https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
--- Comment #5 from Jerome Terry <jerome.l.te...@gmail.com> ---

I have experienced what appears to be the same issue on Ubuntu 14.04 with Tomcat 7.0.52. Here's a link to tweets containing the diagnostics I performed.

https://twitter.com/jeromeleoterry/status/831865811962908672

In my use case, a Nessus scan on ports 8080 and 8009 was triggering the CPU to get maxed out. I was able to reproduce this issue in a QA environment with no load applied to the Tomcat, then triggered a Nessus scan. Nessus scan with only the HTTPS connector enabled didn't trigger the CPU staking at 100%.

I ran strace and the bulk of the time was being spent in futex. I also ran Linux perf, and AbstractHttp11Processor.process was consuming 49.91% of CPU, while AbstractInputBuffer.nextRequest was consuming 50.06% of the CPU.

In Catalina.out, I saw the error messages "Invalid message received with signature" and "Error parsing HTTP request header".

This is a nasty one. A security scan on port 8080 or 8009 can trigger all cores to max out, which is a simple way of doing a denial of service attack.