search

javaee / metro-wsit

https://javaee.github.io/metro-wsit/
Other
9 stars 24 forks source link

Resource consumption vulnerability due to out-of-order messages retention in Metro RM. #1676

Closed glassfishrobot closed 10 years ago

glassfishrobot commented 10 years ago

There is a class com.sun.xml.ws.rx.rm.runtime.delivery.InOrderDeliveryQueue used by the com.sun.xml.ws.rx.rm.runtime.ServerTube that makes request messages that are received out of order wait in a postponedMessageQueue (in-memory queue). After some out of order message is retained this way the Fiber is marked as suspended by the ServerTube and is not resumed in the normal course (no wind down, back-channel is not closed, no response goes back to the client). This Fiber will be resumed only if the out-of-order problem gets corrected and the waiting message gets delivered to the application layer. What if some rogue client keeps on sending out-of-order messages (say, message# 2 is withheld for very long and other sent messages are large in size). This is one of the security threats under the category "resource consumption" discussed in the RM spec (see below).

http://docs.oasis-open.org/ws-rx/wsrm/200608/wsrm-1.1-spec-cd-04.html#5.1.2.Resource Consumption Threats|outline

Of course, using SC (SecureConversation) with WS-RM will make sure that no rogue client is entertained like this but still this is a bug that needs to be looked at.

Affected Versions

[current]

glassfishrobot commented 10 years ago

Reported by umjoshi

glassfishrobot commented 10 years ago

umjoshi said: Implemented conditional rejection of out of order message at RMD. Client will get back a SOAP fault with HTTP 500 if an out of order message is sent. This is driven by rejectOutOfOrderMessagesEnabled property on com.sun.xml.ws.rx.rm.api.ReliableMessagingFeature. Default behavior is not changed yet, keeping this bug/issue open to decide if the default behavior should be changed.

glassfishrobot commented 10 years ago

umjoshi said: Closing this issue as there is now a boolean on the Metro RM Feature to prevent this from happening. Not changing the default.

glassfishrobot commented 10 years ago

Was assigned to umjoshi

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA WSIT-1676

glassfishrobot commented 10 years ago

Marked as fixed on Monday, October 28th 2013, 12:53:46 pm