Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] OOM by huge header size attack: setResponseHeaderSize won't work

Setting .setResponseHeaderSize() has no effect on the Request header size/limit behavior.
Try using .setRequestHeaderSize() instead.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Mar 23, 2017 at 10:20 AM, Conan <yk.cadcg@xxxxxxxxx> wrote:


  We use NiFi which embeds Jetty Server. Our test team found a security bug by intercepting the http request and replacing the header with a huge (say 1GB) text, which sent the response to NCM, which got OOM:

2017-03-07 03:44:03,522 WARN [NiFi Web Server-22] o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=, apiPort=38484, socketAddress=, socketPort=39494, siteToSiteAddress=, siteToSitePort=null] encountered exception: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space

 We tried setResponseHeaderSize here but it didn't seem to work: it seems to us that the huge fake header got received before this limit takes effect, as a result, the NCM got OOM in the first place.

Are we missing anything, or is there a potential bug with setResponseHeaderSize, please?


jetty-users mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit

Back to the top