Red Hat Bugzilla – Bug 1266356
Commons HttpClient can hang during SSLHandshake
Last modified: 2016-07-27 11:30:56 EDT
Description of problem:
The version of Commons HttpClient shipped in JON, used by rhq-rh-access.war and the plugins, can cause a server thread to become unresponsive during the SSL handshake. See the upstream bug for more details:
Version-Release number of selected component (if applicable):
Run the attached reproducer and observe that the SocketTimeout setting is ignored.
Steps to Reproduce:
1. Compile the attached reproducer with:
javac -classpath /path/to/httpcore.jar:/path/to/httpclient.jar \
2. Run it with:
java -classpath /path/to/httpcore.jar:/path/to/httpclient.jar:/usr/share/java/commons-logging.jar:/usr/share/java/commons-logging-api.jar:. \
This was raised to me as CVE-2015-5262, which I attached to this bug. However, it doesn't seem to be exploitable at will, so I'm not raising a security tracker bug for it.
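The failure mode the reporter describes is a socket read timeout that is configured but never reaches the TLS handshake, so a peer that accepts the TCP connection and then stays silent holds the calling thread forever. The following is an added example, not the attached reproducer ClientTimeout43.java and not JON or HttpClient code: a plain Java check, independent of HttpClient, that runs a handshake against a local listener which never sends a ServerHello, once with SO_TIMEOUT applied before startHandshake() and once with the timeout left unset until after it. The timeout value, class and method names are assumptions chosen for the demonstration; the PASS/FAIL wording mirrors the reproducer's output as quoted later on this page.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (hypothetical names; not the bug's attached reproducer).
 * Demonstrates why a read timeout that is only applied after the TLS
 * handshake cannot bound the handshake itself.
 */
public class HandshakeTimeoutCheck {

    static final int SO_TIMEOUT_MS = 2000; // assumed value for the demonstration

    // Accepted server-side sockets are held here so they stay open and silent.
    static final List<Socket> held = new CopyOnWriteArrayList<>();

    /** Loopback listener that accepts connections and never writes a byte. */
    static ServerSocket startSilentListener() throws IOException {
        ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread acceptor = new Thread(() -> {
            try {
                while (true) {
                    held.add(listener.accept()); // keep open, read nothing, write nothing
                }
            } catch (IOException closed) {
                // listener.close() in main() ends the loop
            }
        });
        acceptor.setDaemon(true);
        acceptor.start();
        return listener;
    }

    /**
     * Connects to the silent listener and starts a TLS handshake.
     * timeoutBeforeHandshake = true applies SO_TIMEOUT before startHandshake(),
     * false leaves the socket with the default (infinite) read timeout, which
     * is the ordering this bug is about.
     */
    static String runHandshake(int port, boolean timeoutBeforeHandshake) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        Socket plain = new Socket();
        // A connect timeout bounds the TCP connect only; SO_TIMEOUT governs reads.
        plain.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), SO_TIMEOUT_MS);
        try (SSLSocket ssl = (SSLSocket) factory.createSocket(plain, "localhost", port, true)) {
            if (timeoutBeforeHandshake) {
                ssl.setSoTimeout(SO_TIMEOUT_MS);
            }
            long start = System.nanoTime();
            try {
                ssl.startHandshake(); // blocks reading a ServerHello that never arrives
                return "handshake completed (unexpected against a silent peer)";
            } catch (IOException e) {
                long ms = (System.nanoTime() - start) / 1_000_000;
                boolean timedOut = e instanceof SocketTimeoutException
                        || e.getCause() instanceof SocketTimeoutException;
                return (timedOut ? "PASS: handshake aborted by SO_TIMEOUT"
                                 : "aborted with " + e) + " after " + ms + " ms";
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ServerSocket listener = startSilentListener();
        int port = listener.getLocalPort();

        // Correct ordering: the handshake read is bounded and returns promptly.
        System.out.println(runHandshake(port, true));

        // Defective ordering: run it on a daemon thread so the demo itself cannot hang.
        Thread probe = new Thread(() -> {
            try {
                System.out.println(runHandshake(port, false));
            } catch (IOException e) {
                System.out.println("error: " + e);
            }
        });
        probe.setDaemon(true);
        probe.start();
        probe.join(SO_TIMEOUT_MS * 3L);
        System.out.println(probe.isAlive()
                ? "FAIL: handshake still blocked after " + (SO_TIMEOUT_MS * 3) + " ms; SO_TIMEOUT never applied"
                : "handshake thread finished");
        listener.close();
    }
}
```

Compile and run with a plain `javac HandshakeTimeoutCheck.java && java HandshakeTimeoutCheck`; no HttpClient jars are needed because the check exercises the JSSE socket directly. The same before/after ordering is what a client library must get right: any timeout set on the socket only after the layered TLS socket has finished its handshake arrives too late to protect the thread that performs it.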
Created attachment 1076874
Moving to ON_QA as available to test with the following build:
Note: jon-server-patch-3.3.0.GA.zip maps to JON 3.3.6(jon-server-3.3.0.GA-update-06.zip)
"I'm not sure if I understand the fix correctly but it seems the issue is not resolved."
During verification, according to "to confirm that rhq-rh-access web application is no longer included in the list of applications hosted by JON with the ear":
logs/server.log.2016-07-07:08:36:03,609 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) JBAS015876: Starting deployment of "null" (runtime-name: "rhq-rh-access.war")
logs/server.log.2016-07-07:08:36:38,136 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) JBAS015877: Stopped deployment null (runtime-name: rhq-rh-access.war) in 1043ms
logs/server.log.2016-07-07:08:37:33,772 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) JBAS015876: Starting deployment of "null" (runtime-name: "rhq-rh-access.war")
logs/server.log.2016-07-07:08:40:50,218 INFO [org.jboss.as.server.deployment] (MSC service thread 1-3) JBAS015877: Stopped deployment null (runtime-name: rhq-rh-access.war) in 1138ms
Application "rhq-rh-access" started along with the others, so it cannot be considered 'surely non-deployable'.
The reproducer 'ClientTimeout43.java' still shows 'FAIL' when run.
It seems the BZ status should be 'REJECTED' or 'ASSIGNED'.
[hudson@vso-jon-latest work]$ java -cp httpcore-4.3.2.jar:httpclient-4.3.2.jar:commons-logging.jar:commons-logging-api.jar:. ClientTimeout43
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.