Bug 1266356 - Commons HttpClient can hang during SSLHandshake
Status: CLOSED ERRATA
Product: JBoss Operations Network
Classification: JBoss
Component: Plugin -- Other
Version: JON 3.3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: CR01
Target Release: JON 3.3.6
Assigned To: Simeon Pinder
QA Contact: Filip Brychta
Keywords: Triaged
Depends On: 1341348
Blocks: (none)
Reported: 2015-09-25 02:14 EDT by Jason Shepherd
Modified: 2016-07-27 11:30 EDT

Doc Type: Bug Fix
Last Closed: 2016-07-27 11:30:56 EDT
Type: Bug


Attachments
reproducer (3.61 KB, text/x-csrc), 2015-09-25 02:16 EDT, Jason Shepherd


External Trackers
Red Hat Bugzilla 1261538 (Priority: None, Status: None, Summary: None, Last Updated: Never)
Description Jason Shepherd 2015-09-25 02:14:08 EDT
Description of problem:

The version of Commons HttpClient shipped in JON, and used by rhq-rh-access.war and the plugins, can cause a server thread to become unresponsive during the SSL handshake. See the upstream bug for more details:

   https://issues.apache.org/jira/browse/HTTPCLIENT-1478


Version-Release number of selected component (if applicable):

   httpclient 4.3.2

How reproducible:

   Run the attached reproducer and observe that the SocketTimeout setting is ignored.

Steps to Reproduce:
1. Compile the attached reproducer with:

   javac -classpath /path/to/httpcore.jar:/path/to/httpclient.jar \
     ClientTimeout43.java

2. Run it with:

   java -classpath /path/to/httpcore.jar:/path/to/httpclient.jar:/usr/share/java/commons-logging.jar:/usr/share/java/commons-logging-api.jar:. \
     ClientTimeout43

Actual results:

  FAIL

Expected results:

  PASS


Additional info:

  This was raised to me as CVE-2015-5262, which I attached to this bug. However, it doesn't seem to be exploitable at will, so I'm not raising a security tracker bug for it.
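A stand-alone check for this kind of handshake hang, added here as an example (it is not the attached reproducer and not JON or HttpClient code): it starts a loopback listener that accepts connections but never answers, runs a GET through HttpClient 4.3 with the request-level socket timeout set, and prints PASS if the call fails within the deadline and FAIL if the thread is still blocked. It assumes httpclient, httpcore and commons-logging on the classpath, as in the steps above; the SocketConfig comparison rests on the assumption noted in the code.

```java
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.SocketConfig;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
public class HandshakeTimeoutCheck {
    static final List<Socket> STALLED = new ArrayList<>(); // keep accepted sockets alive (GC would close them)

    // Constructed stall: accept TCP connections and never send a byte back, which is the
    // state a client is stuck in while it waits for the server's first handshake message.
    static ServerSocket startStallingServer() throws Exception {
        ServerSocket ss = new ServerSocket(0, 50, InetAddress.getLoopbackAddress());
        Thread acceptor = new Thread(() -> {
            try { while (true) { STALLED.add(ss.accept()); } } catch (Exception closed) { }
        });
        acceptor.setDaemon(true);
        acceptor.start();
        return ss;
    }

    /** True if the request fails within deadlineMs (timeout honoured); false if it still hangs. */
    static boolean givesUpInTime(int port, int timeoutMs, boolean alsoSocketConfig, long deadlineMs) throws Exception {
        RequestConfig rc = RequestConfig.custom()
                .setConnectTimeout(timeoutMs).setSocketTimeout(timeoutMs).build();
        // Assumption: the default SocketConfig soTimeout reaches the socket before the handshake,
        // so it is the second knob worth comparing against RequestConfig.socketTimeout.
        SocketConfig sc = SocketConfig.custom().setSoTimeout(alsoSocketConfig ? timeoutMs : 0).build();
        Thread worker = new Thread(() -> {
            try (CloseableHttpClient client = HttpClients.custom()
                    .setDefaultRequestConfig(rc).setDefaultSocketConfig(sc).build()) {
                client.execute(new HttpGet("https://127.0.0.1:" + port + "/")).close();
            } catch (Exception e) { } // SocketTimeoutException is the good outcome: no hang
        });
        worker.setDaemon(true);
        worker.start();
        worker.join(deadlineMs);
        return !worker.isAlive();
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket ss = startStallingServer()) {
            int port = ss.getLocalPort();
            System.out.println("RequestConfig only: " + (givesUpInTime(port, 2000, false, 10000) ? "PASS" : "FAIL"));
            System.out.println("plus SocketConfig:  " + (givesUpInTime(port, 2000, true, 10000) ? "PASS" : "FAIL"));
        }
    }
}
```

The worker runs as a daemon thread so a hung handshake cannot keep the JVM alive; FAIL on the first line with a 4.3.2 classpath is the behaviour this bug describes.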
Comment 1 Jason Shepherd 2015-09-25 02:16 EDT
Created attachment 1076874 [details]
reproducer
Comment 5 Simeon Pinder 2016-07-07 04:22:55 EDT
Moving to ON_QA as available to test with the following build:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=502442

Note: jon-server-patch-3.3.0.GA.zip maps to JON 3.3.6 (jon-server-3.3.0.GA-update-06.zip)
Comment 6 vsorokin 2016-07-08 13:22:37 EDT
"I'm not sure if I understand the fix correctly but it seems the issue is not resolved."

During verification, following the instruction "to confirm that the rhq-rh-access web application is no longer included in the list of applications hosted by JON with the ear":

== server.log
---
logs/server.log.2016-07-07:08:36:03,609 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-4) JBAS015876: Starting deployment of "null" (runtime-name: "rhq-rh-access.war")
logs/server.log.2016-07-07:08:36:38,136 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015877: Stopped deployment null (runtime-name: rhq-rh-access.war) in 1043ms
logs/server.log.2016-07-07:08:37:33,772 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) JBAS015876: Starting deployment of "null" (runtime-name: "rhq-rh-access.war")
logs/server.log.2016-07-07:08:40:50,218 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015877: Stopped deployment null (runtime-name: rhq-rh-access.war) in 1138ms
---

Application "rhq-rh-access" started along with the others, so it couldn't be considered 'surely non-deployable'.

Reproducer 'ClientTimeout43.java' still shows 'FAIL' while running.

Seems BZ status should be 'REJECTED' or 'ASSIGNED'
Comment 7 vsorokin 2016-07-08 13:24:10 EDT
[hudson@vso-jon-latest work]$ java -cp httpcore-4.3.2.jar:httpclient-4.3.2.jar:commons-logging.jar:commons-logging-api.jar:. ClientTimeout43
FAIL
Comment 12 errata-xmlrpc 2016-07-27 11:30:56 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1519.html
