer seeing stack overflow issues with any of my servers. :)

Comment by Chris D.

I have now seen this a couple of times on a server we recently upgraded to ColdFusion 2018 Update 8. Does the same fix apply to this version? When will the fix be included in an update?

Comment by Miguel F.