Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] OOM by huge header size attack: setResponseHeaderSize won't work

Are other applications vulnerable if they embed Jetty (though a newer version) and not make this call on the request? Must it be done per request or is it something can  be done server wide on startup? 

On Mar 23, 2017 6:25 PM, "Joakim Erdfelt" <joakim@xxxxxxxxxxx> wrote:
Setting .setResponseHeaderSize() has no effect on the Request header size/limit behavior.
Try using .setRequestHeaderSize() instead.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Mar 23, 2017 at 10:20 AM, Conan <yk.cadcg@xxxxxxxxx> wrote:


Folks,

  We use NiFi which embeds Jetty Server. Our test team found a security bug by intercepting the http request and replacing the header with a huge (say 1GB) text, which sent the response to NCM, which got OOM:

2017-03-07 03:44:03,522 WARN [NiFi Web Server-22] o.a.n.c.m.impl.HttpRequestReplicatorImpl Node request for [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=129.188.35.109, apiPort=38484, socketAddress=129.188.35.109, socketPort=39494, siteToSiteAddress=129.188.35.109, siteToSitePort=null] encountered exception: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space


 We tried setResponseHeaderSize here http://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/HttpConfiguration.html#setResponseHeaderSize-int- but it didn't seem to work: it seems to us that the huge fake header got received before this limit takes effect, as a result, the NCM got OOM in the first place.

Are we missing anything, or is there a potential bug with setResponseHeaderSize, please?


Thanks,
Conan&Sherry


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users


_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

Back to the top