>Number:         3834
>Category:       mod_jserv
>Synopsis:       sessions will only expire at a rate of one per X
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    jserv
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Feb 4 12:30:01 PST 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3.3 + 1.0b2
>Environment:
Solaris, JDK 1.2
>Description:
the housekeeping thread in JServServletManager.java breaks out of the loop that searches for expired sessions as soon as it finds a single expired session - which means that it will expire no more than 1 session every time it runs - which to most people is the default of 1 minute.

This makes an easy denial of service attack against JServ - simply throw a steady (but small!) number of sessions at it, and eventually you will EOutOfMemory
>How-To-Repeat:
Launch JMeter at a servlet and let it run for a long time.
>Fix:
remove the break statement from public void run() in JServServletManager.java. I have tested the *crap* out of this fix. There appears to be NO issue with removing sessions from the hashtable while stepping through an enumeration. The fix is simple, stable, and effective.
>Audit-Trail:
>Unformatted:
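The arithmetic behind the report is worth seeing run. Below is an added Python model, not code from this PR or from JServ: a minimal session table with two housekeeping passes, one that breaks out after removing the first expired entry (the behaviour the report describes) and one that sweeps every expired entry, plus a simulation of a slow, steady trickle of new sessions so the growth can be measured. The class and function names, the logical clock in minutes, the 30-minute inactivity timeout and the arrival rate are all assumptions chosen for the illustration; the once-a-minute reaper interval is the default the report mentions.

```python
"""Model of the one-session-per-pass reaper described in this PR.

Added example, not JServ's own code. All names, the clock and the
rates below are assumptions made for the illustration.
"""


class SessionTable:
    """Maps session id -> last-access time on a logical clock in minutes."""

    def __init__(self, max_inactive_minutes):
        self.sessions = {}
        self.max_inactive = max_inactive_minutes

    def touch(self, sid, now):
        self.sessions[sid] = now

    def is_expired(self, sid, now):
        return now - self.sessions[sid] > self.max_inactive


def reap_first_only(table, now):
    """Housekeeping pass modelled on the reported bug.

    Iterates over a snapshot of the ids (a Python dict refuses deletion
    while it is being iterated, unlike the Hashtable/Enumeration pairing
    the report relies on) and stops after removing a single expired
    session. Returns the number of sessions removed.
    """
    removed = 0
    for sid in list(table.sessions):
        if table.is_expired(sid, now):
            del table.sessions[sid]
            removed += 1
            break  # the bug: at most one session is expired per pass
    return removed


def reap_all(table, now):
    """Fixed pass: collect every expired id first, then delete them all."""
    expired = [sid for sid in table.sessions if table.is_expired(sid, now)]
    for sid in expired:
        del table.sessions[sid]
    return len(expired)


def simulate(reap, new_per_minute, minutes, max_inactive_minutes=30):
    """Run `reap` once a minute against a steady trickle of fresh sessions
    and return the final table size.

    Sessions are never touched again after creation, so each one becomes
    garbage exactly max_inactive_minutes + 1 minutes after it arrives.
    With reap_first_only the table gains new_per_minute and loses at most
    one each minute, so it grows without bound; with reap_all it settles
    at new_per_minute * (max_inactive_minutes + 1).
    """
    table = SessionTable(max_inactive_minutes)
    created = 0
    for minute in range(minutes):
        for _ in range(new_per_minute):
            table.touch(f"sess-{created}", minute)  # constructed session ids
            created += 1
        reap(table, minute)
    return len(table.sessions)


if __name__ == "__main__":
    # Ten hours of five new sessions a minute with a 30-minute timeout.
    print("break after first expiry:", simulate(reap_first_only, 5, 600))
    print("sweep all expired:       ", simulate(reap_all, 5, 600))
```

Five sessions a minute is far below anything a load tester would call load, yet after ten hours the buggy pass leaves 2431 live sessions against 155 for the sweeping pass, and the gap keeps widening by four sessions a minute for as long as the trickle continues. The fixed pass deliberately separates finding from deleting; that pattern is safe regardless of whether the underlying map tolerates removal during iteration, which the report asserts for Hashtable but which a reviewer would otherwise have to verify for the collection in use.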