Re: Response mixed between users with mod_jk-1.2.40
Philippe Mouawad wrote: Hello, Any feedback on this ? Thanks Hi. I don't think that you should reasonably expect any feedback. It is not that people here do not want to help, but your version of Tomcat is so hopelessly outdated (2007 ?)(see: https://tomcat.apache.org/whichversion.html) that it would cost them a lot of time, and time is something that most of them don't have too much of. So they concentrate on the latest versions, because for that there is a chance that they still have a similar system somewhere, or remember the issue and how to fix it. Your best hope is to search the Tomcat list archives (see https://tomcat.apache.org/lists.html), for something that looks like a similar issue. But if it is a Tomcat issue, the result will probably be that you need to upgrade your Tomcat to solve it. On Sun, Sep 7, 2014 at 11:49 PM, Philippe Mouawad philippe.moua...@gmail.com wrote: Hello, I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old) I have made some searches on bug database and found this issue which seems similar: - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 But the issue is in state WORKSFORME so it is not a bug AFAIU. Also issue seems to be related to a bug fix that occured in mod_jk 1.2.27 : AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) What makes me say this is that there is a JBoss solution document that says this: https://access.redhat.com/solutions/19239 There is a known bug in mod_jk versions 1.2.26 and below that can cause session crosstalk AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) So with version 1.2.40 no issue should remain Afaik. So I have 3 questions: 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? 2) The issue was related to a security problem, but how response mix did occur ? 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I am besides this investigating load balancer and application issues. Thanks for help Regards Philippe M. -- Cordialement. Philippe Mouawad. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Response mixed between users with mod_jk-1.2.40
Hello André, I understand your answer although my 3 questions are also related to current version of Tomcat. I was hoping that the person who fixed the issue could explain how the problem occured. To recap my 3 questions : 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? I suppose that if I upgrade to last 6.X it should be fine (Cannot upgrade for now to 7 or 8) 2) The issue was related to a security problem, but how response mix did occur ? This one is more to understand technically the issue 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? This one still concerns modern versions of Tomcat. Anyway thanks for answer. Regards Philippe On Thu, Sep 25, 2014 at 12:02 PM, André Warnier a...@ice-sa.com wrote: Philippe Mouawad wrote: Hello, Any feedback on this ? Thanks Hi. I don't think that you should reasonably expect any feedback. It is not that people here do not want to help, but your version of Tomcat is so hopelessly outdated (2007 ?)(see: https://tomcat.apache.org/ whichversion.html) that it would cost them a lot of time, and time is something that most of them don't have too much of. So they concentrate on the latest versions, because for that there is a chance that they still have a similar system somewhere, or remember the issue and how to fix it. Your best hope is to search the Tomcat list archives (see https://tomcat.apache.org/lists.html), for something that looks like a similar issue. But if it is a Tomcat issue, the result will probably be that you need to upgrade your Tomcat to solve it. On Sun, Sep 7, 2014 at 11:49 PM, Philippe Mouawad philippe.moua...@gmail.com wrote: Hello, I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old) I have made some searches on bug database and found this issue which seems similar: - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 But the issue is in state WORKSFORME so it is not a bug AFAIU. Also issue seems to be related to a bug fix that occured in mod_jk 1.2.27 : AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) What makes me say this is that there is a JBoss solution document that says this: https://access.redhat.com/solutions/19239 There is a known bug in mod_jk versions 1.2.26 and below that can cause session crosstalk AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) So with version 1.2.40 no issue should remain Afaik. So I have 3 questions: 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? 2) The issue was related to a security problem, but how response mix did occur ? 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I am besides this investigating load balancer and application issues. Thanks for help Regards Philippe M. -- Cordialement. Philippe Mouawad. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Cordialement. Philippe Mouawad.
