High CPU in io.undertow.protocols.ssl.SslConduit.wrapAndFlip or SslConduit.doWrap in JBoss EAP 7.x or RH-SSO 7.x after updating to JDK 8 u361+, JDK 11.0.18+, or JDK 17.0.6+

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.x
  • Red Hat Single Sign On (RH-SSO)
    • 7.x
  • Java / OpenJDK
    • 1.8.0u361+
    • 11.0.18+
    • 17.0.6+

Issue

  • JBoss EAP 7 (or RH-SSO 7) hits high CPU from threads in:
"default I/O-3" #267 prio=5 os_prio=0 cpu=1381880.45ms elapsed=6040.85s tid=0x000056398e628800 nid=0x45f4 runnable  [0x00007f46cebfb000]
   java.lang.Thread.State: RUNNABLE
        at sun.security.ssl.SSLEngineImpl.writeRecord(java.base@11.0.18/SSLEngineImpl.java:199)
        at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:136)
        - eliminated <0x00000000b25b2148> (a sun.security.ssl.SSLEngineImpl)
        at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:116)
        - locked <0x00000000b25b2148> (a sun.security.ssl.SSLEngineImpl)
        at javax.net.ssl.SSLEngine.wrap(java.base@11.0.18/SSLEngine.java:482)
        at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.wrap(ALPNLimitingSSLEngine.java:64)
        at io.undertow.protocols.ssl.SslConduit.wrapAndFlip(SslConduit.java:1004)
        at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:940)
        - locked <0x00000000b25b2168> (a io.undertow.protocols.ssl.SslConduit)
        at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:673)
        at io.undertow.protocols.ssl.SslConduit.access$1000(SslConduit.java:70)
        at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1148)
        - locked <0x00000000b25b2168> (a io.undertow.protocols.ssl.SslConduit)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
  • Or high CPU in:
"default I/O-4" #102 prio=5 os_prio=0 cpu=1256508.47ms elapsed=262989.74s tid=0x000055af27a1a000 nid=0x45f5 runnable  [0x00007f922bd98000]
   java.lang.Thread.State: RUNNABLE
	at sun.security.ssl.SSLEngineImpl.writeRecord(java.base@11.0.18/SSLEngineImpl.java:199)
	at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:136)
	- eliminated <0x00000000c828d458> (a sun.security.ssl.SSLEngineImpl)
	at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:116)
	- locked <0x00000000c828d458> (a sun.security.ssl.SSLEngineImpl)
	at javax.net.ssl.SSLEngine.wrap(java.base@11.0.18/SSLEngine.java:482)
	at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.wrap(ALPNLimitingSSLEngine.java:62)
	at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:870)
	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:649)
	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
	at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1048)
	- locked <0x00000000c828d400> (a io.undertow.protocols.ssl.SslConduit)
	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
  • After upgrading our JDK to the latest, we are seeing high CPU and unresponsiveness on JBoss EAP 7 when any Qualys security scan is run

Resolution

  • Apply the latest cumulative patch for JBoss EAP 7.4. The fix for this issue has been incorporated in JBoss EAP 7.4.10+ (CP10)
  • Apply the latest cumulative patch for RH-SSO 7.6. The fix for this issue has been incorporated in RH-SSO 7.6.4+ by RHSA-2023:3892
  • Downgrade Java to 1.8.0_351 / 11.0.17 / 17.0.5 or earlier as a workaround until updating to the versions that include the fix.

Root Cause

SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.