Bug#854551: tomcat7: Remote https GET requests to Tomcat7 with default config cause server cpu to jump 100% forever

Marco mailservizivari at gmail.com
Wed Feb 8 10:02:07 UTC 2017


Package: tomcat7
Version: 7.0.56-3+deb8u7
Severity: important

Dear Maintainer,

Sending a simple https GET request to Tomcat 7 on Debian 8 with the 
default configuration makes the cpu jump to 100% and stay there for 
hours, making the server slow.
If I restart the tomcat server the cpu goes back to 1%.
No custom java applications are installed on tomcat.

Logs: Watching catalina.out I found this error message in correspondence 
with the start of the cpu spike:
org.apache.coyote.http11.AbstractHttp11Processor process INFO: Error 
parsing HTTP request header

How to replicate:
- Create a Debian 8 VM Instance on Google Compute Engine
- sudo apt-get update
- sudo apt-get upgrade
- sudo apt-get install tomcat7 apache2
- open a browser and go to https://serverip:8080 and the server cpu 
starts going to 100% and stays there for hours.

I'm using a fresh Debian 8 default image from Google Compute Engine, but 
it's possible that the bug happens with physical machines too.

This can be a security issue because it's possible to DDoS a server with 
Tomcat7 and Debian 8 simply by sending remote https requests.

Searching on the web, I found this bug report; maybe it can be useful, maybe not:
https://bz.apache.org/bugzilla/show_bug.cgi?id=57544

Installing the Debian backports version of Tomcat 7.0.75 solves the issue, 
but it would be great if this issue could be solved on stable too.

Best Regards
Marco


-- System Information:
Debian Release: 8.7
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tomcat7 depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.56
ii  tomcat7-common         7.0.56-3+deb8u7
ii  ucf                    3.0030

Versions of packages tomcat7 recommends:
ii  authbind  2.1.1

Versions of packages tomcat7 suggests:
pn  libtcnative-1     <none>
pn  tomcat7-admin     <none>
pn  tomcat7-docs      <none>
pn  tomcat7-examples  <none>
pn  tomcat7-user      <none>

-- Configuration Files:
/etc/tomcat7/catalina.properties [Errno 13] Permission denied: 
u'/etc/tomcat7/catalina.properties'
/etc/tomcat7/context.xml [Errno 13] Permission denied: 
u'/etc/tomcat7/context.xml'
/etc/tomcat7/logging.properties [Errno 13] Permission denied: 
u'/etc/tomcat7/logging.properties'
/etc/tomcat7/policy.d/01system.policy [Errno 13] Permission denied: 
u'/etc/tomcat7/policy.d/01system.policy'
/etc/tomcat7/policy.d/02debian.policy [Errno 13] Permission denied: 
u'/etc/tomcat7/policy.d/02debian.policy'
/etc/tomcat7/policy.d/03catalina.policy [Errno 13] Permission denied: 
u'/etc/tomcat7/policy.d/03catalina.policy'
/etc/tomcat7/policy.d/04webapps.policy [Errno 13] Permission denied: 
u'/etc/tomcat7/policy.d/04webapps.policy'
/etc/tomcat7/policy.d/50local.policy [Errno 13] Permission denied: 
u'/etc/tomcat7/policy.d/50local.policy'
/etc/tomcat7/server.xml [Errno 13] Permission denied: 
u'/etc/tomcat7/server.xml'
/etc/tomcat7/tomcat-users.xml [Errno 13] Permission denied: 
u'/etc/tomcat7/tomcat-users.xml'
/etc/tomcat7/web.xml [Errno 13] Permission denied: u'/etc/tomcat7/web.xml'

-- debconf information:
   tomcat7/javaopts: -Djava.awt.headless=true -Xmx128m 
-XX:+UseConcMarkSweepGC
   tomcat7/groupname: tomcat7
   tomcat7/username: tomcat7
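A small defender-side check for the symptom described in this report, added here as an example and not part of the original bug report or of the tomcat7 package: it counts the "Error parsing HTTP request header" messages in a catalina.out and combines that count with a CPU figure to decide whether to alert. The sample log lines are constructed, and the function names (count_header_parse_errors, header_errors_exceed, should_alert, tomcat_cpu_percent) are assumptions of this example.

```shell
#!/bin/sh
# Monitoring helper for the report's symptom: many "Error parsing HTTP
# request header" messages in catalina.out together with a tomcat7 process
# pinned at high CPU. Example code, not from the bug report.

# Count header-parse errors in the given log file (prints 0 when none).
count_header_parse_errors() {
    grep -c 'Error parsing HTTP request header' "$1" || true
}

# True (exit 0) when the error count reaches the threshold.
header_errors_exceed() {
    log="$1"; threshold="$2"
    n=$(count_header_parse_errors "$log")
    [ "${n:-0}" -ge "$threshold" ]
}

# True when header-parse errors are present AND the CPU percentage
# (passed in as a number such as 99.5) is at or above cpu_limit.
should_alert() {
    log="$1"; cpu="$2"; cpu_limit="$3"
    header_errors_exceed "$log" 1 && [ "${cpu%.*}" -ge "$cpu_limit" ]
}

# Live CPU percentage of the running Tomcat JVM(s), summed via ps.
# Assumes a Debian-style java process launched with catalina on its command line.
tomcat_cpu_percent() {
    ps -eo pcpu,args | awk '/java/ && /catalina/ {c+=$1} END {printf "%.1f", c+0}'
}

# Constructed sample catalina.out, modelled on the message quoted in the report.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Feb 08, 2017 9:55:01 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 2731 ms
Feb 08, 2017 9:58:12 AM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
 Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
Feb 08, 2017 9:58:13 AM org.apache.coyote.http11.AbstractHttp11Processor process
INFO: Error parsing HTTP request header
EOF

# Stand-alone usage: compare the sample log against the live JVM CPU figure.
if should_alert "$SAMPLE_LOG" "$(tomcat_cpu_percent)" 90; then
    echo "ALERT: header-parse errors present and Tomcat CPU above 90%"
else
    echo "ok: no sustained header-parse error / CPU condition"
fi
```

On a real host point the functions at /var/log/tomcat7/catalina.out instead of the constructed sample; a restart of tomcat7 clearing the CPU figure, as the reporter observed, is the expected response once the alert fires.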