Re: Response mixed between users with mod_jk-1.2.40
Philippe Mouawad wrote: Hello André, I understand your answer although my 3 questions are also related to current version of Tomcat. Ok, then, to increase your chances of getting a response : - download and setup a current version of Tomcat - reproduce the issue in that one - and repost your question mentioning that version of mod_jk and Tomcat Understand : the issue as you describe it could be in mod_jk, but it also /could be/ some bug in Tomcat 5.5.x, that has been already corrected in one of the very many Tomcat versions since that one (50 ? 100?). Before anyone is going to even look at it, /you/ will have to convince them that it is probably not the case. Or else, find a $consultant that will do that research for you. But that's just me saying. I am just trying to help, by helping you to avoid losing time waiting. But you are welcome to keep on trying and prove me wrong. I was hoping that the person who fixed the issue could explain how the problem occured. To recap my 3 questions : 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? I suppose that if I upgrade to last 6.X it should be fine (Cannot upgrade for now to 7 or 8) 2) The issue was related to a security problem, but how response mix did occur ? This one is more to understand technically the issue 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? This one still concerns modern versions of Tomcat. Anyway thanks for answer. Regards Philippe On Thu, Sep 25, 2014 at 12:02 PM, André Warnier a...@ice-sa.com wrote: Philippe Mouawad wrote: Hello, Any feedback on this ? Thanks Hi. I don't think that you should reasonably expect any feedback. It is not that people here do not want to help, but your version of Tomcat is so hopelessly outdated (2007 ?)(see: https://tomcat.apache.org/ whichversion.html) that it would cost them a lot of time, and time is something that most of them don't have too much of. So they concentrate on the latest versions, because for that there is a chance that they still have a similar system somewhere, or remember the issue and how to fix it. Your best hope is to search the Tomcat list archives (see https://tomcat.apache.org/lists.html), for something that looks like a similar issue. But if it is a Tomcat issue, the result will probably be that you need to upgrade your Tomcat to solve it. On Sun, Sep 7, 2014 at 11:49 PM, Philippe Mouawad philippe.moua...@gmail.com wrote: Hello, I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old) I have made some searches on bug database and found this issue which seems similar: - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 But the issue is in state WORKSFORME so it is not a bug AFAIU. Also issue seems to be related to a bug fix that occured in mod_jk 1.2.27 : AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) What makes me say this is that there is a JBoss solution document that says this: https://access.redhat.com/solutions/19239 There is a known bug in mod_jk versions 1.2.26 and below that can cause session crosstalk AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) So with version 1.2.40 no issue should remain Afaik. So I have 3 questions: 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? 2) The issue was related to a security problem, but how response mix did occur ? 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I am besides this investigating load balancer and application issues. Thanks for help Regards Philippe M. -- Cordialement. Philippe Mouawad. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail:
Re: Response mixed between users with mod_jk-1.2.40
