Bug#851304: Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-20 Thread Markus Koschany
On 20.02.2017 17:45, Salvatore Bonaccorso wrote:
[...]
> Sorry for the delay (due to various circumstances). The fix looks sane
> to me. Assuming the fix could have been tested as well, please do
> upload to security-master.
> 

Hi,

no problem. I have just uploaded both packages to security-master.

Cheers,

Markus




This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.

Bug#851304: Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-20 Thread Salvatore Bonaccorso
Hi Markus,

On Sat, Feb 18, 2017 at 07:53:33PM +0100, Markus Koschany wrote:
> On 18.02.2017 13:21, Salvatore Bonaccorso wrote:
> [...]
> > No problem. Thanks for noticing, can you let us know as usual when you
> > have a debdiff ready for the regression update?
> > 
> > I tend to see this as regression update for the previous DSA, so no
> > need for a new CVE id. But let me know if someone thinks otherwise and
> > I can followup with MITRE.
> > 
> > Thanks for your continuous work,
> 
> I agree this is a regression update. Please find attached the debdiffs
> for Tomcat 7 and Tomcat 8.

Sorry for the delay (due to various circumstances). The fix looks sane
to me. Assuming the fix could have been tested as well, please do
upload to security-master.

Regards and thanks for your work,
Salvatore



Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-18 Thread Markus Koschany
On 18.02.2017 13:21, Salvatore Bonaccorso wrote:
[...]
> No problem. Thanks for noticing, can you let us know as usual when you
> have a debdiff ready for the regression update?
> 
> I tend to see this as regression update for the previous DSA, so no
> need for a new CVE id. But let me know if someone thinks otherwise and
> I can followup with MITRE.
> 
> Thanks for your continuous work,

I agree this is a regression update. Please find attached the debdiffs
for Tomcat 7 and Tomcat 8.

Regards,

Markus

diff -Nru tomcat7-7.0.56/debian/changelog tomcat7-7.0.56/debian/changelog
--- tomcat7-7.0.56/debian/changelog 2017-02-13 10:16:57.0 +0100
+++ tomcat7-7.0.56/debian/changelog 2017-02-18 19:16:13.0 +0100
@@ -1,3 +1,12 @@
+tomcat7 (7.0.56-3+deb8u9) jessie-security; urgency=high
+
+  * Team upload.
+  * Add BZ57544-infinite-loop-part2.patch.
+Fix regression due to an incomplete fix for CVE-2017-6056.
+See #854551 for further information.
+
+ -- Markus Koschany   Sat, 18 Feb 2017 19:16:13 +0100
+
 tomcat7 (7.0.56-3+deb8u8) jessie-security; urgency=high
 
   * Team upload.
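Review bot: the tomcat7 changelog entry says less than the tomcat8 entry in the same debdiff: it names the regression and #854551 but not the user-visible symptom (400 HTTP errors) that the tomcat8 entry spells out. Suggest the same wording in both, e.g. `Fix regression (400 HTTP errors) due to an incomplete fix for CVE-2017-6056.`, so the regression notice for the DSA can quote either changelog.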
diff -Nru tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 
tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch
--- tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 
1970-01-01 01:00:00.0 +0100
+++ tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 
2017-02-18 19:16:13.0 +0100
@@ -0,0 +1,29 @@
+From: Markus Koschany 
+Date: Sat, 18 Feb 2017 19:15:02 +0100
+Subject: BZ57544-infinite-loop-part2
+
+Fix 400 HTTP errors due to an incomplete fix for CVE-2017-6056.
+
+Bug-Debian: https://bugs.debian.org/854551
+Origin: 
https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java 
b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index a1251d6..ac56de1 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
 b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -227,9 +227,10 @@ public abstract class AbstractInputBuffer implements 
InputBuffer{
+ // Copy leftover bytes to the beginning of the buffer
+ if (lastValid - pos > 0 && pos > 0) {
+ System.arraycopy(buf, pos, buf, 0, lastValid - pos);
+-lastValid = lastValid - pos;
+-pos = 0;
+ }
++// Always reset pos to zero
++lastValid = lastValid - pos;
++pos = 0;
+ 
+ // Recycle filters
+ for (int i = 0; i <= lastActiveFilter; i++) {
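Review bot: the moved reset (`lastValid = lastValid - pos;` / `pos = 0;`) now also runs when `lastValid - pos == 0`, the fully consumed request that the previous `if` skipped, which is what the `// Always reset pos to zero` comment is about; with `pos == 0` the guarded arraycopy is still skipped and the subtraction is a no-op, so the original non-advancing loop cannot return. Two smaller points: the patch header lacks the `Bug-Upstream:` field that BZ57544-infinite-loop.patch carries, and the description could state under which condition the 400 errors appeared (pointers not reset after a fully consumed request) so the next reader does not have to re-derive it from the diff.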
diff -Nru tomcat7-7.0.56/debian/patches/series 
tomcat7-7.0.56/debian/patches/series
--- tomcat7-7.0.56/debian/patches/series2017-02-13 10:16:57.0 
+0100
+++ tomcat7-7.0.56/debian/patches/series2017-02-18 19:16:13.0 
+0100
@@ -39,3 +39,4 @@
 CVE-2016-8735.patch
 CVE-2016-8745.patch
 BZ57544-infinite-loop.patch
+BZ57544-infinite-loop-part2.patch
diff -Nru tomcat8-8.0.14/debian/changelog tomcat8-8.0.14/debian/changelog
--- tomcat8-8.0.14/debian/changelog 2017-02-13 09:34:43.0 +
+++ tomcat8-8.0.14/debian/changelog 2017-02-18 17:44:25.0 +
@@ -1,3 +1,12 @@
+tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high
+
+  * Team upload.
+  * Add BZ57544-infinite-loop-part2.patch.
+Fix regression (400 HTTP errors) due to an incomplete fix for
+CVE-2017-6056. See #854551 for further information.
+
+ -- Markus Koschany   Sat, 18 Feb 2017 18:44:25 +0100
+
 tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high
 
   * Team upload.
diff -Nru tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 
tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch
--- tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 
1970-01-01 00:00:00.0 +
+++ tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 
2017-02-18 17:44:25.0 +
@@ -0,0 +1,29 @@
+From: Markus Koschany 
+Date: Sat, 18 Feb 2017 18:39:09 +0100
+Subject: BZ57544-infinite-loop-part2
+
+Fix 400 HTTP errors due to an incomplete fix for CVE-2017-6056.
+
+Bug-Debian: https://bugs.debian.org/854551
+Origin: 
https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java 
b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index 2aef369..1fbeb27 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
 b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -237,9 +237,10 @@ public abstract class AbstractInputBuffer implements 
InputBuffer{
+ // Copy leftover bytes to the beginning of the buffer
+ if (lastValid - 

Bug#851304: tomcat8 use 100% cpu time

2017-02-18 Thread Salvatore Bonaccorso
Hi Markus,

On Fri, Feb 17, 2017 at 10:19:18PM +0100, Markus Koschany wrote:
> On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> > Hi Markus, hi Emmanuel,
> > 
> > On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
> >> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> >>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> >>>> Hi,
> >>>>
> >>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> >>>> the issue is related to our latest security updates. We would like to
> >>>> address this regression as soon as possible because this one can be
> >>>> triggered remotely and cause a denial-of-service.
> >>>>
> >>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> >>>> will update the changelogs later.
> >>>
> >>> Thanks, please upload.
> >>
> >> Thanks. Uploaded.
> > 
> > Btw, I requested a CVE for this issue and it got assigned
> > CVE-2017-6056.
> 
> Hi Salvatore,
> 
> Thank you. However apparently the fix was not complete. We received two
> reports that the server returns 400 errors under certain circumstances. [1]
> We need to prepare a regression update and the suggested fix is [2].
> Sorry for the inconvenience.

No problem. Thanks for noticing, can you let us know as usual when you
have a debdiff ready for the regression update?

I tend to see this as regression update for the previous DSA, so no
need for a new CVE id. But let me know if someone thinks otherwise and
I can followup with MITRE.

Thanks for your continuous work,

Regards,
Salvatore



Bug#851304: tomcat8 use 100% cpu time

2017-02-17 Thread Markus Koschany
On 17.02.2017 22:09, Salvatore Bonaccorso wrote:
> Hi Markus, hi Emmanuel,
> 
> On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
>> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
>>> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
>>>> Hi,
>>>>
>>>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
>>>> the issue is related to our latest security updates. We would like to
>>>> address this regression as soon as possible because this one can be
>>>> triggered remotely and cause a denial-of-service.
>>>>
>>>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
>>>> will update the changelogs later.
>>>
>>> Thanks, please upload.
>>
>> Thanks. Uploaded.
> 
> Btw, I requested a CVE for this issue and it got assigned
> CVE-2017-6056.

Hi Salvatore,

Thank you. However apparently the fix was not complete. We received two
reports that the server returns 400 errors under certain circumstances. [1]
We need to prepare a regression update and the suggested fix is [2].
Sorry for the inconvenience.

Regards,

Markus


[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551#59
[2]
https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9.patch





Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-17 Thread Salvatore Bonaccorso
Hi Markus, hi Emmanuel,

On Mon, Feb 13, 2017 at 10:48:20AM +0100, Markus Koschany wrote:
> On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> > On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> >> Hi,
> >>
> >> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> >> the issue is related to our latest security updates. We would like to
> >> address this regression as soon as possible because this one can be
> >> triggered remotely and cause a denial-of-service.
> >>
> >> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> >> will update the changelogs later.
> > 
> > Thanks, please upload.
> 
> Thanks. Uploaded.

Btw, I requested a CVE for this issue and it got assigned
CVE-2017-6056.

Regards,
Salvatore



Bug#851304: tomcat8 use 100% cpu time

2017-02-13 Thread linux...@gmail.com
I tried the updated package and it works well.

RickLinux

-------- Original Message --------
From: Markus Koschany
Sent: Thu, 09 Feb 2017 20:28:53 -0500
To: linux...@gmail.com, k...@juplo.de
Cc: 851...@bugs.debian.org
Subject: Re: tomcat8 use 100% cpu time

>Hello,
>
>thank you for reporting this bug. We think we have found a solution for
>this issue. I have uploaded new binary packages of Tomcat 8 for Debian
>Jessie to [1] and a debdiff in case you prefer to build the package from
>source. We would appreciate it if you could test those packages and tell
>us if they fix your cpu load problem.
>
>[1] https://people.debian.org/~apo/tomcat8/
>
>Regards,
>
>Markus
>

Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-13 Thread Markus Koschany
On 13.02.2017 08:34, Moritz Mühlenhoff wrote:
> On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
>> the issue is related to our latest security updates. We would like to
>> address this regression as soon as possible because this one can be
>> triggered remotely and cause a denial-of-service.
>>
>> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
>> will update the changelogs later.
> 
> Thanks, please upload.

Thanks. Uploaded.





Bug#854551: Bug#851304: tomcat8 use 100% cpu time

2017-02-12 Thread Moritz Mühlenhoff
On Sun, Feb 12, 2017 at 09:38:31PM +0100, Markus Koschany wrote:
> Hi,
> 
> a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
> the issue is related to our latest security updates. We would like to
> address this regression as soon as possible because this one can be
> triggered remotely and cause a denial-of-service.
> 
> I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
> will update the changelogs later.

Thanks, please upload.

Cheers,
Moritz



Bug#851304: tomcat8 use 100% cpu time

2017-02-12 Thread Markus Koschany
Hi,

a bug was reported against tomcat8 and tomcat7 in Jessie and it seems
the issue is related to our latest security updates. We would like to
address this regression as soon as possible because this one can be
triggered remotely and cause a denial-of-service.

I have attached the debdiffs for tomcat8 and tomcat7 to this email. I
will update the changelogs later.

Regards,

Markus
diff -Nru tomcat7-7.0.56/debian/changelog tomcat7-7.0.56/debian/changelog
--- tomcat7-7.0.56/debian/changelog 2017-01-05 18:16:41.0 +0100
+++ tomcat7-7.0.56/debian/changelog 2017-02-10 03:30:38.0 +0100
@@ -1,3 +1,10 @@
+tomcat7 (7.0.56-3+deb8u8) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * Add BZ57544-infinite-loop.patch
+
+ -- Markus Koschany   Fri, 10 Feb 2017 03:30:38 +0100
+
 tomcat7 (7.0.56-3+deb8u7) jessie-security; urgency=high
 
   * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
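Review bot: the distribution and urgency of the new entry are `UNRELEASED; urgency=medium`, but this is going to jessie-security as the fix for a remotely triggerable DoS, so it needs `jessie-security; urgency=high` before upload (the mail already says the changelogs will be updated later). The line `Add BZ57544-infinite-loop.patch` should also say what the patch fixes (infinite loop in AbstractInputBuffer.recycle(), upstream bug 60578, Debian #851304 and #854551), since the changelog text is what ends up in the DSA.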
diff -Nru tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch 
tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch
--- tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch   1970-01-01 
01:00:00.0 +0100
+++ tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop.patch   2017-02-10 
03:30:38.0 +0100
@@ -0,0 +1,48 @@
+From: Markus Koschany 
+Date: Fri, 10 Feb 2017 03:01:38 +0100
+Subject: BZ57544 infinite loop
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551
+Origin: 
https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 16 
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java 
b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index eda3609..a1251d6 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
 b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -225,15 +225,10 @@ public abstract class AbstractInputBuffer implements 
InputBuffer{
+ request.recycle();
+ 
+ // Copy leftover bytes to the beginning of the buffer
+-if (lastValid - pos > 0) {
+-int npos = 0;
+-int opos = pos;
+-while (lastValid - opos > opos - npos) {
+-System.arraycopy(buf, opos, buf, npos, opos - npos);
+-npos += pos;
+-opos += pos;
+-}
+-System.arraycopy(buf, opos, buf, npos, lastValid - opos);
++if (lastValid - pos > 0 && pos > 0) {
++System.arraycopy(buf, pos, buf, 0, lastValid - pos);
++lastValid = lastValid - pos;
++pos = 0;
+ }
+ 
+ // Recycle filters
+@@ -242,12 +237,9 @@ public abstract class AbstractInputBuffer implements 
InputBuffer{
+ }
+ 
+ // Reset pointers
+-lastValid = lastValid - pos;
+-pos = 0;
+ lastActiveFilter = -1;
+ parsingHeader = true;
+ swallowInput = true;
+-
+ }
+ 
+ 
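Review bot: the replacement code only resets the pointers inside the guarded block, because the second hunk removes the unconditional `lastValid = lastValid - pos;` / `pos = 0;` under `// Reset pointers`. For the common case of a fully consumed request, `lastValid - pos > 0` is false, so neither pointer is reset and the next request on the same connection starts parsing at the old end of data instead of at 0. Suggest keeping the two reset lines outside the `if`, with only the `System.arraycopy` guarded; the `pos > 0` condition by itself already removes the non-advancing loop that caused the 100% CPU.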
diff -Nru tomcat7-7.0.56/debian/patches/series 
tomcat7-7.0.56/debian/patches/series
--- tomcat7-7.0.56/debian/patches/series2017-01-05 18:13:55.0 
+0100
+++ tomcat7-7.0.56/debian/patches/series2017-02-10 03:30:38.0 
+0100
@@ -38,3 +38,4 @@
 BZ-57377.patch
 CVE-2016-8735.patch
 CVE-2016-8745.patch
+BZ57544-infinite-loop.patch
diff -Nru tomcat8-8.0.14/debian/changelog tomcat8-8.0.14/debian/changelog
--- tomcat8-8.0.14/debian/changelog 2017-01-06 00:39:34.0 +0100
+++ tomcat8-8.0.14/debian/changelog 2017-02-10 01:08:51.0 +0100
@@ -1,3 +1,10 @@
+tomcat8 (8.0.14-1+deb8u7) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * Add BZ57544-infinite-loop.patch
+
+ -- Markus Koschany   Fri, 10 Feb 2017 01:08:51 +0100
+
 tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high
 
   * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
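Review bot: the tomcat8 entry has the same changelog problem as the tomcat7 half of this debdiff: `UNRELEASED; urgency=medium` must become `jessie-security; urgency=high` for the security upload, and `Add BZ57544-infinite-loop.patch` should describe the fix (infinite loop in AbstractInputBuffer.recycle(), upstream bug 60578, #851304) rather than only name the file.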
diff -Nru tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch 
tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch
--- tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch   1970-01-01 
01:00:00.0 +0100
+++ tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop.patch   2017-02-10 
01:08:51.0 +0100
@@ -0,0 +1,48 @@
+From: Markus Koschany 
+Date: Fri, 10 Feb 2017 01:06:54 +0100
+Subject: BZ57544 infinite loop
+
+Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851304
+Origin: 
https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788
+---
+ java/org/apache/coyote/http11/AbstractInputBuffer.java | 16 
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java 
b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index 33d4b3b..2aef369 100644
+-
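The three versions of the recycle() pointer handling that the debdiffs in this thread go through (the original chunked copy loop, BZ57544-infinite-loop.patch, and BZ57544-infinite-loop-part2.patch), as an added Java model; this is neither Tomcat's code nor the debdiffs' code. The RecycleModel class, the MAX_STEPS guard and the constructed buffer contents are assumptions made so that the original's non-termination can be reported instead of hung on, and it also covers the fully consumed keep-alive case that the first patch leaves unreset and the part2 patch corrects.

```java
import java.util.Arrays;
// Added model of AbstractInputBuffer.recycle() pointer handling; not Tomcat's own code.
// pos is the next unread byte, lastValid the end of the data read so far.
public class RecycleModel {
    static final int MAX_STEPS = 1000; // hypothetical guard so the hang can be reported
    byte[] buf = new byte[32];
    int pos;
    int lastValid;

    RecycleModel(int pos, int lastValid) {
        this.pos = pos;
        this.lastValid = lastValid;
        for (int i = 0; i < lastValid; i++) buf[i] = (byte) ('a' + i); // constructed bytes
    }

    /** Jessie code before both patches. Returns false where the real code never returns. */
    boolean recycleOriginal() {
        int steps = 0;
        if (lastValid - pos > 0) {
            int npos = 0;
            int opos = pos;
            // With pos == 0 neither npos nor opos advances, so this loop never ends.
            while (lastValid - opos > opos - npos) {
                if (++steps > MAX_STEPS) return false;
                System.arraycopy(buf, opos, buf, npos, opos - npos);
                npos += pos;
                opos += pos;
            }
            System.arraycopy(buf, opos, buf, npos, lastValid - opos);
        }
        lastValid = lastValid - pos;
        pos = 0;
        return true;
    }

    /** BZ57544-infinite-loop.patch: loop removed, but the reset moved inside the if. */
    void recycleFirstFix() {
        if (lastValid - pos > 0 && pos > 0) {
            System.arraycopy(buf, pos, buf, 0, lastValid - pos);
            lastValid = lastValid - pos;
            pos = 0;
        }
        // A fully consumed request (lastValid == pos) leaves both pointers untouched.
    }

    /** BZ57544-infinite-loop-part2.patch: only the copy is guarded, the reset always runs. */
    void recycleSecondFix() {
        if (lastValid - pos > 0 && pos > 0) {
            System.arraycopy(buf, pos, buf, 0, lastValid - pos);
        }
        lastValid = lastValid - pos;
        pos = 0;
    }

    String state() {
        return "pos=" + pos + " lastValid=" + lastValid
                + " data=" + new String(Arrays.copyOf(buf, lastValid));
    }

    public static void main(String[] args) {
        // Case 1: request rejected with a 400 before any byte was consumed (the pointer
        // state assumed for the https-on-port-8080 report): pos == 0, lastValid > 0.
        RecycleModel rejected = new RecycleModel(0, 5);
        System.out.println("original, rejected request terminates: " + rejected.recycleOriginal());
        rejected = new RecycleModel(0, 5);
        rejected.recycleSecondFix();
        System.out.println("part2, rejected request:      " + rejected.state());
        // Case 2: request fully consumed, the usual keep-alive case: pos == lastValid.
        RecycleModel consumed = new RecycleModel(8, 8);
        consumed.recycleFirstFix();
        System.out.println("first fix, consumed request:  " + consumed.state());
        consumed = new RecycleModel(8, 8);
        consumed.recycleSecondFix();
        System.out.println("part2, consumed request:      " + consumed.state());
        // Case 3: pipelined leftover bytes, 0 < pos < lastValid, so compaction is needed.
        RecycleModel leftover = new RecycleModel(5, 8);
        leftover.recycleSecondFix();
        System.out.println("part2, leftover bytes:        " + leftover.state());
    }
}
```

Case 2 is the one the part2 debdiff exists for: after the first patch the consumed request leaves pos and lastValid at 8, so the next request on that connection is parsed from the middle of stale data, while the part2 variant returns both to 0.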

Bug#851304: tomcat8 use 100% cpu time

2017-02-12 Thread Markus Koschany
On 12.02.2017 11:24, Kai Moritz wrote:
> Hi Markus,
> 
> 
> I installed the updated packages (in my case only: libtomcat8-java,
> tomcat8-common and tomcat8) on three different servers. My private one,
> that serves only my own little projects, a test-server and a redundant
> production server at work.
> 
> It looks like they fix the reported issue on all three hosts and every
> thing else works as expected.

That's great to hear. Thank you very much Kai for taking your time to
test the packages and getting back to us.

Best,

Markus





Bug#851304: tomcat8 use 100% cpu time

2017-02-12 Thread Kai Moritz

Hi Markus,


I installed the updated packages (in my case only: libtomcat8-java, 
tomcat8-common and tomcat8) on three different servers. My private one, 
that serves only my own little projects, a test-server and a redundant 
production server at work.


It looks like they fix the reported issue on all three hosts and
everything else works as expected.


I will keep monitoring the servers and report back, if I encounter 
anything strange.


Some days later I will also install the fixed packages on our 
production-server at work, if nothing has shown up on the servers, where 
the packages are already installed.


By the way:
During the installation of the three packages I noticed that one of the
three hosts has been vulnerable to the bug, even though access to the
HTTP connector was restricted to one special client. That means the bug
can be exploited even if one restricts access to the port in the
server.xml.



Regards,

kai

On 10.02.2017 at 02:28, Markus Koschany wrote:

> Hello,
>
> thank you for reporting this bug. We think we have found a solution for
> this issue. I have uploaded new binary packages of Tomcat 8 for Debian
> Jessie to [1] and a debdiff in case you prefer to build the package from
> source. We would appreciate it if you could test those packages and tell
> us if they fix your cpu load problem.
>
> [1] https://people.debian.org/~apo/tomcat8/
>
> Regards,
>
> Markus



--
juplo
Inhaber: Kai Moritz

Tel: +49 (0)176 20 50 47 47
k...@juplo.de
http://juplo.de



Bug#851304: tomcat8 use 100% cpu time

2017-02-11 Thread Richard Jobin
I will give it a try as soon as possible.

I would be glad to help

RickLinux

On Feb 9, 2017 8:28 PM, "Markus Koschany"  wrote:

> Hello,
>
> thank you for reporting this bug. We think we have found a solution for
> this issue. I have uploaded new binary packages of Tomcat 8 for Debian
> Jessie to [1] and a debdiff in case you prefer to build the package from
> source. We would appreciate it if you could test those packages and tell
> us if they fix your cpu load problem.
>
> [1] https://people.debian.org/~apo/tomcat8/
>
> Regards,
>
> Markus
>
>

Bug#851304: tomcat8 use 100% cpu time

2017-02-09 Thread Markus Koschany
Hello,

thank you for reporting this bug. We think we have found a solution for
this issue. I have uploaded new binary packages of Tomcat 8 for Debian
Jessie to [1] and a debdiff in case you prefer to build the package from
source. We would appreciate it if you could test those packages and tell
us if they fix your cpu load problem.

[1] https://people.debian.org/~apo/tomcat8/

Regards,

Markus




Bug#851304: tomcat8 use 100% cpu time

2017-02-08 Thread Emmanuel Bourg
On 8/02/2017 at 15:52, Markus Koschany wrote:

> it appears that Tomcat 7 and 8 in Jessie and Wheezy are affected by this
> bug. Are you still working on it or shall I prepare updates for
> -security based on the upstream patch from
> 
> https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2

Hi Markus,

Feel free to prepare the update, I'm rather busy atm and I won't be able
to work on this before this weekend. I was considering uploading a
stable update but it won't be immediately available. A security update
would be faster but I don't know if the security team would accept it.

Emmanuel Bourg


Bug#851304: tomcat8 use 100% cpu time - confirmation

2017-01-30 Thread Markus Koschany
Looks like this is the proposed upstream fix:

https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2




Bug#851304: tomcat8 use 100% cpu time - confirmation

2017-01-30 Thread Markus Koschany
Control: forwarded -1 https://bz.apache.org/bugzilla/show_bug.cgi?id=60578

I am marking this bug as forwarded in case someone is wondering about
the current progress. Apparently Emmanuel is already working on an update.





Bug#851304: tomcat8 use 100% cpu time - confirmation

2017-01-23 Thread Kai Moritz
Dear Maintainer,


I can confirm the observations of RickLinux.

I have observed the exact same behaviour on several debian-hosts that
are running Jessie with version 8.0.14-1+deb8u6 of the tomcat-packages
(and also u4 and u5).


In my case, the effect is triggered by scans, that hit the servers that
I am administering at random. Each scan can be seen in the LOG-files
with an entry like:

62.210.246.66 - - [18/Jan/2017:16:20:16 +0100] "-" 400 -

Each hit leads to one cpu hogging 100%. Hence, if the machine has only
one cpu, one hit leads to a DOS; if it has for example 8 cpus, 8 hits
are needed.

At first glance I thought that the scans were running a specialized
DOS attack. But after I read the bug report of RickLinux I produced the
exact same behaviour with an https-GET on the port where tomcat is
listening for http-connections.

Like RickLinux I also tested a vanilla 8.0.14 Tomcat and found, that it
does not show this behavior.


Kind Regards

Kai Moritz

-- 
juplo
Inhaber: Kai Moritz

Tel: +49 (0)176 20 50 47 47
k...@juplo.de
http://juplo.de



Bug#851304: tomcat8 use 100% cpu time

2017-01-13 Thread RickLinux
Package: tomcat8
Version: 8.0.14-1+deb8u6
Severity: important

Dear Maintainer,

I noticed a bump in CPU load up to 100% per CPU.
It appears from tomcat8-8.0.14-1+deb8u4 and up.

Here is how to create the bug.

http://localhost:8080, no problem.
https://localhost:8443, no problem (need to create a certificate).
https://localhost:8080, 100% cpu load.

I use the default config coming from stable without any modification to it.
The problem still exists.

If it can help, I tried with apache-tomcat-8.0.39 from apache's site and
the server operates normally even if I try the requests above.

RickLinux

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat8 depends on:
ii  adduser3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat8-common 8.0.14-1+deb8u6
ii  ucf3.0030

Versions of packages tomcat8 recommends:
ii  authbind  2.1.1

Versions of packages tomcat8 suggests:
pn  libtcnative-1 
pn  tomcat8-admin 
pn  tomcat8-docs  
pn  tomcat8-examples  
pn  tomcat8-user  

-- debconf information:
  tomcat8/groupname: tomcat8
  tomcat8/javaopts: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
  tomcat8/username: tomcat8
