[ 
https://issues.apache.org/jira/browse/IGNITE-11426?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gabriel Jimenez updated IGNITE-11426:
-------------------------------------
    Description: 
{{*Problem Statement*: The DiscoverySPI and CommunicationSPI have components 
that listen on open ports (Various GridNIOServer(Communication) and 
SocketReader(Discovery) instances). These open ports result in a vulnerability 
to denial of service attacks. Even more concerning is the fact that the 
rejection behavior for GridNIOServer relies on asserting instanceof for the 
incoming message (subsequently throwing an exception on failed assertion). This 
is relatively costly computationally, and can lead to OutOfMemory issues for 
the node JVM. Additionally, the exception is not properly handled by the 
GridNIOServer instances, and can result in error messages:}}
{quote}{{[ERROR] [grid-nio-worker-client-listener-0-#110|#110] ClientListenerProcessor - Closing NIO session because of unhandled exception.
org.apache.ignite.IgniteCheckedException: Invalid handshake message
    at org.apache.ignite.internal.processors.odbc.ClientListenerNioServerBuffer.read(ClientListenerNioServerBuffer.java:115) ~[bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.processors.odbc.ClientListenerBufferedParser.decode(ClientListenerBufferedParser.java:60) ~[bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.processors.odbc.ClientListenerBufferedParser.decode(ClientListenerBufferedParser.java:40) ~[bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioCodecFilter.onMessageReceived(GridNioCodecFilter.java:114) ~[bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioFilterAdapter.proceedMessageReceived(GridNioFilterAdapter.java:109) ~[bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioServer$HeadFilter.onMessageReceived(GridNioServer.java:3490) ~[bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioFilterChain.onMessageReceived(GridNioFilterChain.java:175) ~[bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioServer$ByteBufferNioClientWorker.processRead(GridNioServer.java:1113) [bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioServer$AbstractNioClientWorker.processSelectedKeysOptimized(GridNioServer.java:2339) [bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioServer$AbstractNioClientWorker.bodyInternal(GridNioServer.java:2110) [bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.nio.GridNioServer$AbstractNioClientWorker.body(GridNioServer.java:1764) [bdp-ignite-core-2.6.0.jar:2.6.0]
    at org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:110) [bdp-ignite-core-2.6.0.jar:2.6.0]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_172]}}
{quote}
 

Relevant Lines:
 
[https://github.com/apache/ignite/blob/ignite-2.6/modules/core/src/main/java/org/apache/ignite/spi/communication/tcp/TcpCommunicationSpi.java#L483]

[https://github.com/apache/ignite/blob/ignite-2.6/modules/core/src/main/java/org/apache/ignite/spi/communication/tcp/TcpCommunicationSpi.java#L541]

 

*Solution*: On our internal build we opted to replace the assert statements 
with conditionals to simply close the session and log a warning if the incoming 
message isn't of the expected type. This approach is present throughout other 
parts of the codebase, thus it seemed fitting.


> Denial of Service Attack Vulnerability
> --------------------------------------
>
>                 Key: IGNITE-11426
>                 URL: https://issues.apache.org/jira/browse/IGNITE-11426
>             Project: Ignite
>          Issue Type: Bug
>    Affects Versions: 2.6
>            Reporter: Gabriel Jimenez
>            Priority: Critical



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
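
The change described under *Solution*, shown as an added Java example that is neither Ignite's code nor the reporter's patch: an assert-based type check on the first message of a session next to a conditional that closes the session and logs a warning. `Session`, `HandshakeMessage` and both handler methods are hypothetical stand-ins, and the sample inputs are constructed.

```java
import java.util.logging.Logger;

// Hypothetical stand-ins for a NIO session and the expected first message; not Ignite classes.
public class HandshakeGuard {
    private static final Logger LOG = Logger.getLogger("HandshakeGuard");

    static final class Session {
        final String remote;
        boolean closed;
        Session(String remote) { this.remote = remote; }
        void close() { closed = true; }
    }

    static final class HandshakeMessage {
        final String nodeId;
        HandshakeMessage(String nodeId) { this.nodeId = nodeId; }
    }

    // Assert-based rejection: with -ea an unexpected type throws AssertionError (an Error,
    // not an Exception) and fills in a stack trace; without -ea the check is skipped and
    // the cast below throws ClassCastException instead. The session is never closed here.
    static String onMessageAssert(Session ses, Object msg) {
        assert msg instanceof HandshakeMessage : "Unexpected message: " + msg;
        return ((HandshakeMessage) msg).nodeId;
    }

    // Conditional rejection: no throwable is created; the session is closed and a warning
    // is logged with the type name only, never the untrusted payload.
    static String onMessageChecked(Session ses, Object msg) {
        if (!(msg instanceof HandshakeMessage)) {
            LOG.warning("Closing session, unexpected first message from " + ses.remote
                + ": " + (msg == null ? "null" : msg.getClass().getName()));
            ses.close();
            return null;
        }
        return ((HandshakeMessage) msg).nodeId;
    }

    public static void main(String[] args) {
        Object garbage = new byte[] {0x47, 0x45, 0x54}; // constructed non-handshake input
        Session a = new Session("203.0.113.7:50100");    // constructed sample peer address
        try {
            onMessageAssert(a, garbage);
        } catch (AssertionError | ClassCastException e) {
            System.out.println("assert path threw " + e.getClass().getSimpleName() + ", closed=" + a.closed);
        }
        Session b = new Session("203.0.113.7:50101");
        System.out.println("checked path returned " + onMessageChecked(b, garbage) + ", closed=" + b.closed);
        System.out.println(onMessageChecked(new Session("198.51.100.2:47100"), new HandshakeMessage("node-1")));
    }
}
```

Running it with and without `-ea` shows the two different throwables on the assert path. On a port reachable by untrusted peers, the warning in the checked path is worth rate-limiting so the log does not become the next resource to exhaust.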