Your message dated Sat, 18 Feb 2017 23:32:20 +0000
with message-id <[email protected]>
and subject line Bug#854551: fixed in tomcat7 7.0.56-3+deb8u8
has caused the Debian Bug report #854551,
regarding tomcat7: Remote https GET requests to Tomcat7 with default config cause server cpu to jump 100% forever
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
854551: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tomcat7
Version: 7.0.56-3+deb8u7
Severity: important

Dear Maintainer,

Sending a simple https GET request to Tomcat 7 on Debian 8 with the default configuration makes the CPU jump to 100% and stay there for hours, making the server slow.
If I restart the Tomcat server, the CPU goes back to 1%.
No custom java applications are installed on tomcat.

Logs: Watching catalina.out, I found this error message at the moment the CPU spike starts: org.apache.coyote.http11.AbstractHttp11Processor process INFO: Error parsing HTTP request header

How to replicate:
- Create a Debian 8 VM Instance on Google Compute Engine
- sudo apt-get update
- sudo apt-get upgrade
- sudo apt-get install tomcat7 apache2
- open a browser and go to https://serverip:8080; the server CPU starts going to 100% and stays there for hours.

I'm using a fresh Debian 8 default image from Google Compute Engine, but it's possible that the bug happens with physical machines too.

This can be a security issue because it's possible to DDoS a server with Tomcat7 and Debian 8 simply by sending remote https requests.

Searching on the web, I found this bug report; maybe it can be useful, maybe not:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57544

Installing the Debian backports version of Tomcat 7.0.75 solves the issue, but it would be great if this issue could be solved on stable too.

Best Regards
Marco


-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat7 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat7-common         7.0.56-3+deb8u7
ii  ucf                    3.0030

Versions of packages tomcat7 recommends:
ii  authbind  2.1.1

Versions of packages tomcat7 suggests:
pn  libtcnative-1     <none>
pn  tomcat7-admin     <none>
pn  tomcat7-docs      <none>
pn  tomcat7-examples  <none>
pn  tomcat7-user      <none>

-- Configuration Files:
/etc/tomcat7/catalina.properties [Errno 13] Permission denied: u'/etc/tomcat7/catalina.properties'
/etc/tomcat7/context.xml [Errno 13] Permission denied: u'/etc/tomcat7/context.xml'
/etc/tomcat7/logging.properties [Errno 13] Permission denied: u'/etc/tomcat7/logging.properties'
/etc/tomcat7/policy.d/01system.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/01system.policy'
/etc/tomcat7/policy.d/02debian.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/02debian.policy'
/etc/tomcat7/policy.d/03catalina.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/03catalina.policy'
/etc/tomcat7/policy.d/04webapps.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/04webapps.policy'
/etc/tomcat7/policy.d/50local.policy [Errno 13] Permission denied: u'/etc/tomcat7/policy.d/50local.policy'
/etc/tomcat7/server.xml [Errno 13] Permission denied: u'/etc/tomcat7/server.xml'
/etc/tomcat7/tomcat-users.xml [Errno 13] Permission denied: u'/etc/tomcat7/tomcat-users.xml'
/etc/tomcat7/web.xml [Errno 13] Permission denied: u'/etc/tomcat7/web.xml'

-- debconf information:
tomcat7/javaopts: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
  tomcat7/groupname: tomcat7
  tomcat7/username: tomcat7

--- End Message ---
--- Begin Message ---
Source: tomcat7
Source-Version: 7.0.56-3+deb8u8

