nifi-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy LoPresto <>
Subject Re: OOM by huge header size attack: setResponseHeaderSize won't work
Date Thu, 23 Mar 2017 17:43:56 GMT
I’ve moved further discussion of this issue to <>.

Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Mar 23, 2017, at 10:26 AM, Ke Yang (Conan) <> wrote:
> Folks,
>   We use NiFi which embeds Jetty Server. Our test team found a security bug by intercepting
the http request and replacing the header with a huge (say 1GB) text, which sent the response
to NCM, which got OOM:
> 2017-03-07 03:44:03,522 WARN [NiFi Web Server-22] o.a.n.c.m.impl.HttpRequestReplicatorImpl
Node request for [id=99a65e79-b856-4e43-9056-1451714498fc, apiAddress=, apiPort=38484,
socketAddress=, socketPort=39494, siteToSiteAddress=, siteToSitePort=null]
encountered exception: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError:
Java heap space
>  We tried setResponseHeaderSize here
but it didn't seem to work: it seems to us that the huge fake header got received before this
limit takes effect, as a result, the NCM got OOM in the first place.
> Are we missing anything, or is there a potential bug with setResponseHeaderSize, please?
> Btw, we also wonder if below workaround would work?
> 1.      Increase Nifi bootstrap.conf JVM heap size such as xmx8g
> 2.      Set connection timeout
> nifi.cluster.manager.node.api.connection.timeout=30 sec
> sec
> Thanks,
> Conan&Sherry

View raw message