https://bz.apache.org/bugzilla/show_bug.cgi?id=68500
Bug ID: 68500
Summary: Insecure SSL connection (TLS 1.1) occurs when sending a heartbeat packet in k8s Tribes
Product: Tomcat 9
Version: 9.0.52
Hardware: Other
OS: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Cluster
Assignee: dev@tomcat.apache.org
Reporter: army...@naver.com
Target Milestone: -----

Hello. I'm Jongpo Kim in South Korea.

This vulnerability report is about Tomcat (version 9 and above) clustering in a k8s container.

First, my environment information is below.

*Environment Information*
----------------------------------------------------------------------
Platform        : Kubernetes version 1.26 in GKE (1.26.6-gke.1700)
Container Image : tomee:8-jre-8.0.8-plume
Tomcat          : 9.0.52.0
JAVA Version    : jdk1.8.0.392-8
Used Apache Module
----------------------------------------------------------------------

*I used the Tomcat components below*
----------------------------------------------------------------------
- GitHub     : https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.java
- Apache Doc : https://tomcat.apache.org/tomcat-10.0-doc/api/org/apache/catalina/tribes/membership/cloud/KubernetesMembershipProvider.html
----------------------------------------------------------------------

When I provision Tomcat clustering for session replication with the "KubernetesMembershipProvider", the serious error below occurs.

*Error log in catalina.out*
---------------------------------------------------------------------
Jan 12, 2024 5:02:54 PM sun.reflect.DelegatingMethodAccessorImpl invoke
SEVERE: Unable to send heartbeat through Tribes interceptor stack. Will try to sleep again.
java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Unsupported protocol TLSv1.1
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.util.concurrent.FutureTask.get(FutureTask.java:192)
        at org.apache.catalina.tribes.group.GroupChannel.startHeartbeat(GroupChannel.java:513)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: Unsupported protocol TLSv1.1
        at sun.security.ssl.ProtocolVersion.namesOf(ProtocolVersion.java:283)
        at sun.security.ssl.SSLSocketImpl.setEnabledProtocols(SSLSocketImpl.java:345)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:463)
----------------------------------------------------------------------

After troubleshooting, I found some vulnerable code in the module.

The *KubernetesMembershipProvider.class* uses *TokenStreamProvider.class*
(https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/tribes/membership/cloud/TokenStreamProvider.java).

This code tells us that the heartbeat packet is sent with a context created with *getInstance("TLS")*:

line 35 : SSLContext context = SSLContext.getInstance("TLS");

It could be set statically using SSLContext.getInstance("TLSv1.2").

I know that Java 1.8 uses TLSv1.2 as the default, but it doesn't use version 1.2 in this case. As you know, TLS v1.1 is not supported anymore by common endpoints. This Java module needs to communicate with the kubelet API. This module must be upgraded to use TLS 1.2 or above.

* reference : https://stackoverflow.com/questions/43481010/how-to-enable-only-tlsv1-2-on-java-8-server-application

What I tried:
-------------------------------------------------------------
$CATALINA_OPTS -Dhttps.protocols=TLSv1.2
$JAVA_OPTS -Dhttps.protocols=TLSv1.2
-------------------------------------------------------------
So I can see that the Java options above are enabled properly in catalina.log at startup. But the KubernetesMembershipProvider still uses TLS 1.1.

Thank you.
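As an added example (not Tomcat's own code), a small Java check and a hardened alternative to the quoted SSLContext.getInstance("TLS") line: it prints the JDK's jdk.tls.disabledAlgorithms security property and the protocols a "TLS" context enables by default, then wraps the context's socket factory so every client socket is pinned to TLSv1.2/1.3. The allow-list is filtered against what the runtime supports so that setEnabledProtocols() cannot throw the "Unsupported protocol" IllegalArgumentException seen in the trace; the class names TlsProtocolCheck and PinnedProtocolFactory are my own.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsProtocolCheck {
    // Hardened alternative: delegate to the real factory but pin every socket
    // it creates to an allow-list, so the client never offers TLS 1.0/1.1.
    static final class PinnedProtocolFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate;
        private final String[] allowed;
        PinnedProtocolFactory(SSLSocketFactory delegate, String... allowed) {
            this.delegate = delegate; this.allowed = allowed;
        }
        private Socket pin(Socket raw) {
            SSLSocket s = (SSLSocket) raw;
            // Intersect with what this runtime supports first: setEnabledProtocols()
            // throws IllegalArgumentException("Unsupported protocol ...") otherwise.
            List<String> supported = Arrays.asList(s.getSupportedProtocols());
            List<String> enable = new ArrayList<>();
            for (String p : allowed) if (supported.contains(p)) enable.add(p);
            if (enable.isEmpty()) throw new IllegalStateException("no allowed protocol is supported");
            s.setEnabledProtocols(enable.toArray(new String[0]));
            return s;
        }
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean auto) throws IOException { return pin(delegate.createSocket(s, h, p, auto)); }
        @Override public Socket createSocket(String h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(h, p, l, lp)); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(h, p, l, lp)); }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        SSLContext ctx = SSLContext.getInstance("TLS");   // the line quoted from TokenStreamProvider
        ctx.init(null, null, null);                       // default key/trust managers
        System.out.println("enabled by default: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        SSLSocketFactory pinned = new PinnedProtocolFactory(ctx.getSocketFactory(), "TLSv1.3", "TLSv1.2");
        // Install on the client, e.g. HttpsURLConnection.setSSLSocketFactory(pinned).
    }
}
```

Comparing the printed default list with the disabledAlgorithms property on the affected JDK shows which versions the client would actually offer; the pinned factory makes that explicit in code rather than relying on the https.protocols system property.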