We believe that the bug you reported is fixed in the latest version of
tomcat7, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated tomcat7 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Feb 2017 10:16:57 +0100
Source: tomcat7
Binary: tomcat7-common tomcat7 tomcat7-user libtomcat7-java libservlet3.0-java libservlet3.0-java-doc tomcat7-admin tomcat7-examples tomcat7-docs
Architecture: source all
Version: 7.0.56-3+deb8u8
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
 libservlet3.0-java - Servlet 3.0 and JSP 2.2 Java API classes
 libservlet3.0-java-doc - Servlet 3.0 and JSP 2.2 Java API documentation
 libtomcat7-java - Servlet and JSP engine -- core libraries
 tomcat7    - Servlet and JSP engine
 tomcat7-admin - Servlet and JSP engine -- admin web applications
 tomcat7-common - Servlet and JSP engine -- common files
 tomcat7-docs - Servlet and JSP engine -- documentation
 tomcat7-examples - Servlet and JSP engine -- example web applications
 tomcat7-user - Servlet and JSP engine -- tools to create user instances
Closes: 854551
Changes:
 tomcat7 (7.0.56-3+deb8u8) jessie-security; urgency=high
 .
   * Team upload.
   * Add BZ57544-infinite-loop.patch: It was found that https GET requests could
     trigger an infinite loop and thus cause a denial-of-service.
     (Closes: #854551)
Checksums-Sha1:
 befc5ba2d5cbe49f31db903e7d1e244ac32d1fae 2925 tomcat7_7.0.56-3+deb8u8.dsc
 e59a76d0b1eaef9f920081ca50aff93db01375aa 90828 tomcat7_7.0.56-3+deb8u8.debian.tar.xz
 1191daab4f6acd6457735962b829507238be47ea 63812 tomcat7-common_7.0.56-3+deb8u8_all.deb
 d90e5e6f52b231296ec52c88e1c971cfbebec66a 52752 tomcat7_7.0.56-3+deb8u8_all.deb
 5eedecc075b8098ae988de33c84f8d3669894a99 40176 tomcat7-user_7.0.56-3+deb8u8_all.deb
 9f8cbfd2e24ccabf4696387f916964bc907f83dc 3629222 libtomcat7-java_7.0.56-3+deb8u8_all.deb
 fff215d4f7d1c24ec5dc879105d32aaca014236d 316142 libservlet3.0-java_7.0.56-3+deb8u8_all.deb
 b49538a9da16f8f96ec662d8627014df5e007c15 206280 libservlet3.0-java-doc_7.0.56-3+deb8u8_all.deb
 99b94b5fd37509c13b3b24ca84019eb32b1cdf65 41164 tomcat7-admin_7.0.56-3+deb8u8_all.deb
 8d4ddbc441735afb29fe5c0aad081f9e48347b80 199268 tomcat7-examples_7.0.56-3+deb8u8_all.deb
 765fa23a9d3bd9820e03bb4a9ddacf2ab6acabd7 605392 tomcat7-docs_7.0.56-3+deb8u8_all.deb
Checksums-Sha256:
 530dbe859f764c7d31cd6bc510b19072ee1ab7ac50349ace47523506ab042363 2925 tomcat7_7.0.56-3+deb8u8.dsc
 e9412b78ec6bd59e90519a2b96546d810b07b99e0e2153228f039b999f4296a2 90828 tomcat7_7.0.56-3+deb8u8.debian.tar.xz
 fbffa9d377703e2163fd757e00808c21ce35601e967f702e19dad4e6a3c48ae2 63812 tomcat7-common_7.0.56-3+deb8u8_all.deb
 0d6c58d9a34bdb5b8b4a86a05d2dad554a0b877bed7786ead8d0fa71aa59aa5f 52752 tomcat7_7.0.56-3+deb8u8_all.deb
 3a5c1902934141b144d22e18d78574f5399b830ad2bf297f8dadc2a65371f873 40176 tomcat7-user_7.0.56-3+deb8u8_all.deb
 fdb8c3a15cc1bbf22dcbd6db1b00e7f2bde6cd2b4dd6ba8e4b2c243f22d83d32 3629222 libtomcat7-java_7.0.56-3+deb8u8_all.deb
 1f7bfc95bdbe9d0305b5bebbf162c21eb7d5c71857d8bdbd77a948a88d2e814c 316142 libservlet3.0-java_7.0.56-3+deb8u8_all.deb
 9a018fc5469de006dff0fd6f97bec395016ad88804f544ffc8c58fd11417733d 206280 libservlet3.0-java-doc_7.0.56-3+deb8u8_all.deb
 46c912cdda7f7fcf84f667f8fb6098e60c05000de9b1a14390a7f77c57fa3a6c 41164 tomcat7-admin_7.0.56-3+deb8u8_all.deb
 46f20146f7895699449b80f8d499aaa9d18a18746c0fe31f6a3865c92d92008b 199268 tomcat7-examples_7.0.56-3+deb8u8_all.deb
 52c6f3aeb7f72e89f01a04e598e857c4a21a119acfa8d829b09bfc8f364559aa 605392 tomcat7-docs_7.0.56-3+deb8u8_all.deb
Files:
 be58b19b53e9479b9673514b5da5805e 2925 java optional tomcat7_7.0.56-3+deb8u8.dsc
 c46738f9819bd98168c0e8a636f2f4f3 90828 java optional tomcat7_7.0.56-3+deb8u8.debian.tar.xz
 36672cebe8345d04211526612cd8f80c 63812 java optional tomcat7-common_7.0.56-3+deb8u8_all.deb
 041c6429f9136a8a421a199d845ea37e 52752 java optional tomcat7_7.0.56-3+deb8u8_all.deb
 77025f6e109ae19267303449b0b690a4 40176 java optional tomcat7-user_7.0.56-3+deb8u8_all.deb
 aea0d0c217199b7c7f0341b9f4f14965 3629222 java optional libtomcat7-java_7.0.56-3+deb8u8_all.deb
 a993b23e45f715f54c93d09ae73d06d4 316142 java optional libservlet3.0-java_7.0.56-3+deb8u8_all.deb
 68879b9b847ef95a85f3c6fd2c6da6a1 206280 doc optional libservlet3.0-java-doc_7.0.56-3+deb8u8_all.deb
 e46f05bfa04f4c0c95369aa7ba6be932 41164 java optional tomcat7-admin_7.0.56-3+deb8u8_all.deb
 88cc6e98507ac2525873cb7aeac6e017 199268 java optional tomcat7-examples_7.0.56-3+deb8u8_all.deb
 d5e205cb8a524a30c8aa8332c1795523 605392 doc optional tomcat7-docs_7.0.56-3+deb8u8_all.deb


--- End Message ---