Memory leak in org.jboss.com.sun.net.httpserver.Headers

Solution Verified - Updated 2 Aug 2024

Environment

JBoss Enterprise Application Platform (EAP) 6.x

Issue

We see memory growth in the org.jboss.com.sun.net.httpserver.Headers class. This class appears to be full of garbage data, not actual request headers.
Is our JBoss vulnerable to CVE-2015-5220?

Resolution

Ensure only proper HTTP connections are made to the http management console port from trusted clients. Protect the port access via firewall.
Apply the EAP This content is not included.6.4.4 or later update. All prior EAP 6 releases are impacted.

Root Cause

The EAP http management console port is receiving connections from other services that aren't talking HTTP, filling headers up with data.
A malicious client is sending large headers to the console
CVE-2015-5220
This content is not included.BZ-1255597

SBR

Product(s)

Red Hat JBoss Enterprise Application Platform

Components

jbossas

Category

Troubleshoot

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.