Summary
An issue exists in the CLIENT process which may cause the HTTP "Authorization" header to be corrupted. This is indicated when the value of the header is filled with the 'Z' or 'f' character. When this occurs the web service will typically return a 401 or 400 error on a request that should normally succeed.
Advisory Release Date
September 5, 2020
Affected Versions
- 1.0.4+
- 1.1.0+
Fixed Versions
- 1.1.0.1
- 1.1.2.1
- 1.2.0+
Background
This issue may occur in the following scenario:
- In order to improve performance, the CLIENT process maintains an internal pool of persistent connections to the web service provider. The web service provider may terminate these connections at any time.
- Under certain conditions, the CLIENT process may attempt to reuse one of these pooled connections before receiving an indication from the TCP/IP stack or HTTP protocol that the connection has been terminated.
- The CLIENT process determines that the connection has been terminated when the send request fails, disposes of the existing connection, and creates a new connection.
- When disposing of the existing connection, the value of the Authorization header is sanitized. When the request is retried on the new connection, CLIENT sends the Authorization header with the sanitized value instead of the correct value.
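A simplified model of the retry failure described above, added here as an illustration; it is not the CLIENT program's code. It assumes the request and the pooled connection share one header buffer, which the advisory does not state. All function and struct names are hypothetical, the token is a constructed sample, and the private-copy variant is one possible fix, not necessarily the vendor's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: none of these names come from the CLIENT program. */
struct conn { char *auth; int owns_auth; };
/* shared=1 models the assumed defect: the connection borrows the request's
   buffer. shared=0 models one possible fix: it scrubs a private copy. */
static void attach(struct conn *c, char *req_auth, int shared) {
    c->owns_auth = !shared;
    c->auth = shared ? req_auth : malloc(strlen(req_auth) + 1);
    if (c->auth == NULL) abort();
    if (!shared) strcpy(c->auth, req_auth);
}

/* Dispose overwrites the credential so it does not linger in memory. */
static void dispose(struct conn *c) {
    memset(c->auth, 'Z', strlen(c->auth));
    if (c->owns_auth) free(c->auth);
    c->auth = NULL;
}

/* The peer already closed the pooled connection: the send fails, it is disposed,
   and the retry's Authorization value (as put on the wire) is written to out. */
void send_with_retry(char *req_auth, int shared, char *out, size_t outlen) {
    struct conn pooled, fresh;
    attach(&pooled, req_auth, shared);
    dispose(&pooled);                    /* send failed: scrub happens here */
    attach(&fresh, req_auth, shared);    /* retry re-reads the request value */
    snprintf(out, outlen, "%s", fresh.auth);
    dispose(&fresh);
}

/* Detection check: the value is one filler character, 'Z' or 'f', repeated. */
int looks_scrubbed(const char *v) {
    if (v[0] != 'Z' && v[0] != 'f') return 0;
    for (size_t i = 1; v[i] != '\0'; i++)
        if (v[i] != v[0]) return 0;
    return 1;
}

int main(void) {
    char out[64];
    char a[] = "Bearer constructed-token", b[] = "Bearer constructed-token"; /* sample */
    send_with_retry(a, 1, out, sizeof out);
    printf("shared buffer: %s\n", out);
    send_with_retry(b, 0, out, sizeof out);
    printf("private copy:  %s\n", out);
    return 0;
}
```

The same check as looks_scrubbed can be applied to logged request headers on the client side to confirm whether a 401 or 400 response matches this issue.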
Status
A hotfix is available for this issue for the following releases:
- 1.1.0
- 1.1.2
Once the hotfix is installed, the issue will not occur.
Note that this hotfix is only for the releases listed. If you would like a hotfix prepared for another release, please open a support case and let us know the release you're using.
Hotfix Installation
Install the hotfix by following these steps:
- Download the hotfix PAK file using the link below and transfer the file to your NonStop system using binary transfer.
  - For 1.1.0:
    - For TNS/E: hf1101e.pak
    - For TNS/X: hf1101x.pak
  - For 1.1.2:
    - For TNS/E: hf1121e.pak
    - For TNS/X: hf1121x.pak
- Unpak the hotfix PAK file, which contains the following file:
  - CLIENT - The CLIENT process program file.
- Stop any existing CLIENT processes.
- Replace the existing CLIENT program file with the hotfix CLIENT program file.
- Restart the CLIENT processes.
The VPROC for this hotfix is:
- 1.1.0.1
  - TNS/E - T0000H06_05SEP2020_NuWave_LWC_1_1_0_1_H_9fe15b87
  - TNS/X - T0000L06_05SEP2020_NuWave_LWC_1_1_0_1_H_9fe15b87
- 1.1.2.1
  - TNS/E - T0000H06_17SEP2020_NuWave_LWC_1_1_2_1_H_988a5ff2
  - TNS/X - T0000L06_17SEP2020_NuWave_LWC_1_1_2_1_H_988a5ff2