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Phillipe, On 9/7/14 5:49 PM, Philippe Mouawad wrote: I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old) Yikes. 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? No. mod_jk uses AJP13 protocol which all reasonably recent versions of Tomcat (including 5.5!) support. Upgrading mod_jk should not be a problem for you. 2) The issue was related to a security problem, but how response mix did occur ? You'd have to read a whole lot more about the bug to understand that. I'll paraphrase a recent statement: this isn't a Hacking 101 course. 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I'm not sure. If we knew what the issue was, we probably would have fixed it by now. Note that the resolution was WORKSFORME but it has recently been re-opened along with some code that allegedly reproduces the behavior. I haven't tried it myself, though. I am besides this investigating load balancer and application issues. So you are experiencing response mix-ups as well? If so, please add anything you can to that bug report. Of course, only after upgrading to the most recent version of mod_jk. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUJBE4AAoJEBzwKT+lPKRYLf8P/3lNsLdqxFWUt6htMqGaYFtl rd3BcJw1ZepuzRFqfWaS8qvB5xV9/ZrbNQjSHk8r98ItvikM7wrbrCt24CX/WpvW JrS+RnrirL2bmSM8Anvp3/akGnl+pbkUKz3DxqSHqT/T1MMLUU0hn3XwsZ/Sfhqq Myg7jsODxVbYJWoXVx7IDYWTnd3JCXFCE+QUXX195QUY0iMNc5/eucpu/OtokZ6R HnSjDZCtq2EKFFk/eXywUzBXpbNG9tmg4aTD0+VOsrnDVhFoWbAyQEe9NI2xTqpb CiR9umcmAg3LxRUMLOXec3qdS6UQMzv7GXOCJ7JA5mI5EgV5GE/PFq+dbuGfNKNh +gU17k9uypCtzgcG9e2J7guiYc24ZJ5W5ILtElfBwoyHXoW57iW57GOx0T0PdZge 7NUCc3naBRjfjnWV77E1QKbeqKYnwQBAZdShTBChJVSQYsgOGPn6IqeILqn7za4d P4bW+3v2qQPE9AeEYI+vKM3juy+hcsOK6vs8wKPDYhRxo+zc7ArwPfjZ1ry6MoPX 1o3J0sYMEELrP786uoDILuKFNJ38outxBIiZ7Ce+KLyZBaUiGTqacD5zwevLwAS2 w4GeJixYxKoQbUP90nBLdZMERM7ZJqFY7+1RWLiWkysMis8p0KiBt15reGATpD22 Wvmxu6q9eMFaaU5DIKHF =nPPd -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Response mixed between users with mod_jk-1.2.40
Hi Guys, Thanks for your feedback. @André, I am working (not continually on the issue) on the issue, my mail (sent the day I started working on it) was just to have some additional analysis elements. I am happy to see bug has evolved and I followed the same exact path that one of the guys mentions, which is using a Load Test with a bit modified script to detect JSESSIONID mix. But unfortunately I didn't reproduce it. I will be working on it again this friday and will give as much feedback as I can. Regarding upgrade to last Tomcat version , it is unfortunately not a short term option but it is not excluded, as you know in enterprise world moving UP a version for a big application is not an easy thing. Regarding the $consultant and the time , I can understand as I am also working on my spare time at Apache :-) @Christopher, we are already IN PROD on 1.2.40 of mod_jk and issue is happening. But we don't have yet the optimal (no retry) config in PROD, the first thing we will do is apply it on Load Test Env then prod to see if issue persists. Unfortunately reading further comments on bug, I see even after fixing this, issue persists (but will do it to be sure), and disabling connection reuse does not seem to be a good option on perf side, but it gives a hint that maybe the reused connection is not correctly cleaned up which could explain the response mix. Regarding content length mentionned in bug , AFAIU this should be controlled by Tomcat (except for certain kind of responses like PDF generation where it is usually set by custom code). Thanks all for your answers. Regards On Thu, Sep 25, 2014 at 2:57 PM, Christopher Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Phillipe, On 9/7/14 5:49 PM, Philippe Mouawad wrote: I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old) Yikes. 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? No. mod_jk uses AJP13 protocol which all reasonably recent versions of Tomcat (including 5.5!) support. Upgrading mod_jk should not be a problem for you. 2) The issue was related to a security problem, but how response mix did occur ? You'd have to read a whole lot more about the bug to understand that. I'll paraphrase a recent statement: this isn't a Hacking 101 course. 