[ https://issues.apache.org/jira/browse/CXF-8885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17761791#comment-17761791 ]
Peter Palaga commented on CXF-8885:
-----------------------------------

This issue could be summed up as follows: if an application creates clients more frequently (e.g. per request) than once at startup, then the application will eventually crash due to an OOM. IMO, this fulfills the definition of DoS attack vector. I wonder whether the CXF team should not request a CVE number for this issue?

> HttpClient SelectorManager threads run indefinitely causing OOM
> ---------------------------------------------------------------
>
>                 Key: CXF-8885
>                 URL: https://issues.apache.org/jira/browse/CXF-8885
>             Project: CXF
>          Issue Type: Bug
>          Components: Transports
>    Affects Versions: 4.0.0, 3.6.0
>            Reporter: Cardo Eggert
>            Priority: Major
>         Attachments: image (5).png
>
>
> Probably caused by https://issues.apache.org/jira/browse/CXF-8840 .
> Started to notice that when updating from 3.5.x to 3.6.0 that our servers
> started getting OOM. Noticed from the resulting logs that a lot of threads
> were active that were in the format
> HttpClient-<NR>-SelectorManager
> when reverted to 3.5.6 then it did not occur anymore.
>
> Tried to use VirtualVM when debugging it and saw when the thread was started,
> it never died, basically meaning that it ran indefinitely. OOM happened when
> there were about over 1000 of these threads.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
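
One way to check a running service for the symptom described in the report, as an added example (not code from the issue or from CXF): it compares two JVM thread dumps taken some time apart and reports `HttpClient-<NR>-SelectorManager` threads that are still alive in the later one. The function names, the `limit` threshold and the sample dumps are assumptions constructed for illustration.

```python
import re

# Thread header in a HotSpot thread dump (jstack / jcmd Thread.print).
# The name format HttpClient-<NR>-SelectorManager is the one quoted in the report.
THREAD_RE = re.compile(r'^"(HttpClient-(\d+)-SelectorManager)"')

def selector_threads(dump):
    """Return {client number: thread name} for every SelectorManager thread."""
    found = {}
    for line in dump.splitlines():
        match = THREAD_RE.match(line)
        if match:
            found[int(match.group(2))] = match.group(1)
    return found

def compare_dumps(earlier, later, limit=100):
    """Compare two dumps of the same JVM taken some time apart.

    limit is an assumed alert threshold, not a value from the issue.
    """
    old, new = selector_threads(earlier), selector_threads(later)
    survivors = sorted(old.keys() & new.keys())
    return {
        "earlier": len(old),
        "later": len(new),
        "survivors": survivors,
        # Count went up and no earlier thread ended: matches "it never died".
        "leak_suspected": bool(old) and len(new) > len(old)
                          and survivors == sorted(old),
        "over_limit": len(new) > limit,
    }

# Constructed sample dumps (not from the issue), trimmed to header lines.
DUMP_T0 = '''\
"main" #1 prio=5 os_prio=0 tid=0x00007f0000000001 nid=0x1 waiting on condition
"HttpClient-1-SelectorManager" #21 daemon prio=5 os_prio=0 tid=0x00007f0000000015 nid=0x15 runnable
"HttpClient-2-SelectorManager" #24 daemon prio=5 os_prio=0 tid=0x00007f0000000018 nid=0x18 runnable
'''
DUMP_T1 = DUMP_T0 + '''\
"HttpClient-3-SelectorManager" #27 daemon prio=5 os_prio=0 tid=0x00007f000000001b nid=0x1b runnable
"HttpClient-4-SelectorManager" #30 daemon prio=5 os_prio=0 tid=0x00007f000000001e nid=0x1e runnable
'''

if __name__ == "__main__":
    print(compare_dumps(DUMP_T0, DUMP_T1, limit=3))
```

Run against real dumps, a steadily rising `later` count with every earlier client number still listed under `survivors` is the pattern to alert on well before the thread count reaches the range where the reporter saw the OOM.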