Description of problem:
The version of Commons HttpClient shipped in JON, and used by rhq-rh-access.war and the plugins, can cause a server thread to become unresponsive during the SSL handshake. See the upstream bug for more details:
https://issues.apache.org/jira/browse/HTTPCLIENT-1478

Version-Release number of selected component (if applicable):
httpclient 4.3.2

How reproducible:
Run the attached reproducer and observe that the SocketTimeout setting is ignored.

Steps to Reproduce:
1. Compile the attached reproducer with:
   javac -classpath /path/to/httpcore.jar:/path/to/httpclient.jar \
       ClientTimeout43.java
2. Run it with:
   java -classpath /path/to/httpcore.jar:/path/to/httpclient.jar:/usr/share/java/commons-logging.jar:/usr/share/java/commons-logging-api.jar:. \
       ClientTimeout43

Actual results:
FAIL

Expected results:
PASS

Additional info:
This was raised to me as CVE-2015-5262, which I attached to this bug. However, it doesn't seem to be exploitable at will, so I'm not raising a security tracker bug for it.
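The attached ClientTimeout43.java is not reproduced on this page. The harness below is an added example, written for this writeup rather than taken from the attachment or from JON, that checks the same property the reporter describes: whether a socket timeout set on an HttpClient 4.3.x client bounds a TLS handshake that never completes. It assumes a loopback "server" that accepts the TCP connection and then sends nothing (so no ServerHello ever arrives), a 2 s timeout with 3 s of slack, and the same httpcore/httpclient/commons-logging jars on the classpath as in the steps above. The second client, which also pins SO_TIMEOUT through SocketConfig on the connection manager, is included for comparison only; that this bounds the handshake on a given 4.3.x build is an assumption the harness measures rather than relies on.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.atomic.AtomicLong;

import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.SocketConfig;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

public class HandshakeTimeoutCheck {

    private static final int TIMEOUT_MS = 2000; // the read timeout we configure (assumed value)
    private static final int SLACK_MS = 3000;   // tolerance past it before we call the request hung

    // Accepted sockets are kept referenced so nothing closes them behind our back.
    private static final List<Socket> HELD = Collections.synchronizedList(new ArrayList<Socket>());

    // Constructed loopback "server": completes the TCP handshake, then stays silent.
    // No ServerHello ever arrives, so only the client's read timeout can end the TLS handshake.
    static ServerSocket startSilentServer() throws IOException {
        final ServerSocket ss = new ServerSocket(0, 50, InetAddress.getLoopbackAddress());
        Thread acceptor = new Thread(() -> {
            try {
                while (!ss.isClosed()) {
                    HELD.add(ss.accept());
                }
            } catch (IOException ignored) {
                // server socket closed; nothing else to do
            }
        });
        acceptor.setDaemon(true);
        acceptor.start();
        return ss;
    }

    // Issue one GET on a worker thread. Returns the milliseconds until the request failed,
    // or -1 if the worker is still blocked TIMEOUT_MS + SLACK_MS later (timeout ignored).
    static long timeHandshake(final CloseableHttpClient client, final String url) throws InterruptedException {
        final AtomicLong elapsed = new AtomicLong(-1);
        Thread worker = new Thread(() -> {
            long start = System.nanoTime();
            try (CloseableHttpResponse r = client.execute(new HttpGet(url))) {
                // Not reached: the silent server never finishes the handshake.
            } catch (IOException e) {
                elapsed.set((System.nanoTime() - start) / 1_000_000L);
            }
        });
        worker.setDaemon(true); // a hung worker must not keep the JVM alive
        worker.start();
        worker.join(TIMEOUT_MS + SLACK_MS);
        return elapsed.get();
    }

    static void report(String label, long ms) {
        if (ms < 0) {
            System.out.println("FAIL " + label + ": still blocked in the TLS handshake after "
                    + (TIMEOUT_MS + SLACK_MS) + " ms");
        } else {
            System.out.println("PASS " + label + ": handshake aborted after " + ms + " ms");
        }
    }

    public static void main(String[] args) throws Exception {
        ServerSocket ss = startSilentServer();
        String url = "https://127.0.0.1:" + ss.getLocalPort() + "/";

        RequestConfig rc = RequestConfig.custom()
                .setConnectTimeout(TIMEOUT_MS)
                .setSocketTimeout(TIMEOUT_MS) // the setting the report says is ignored mid-handshake
                .build();

        // Client A: socket timeout only via RequestConfig, the configuration under test.
        CloseableHttpClient viaRequestConfig = HttpClients.custom()
                .setDefaultRequestConfig(rc)
                .build();

        // Client B: additionally pin SO_TIMEOUT on the connection manager. Assumption: this is
        // applied to the plain socket before it is layered with TLS and so bounds the handshake.
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
        cm.setDefaultSocketConfig(SocketConfig.custom().setSoTimeout(TIMEOUT_MS).build());
        CloseableHttpClient viaSocketConfig = HttpClients.custom()
                .setConnectionManager(cm)
                .setDefaultRequestConfig(rc)
                .build();

        report("RequestConfig.socketTimeout", timeHandshake(viaRequestConfig, url));
        report("SocketConfig.soTimeout", timeHandshake(viaSocketConfig, url));

        ss.close();
        System.exit(0); // do not wait for a worker still stuck in startHandshake()
    }
}
```

Compile and run it with the same classpath shown in the steps above, substituting HandshakeTimeoutCheck for ClientTimeout43. On a build that ignores the request-level socket timeout during the handshake, the first line prints FAIL; a line printing PASS for the SocketConfig client is evidence that pinning the timeout on the connection manager is a usable mitigation until the library is updated, but it is the measurement, not this writeup, that establishes that for a particular build.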
Created attachment 1076874 [details] reproducer
Moving to ON_QA as available to test with the following build: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=502442 Note: jon-server-patch-3.3.0.GA.zip maps to JON 3.3.6(jon-server-3.3.0.GA-update-06.zip)
"I'm not sure if I understand the fix correctly, but it seems the issue is not resolved."

While verifying, according to "to confirm that rhq-rq-access web application is no longer included in the list of applications hosted by JON with the ear":

== server.log
---
logs/server.log.2016-07-07:08:36:03,609 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) JBAS015876: Starting deployment of "null" (runtime-name: "rhq-rh-access.war")
logs/server.log.2016-07-07:08:36:38,136 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015877: Stopped deployment null (runtime-name: rhq-rh-access.war) in 1043ms
logs/server.log.2016-07-07:08:37:33,772 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) JBAS015876: Starting deployment of "null" (runtime-name: "rhq-rh-access.war")
logs/server.log.2016-07-07:08:40:50,218 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015877: Stopped deployment null (runtime-name: rhq-rh-access.war) in 1138ms
---

Application "rhq-rh-access" started along with the others, so it couldn't be considered 'surely non-deployable'.
The reproducer 'ClientTimeout43.java' still shows 'FAIL' when run.
It seems the BZ status should be 'REJECTED' or 'ASSIGNED'.
[hudson@vso-jon-latest work]$ java -cp httpcore-4.3.2.jar:httpclient-4.3.2.jar:commons-logging.jar:commons-logging-api.jar:. ClientTimeout43
FAIL
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-1519.html