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I'm not sure. If we knew what the issue was, we probably would have fixed it by now. Note that the resolution was WORKSFORME but it has recently been re-opened along with some code that allegedly reproduces the behavior. I haven't tried it myself, though. I am besides this investigating load balancer and application issues. So you are experiencing response mix-ups as well? If so, please add anything you can to that bug report. Of course, only after upgrading to the most recent version of mod_jk. - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJUJBE4AAoJEBzwKT+lPKRYLf8P/3lNsLdqxFWUt6htMqGaYFtl rd3BcJw1ZepuzRFqfWaS8qvB5xV9/ZrbNQjSHk8r98ItvikM7wrbrCt24CX/WpvW JrS+RnrirL2bmSM8Anvp3/akGnl+pbkUKz3DxqSHqT/T1MMLUU0hn3XwsZ/Sfhqq Myg7jsODxVbYJWoXVx7IDYWTnd3JCXFCE+QUXX195QUY0iMNc5/eucpu/OtokZ6R HnSjDZCtq2EKFFk/eXywUzBXpbNG9tmg4aTD0+VOsrnDVhFoWbAyQEe9NI2xTqpb CiR9umcmAg3LxRUMLOXec3qdS6UQMzv7GXOCJ7JA5mI5EgV5GE/PFq+dbuGfNKNh +gU17k9uypCtzgcG9e2J7guiYc24ZJ5W5ILtElfBwoyHXoW57iW57GOx0T0PdZge 7NUCc3naBRjfjnWV77E1QKbeqKYnwQBAZdShTBChJVSQYsgOGPn6IqeILqn7za4d P4bW+3v2qQPE9AeEYI+vKM3juy+hcsOK6vs8wKPDYhRxo+zc7ArwPfjZ1ry6MoPX 1o3J0sYMEELrP786uoDILuKFNJ38outxBIiZ7Ce+KLyZBaUiGTqacD5zwevLwAS2 w4GeJixYxKoQbUP90nBLdZMERM7ZJqFY7+1RWLiWkysMis8p0KiBt15reGATpD22 Wvmxu6q9eMFaaU5DIKHF =nPPd -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org -- Cordialement. Philippe Mouawad.
Re: Response mixed between users with mod_jk-1.2.40
Hello, Any feedback on this ? Thanks On Sun, Sep 7, 2014 at 11:49 PM, Philippe Mouawad philippe.moua...@gmail.com wrote: Hello, I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old) I have made some searches on bug database and found this issue which seems similar: - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 But the issue is in state WORKSFORME so it is not a bug AFAIU. Also issue seems to be related to a bug fix that occured in mod_jk 1.2.27 : AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) What makes me say this is that there is a JBoss solution document that says this: https://access.redhat.com/solutions/19239 There is a known bug in mod_jk versions 1.2.26 and below that can cause session crosstalk AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) So with version 1.2.40 no issue should remain Afaik. So I have 3 questions: 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? 2) The issue was related to a security problem, but how response mix did occur ? 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I am besides this investigating load balancer and application issues. Thanks for help Regards Philippe M. -- Cordialement. Philippe Mouawad. -- Cordialement. Philippe Mouawad.
Response mixed between users with mod_jk-1.2.40
Hello, I am working currently on an issue where an application is facing either Response mix or Session mix. For example: 1/ a user A gets the basket of customer B when going on basket detail (response mix) 2/ Cookies also get mixed up, more of session mix in this case The versions of components are the following: - Load Balancer = modjk_1.2.40 = Tomcat 5.5.23 (Yes very old) I have made some searches on bug database and found this issue which seems similar: - https://issues.apache.org/bugzilla/show_bug.cgi?id=47714 But the issue is in state WORKSFORME so it is not a bug AFAIU. Also issue seems to be related to a bug fix that occured in mod_jk 1.2.27 : AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) What makes me say this is that there is a JBoss solution document that says this: https://access.redhat.com/solutions/19239 There is a known bug in mod_jk versions 1.2.26 and below that can cause session crosstalk AJP13: [CVE-2008-5519] Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk) So with version 1.2.40 no issue should remain Afaik. So I have 3 questions: 1) Does the fix in mod_jk require an upgrade to a particular tomcat version ? 2) The issue was related to a security problem, but how response mix did occur ? 3) The Bug 47714 close as Worksforme is not clear for me. Is it possible that non optimal config can lead to this issue, for example: - Not setting recovery_options ? what would be the technical explanation ? Request would be retried but how mix would occur ? I am besides this investigating load balancer and application issues. Thanks for help Regards Philippe M. -- Cordialement. Philippe Mouawad.
