Loading...

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 2.3.0.Final, 2.3.0.Beta1, 2.2.20.Final
Affects Version/s: 2.2.18.SP2
Component/s: Core
Labels:
None

Steps to Reproduce:

Hide

1. Enable byteman with attached ~~UNDERTOW-2147~~.btm rule, which helps force the problem timing
2. Deploy undertow-2147.war
3. Request http://localhost:8080/undertow-2147/hi.jsp to establish a session
4. Request http://localhost:8080/undertow-2147/invalidate.jsp to start a session invalidation
5. Within 5 seconds, make a http://localhost:8080/undertow-2147/changeid.jsp request from another tab.

Show
1. Enable byteman with attached UNDERTOW-2147 .btm rule, which helps force the problem timing 2. Deploy undertow-2147.war 3. Request http://localhost:8080/undertow-2147/hi.jsp to establish a session 4. Request http://localhost:8080/undertow-2147/invalidate.jsp to start a session invalidation 5. Within 5 seconds, make a http://localhost:8080/undertow-2147/changeid.jsp request from another tab.
Git Pull Request:
https://github.com/undertow-io/undertow/pull/1370, https://github.com/undertow-io/undertow/pull/1375

A race condition across multiple requests invoking session invalidate and changeSessionId can result in an invalid session being left in the session map. That session is then leaked and won't ever expire and subsequent requests from the client fail with an error like below until they clear their cookie:

17:35:56,213 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /sessiontest/hi.jsp: java.lang.IllegalStateException: UT000010: Session is invalid yXOeMfuedx29nxgqG59iU9g6OSjWA0Vvevw9xb3W
	at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.session.InMemorySessionManager$SessionImpl.getAttribute(InMemorySessionManager.java:548)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.util.SavedRequest.tryRestoreRequest(SavedRequest.java:155)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:74)
	at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow@7.4.6.GA-redhat-00002//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow@7.4.6.GA-redhat-00002//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)
	at io.undertow.core@2.2.18.SP2-redhat-00001//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
	at io.undertow.servlet@2.2.18.SP2-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)

Timing can play out like so to lead to this:
1. Request A is received and starts session invalidate
2. Request B is received and starts changeSessionId
3. Request A progresses in its invalidate call and removes session from the sessions map
4. Request B reaches createAndSaveNewID and sets the session back in the map
5. Request A sets the session to invalid and returns a reponse clearing the cookie on the client
6. Request B returns, setting the cookie back on the client
7. Request C is sent with the now invalid cookie and hits an error

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

UNDERTOW-2147.btm
1 kB
2022/08/30 9:47 PM
undertow-2147.war
0.9 kB
2022/08/30 9:40 PM
UNDERTOW-2147-2.btm
0.2 kB
2022/09/01 10:03 PM

is cloned by

JBEAP-23929 [GSS](7.4.z) UNDERTOW-2147 - race condition between session invalidate and changeSessionId leads to UT000010

Closed

is incorporated by

WFCORE-6057 Upgrade Undertow to 2.3.0.Final (CVE-2022-2764)

Closed

WFLY-17017 Upgrade Undertow to 2.3.0.Beta1

Closed

WFCORE-6056 Upgrade Undertow to 2.3.0.Beta1

Closed

WFLY-17107 Upgrade Undertow legacy to 2.2.20.Final

Closed

relates to

UNDERTOW-1790 UT000010: Session is invalid due to concurrent calls changeSessionId() calls on same session

Resolved

(1 relates to)

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates