Jetty starts consuming CPU that remains high even without any traffic

[dimas]

Jetty version(s)
9.4.41.v20210516
9.4.43.v20210629

Java version/vendor (use: java -version)

$ java -version
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1~18.04-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

OS type/version
Ubuntu 18.04

Description
We had an issue with some of the production servers spiking with CPU use.
We do not know what triggered it. When affected servers are removed from load balancer and all traffic to them ceases, the CPU usage still remains high.

About 5 out of 8 servers got affected over a stretch of several hours. The servers belong to different clusters and run different application code on them. The common theme is that they all are Spring apps with embedded Jetty, are on Amazon EC2 and exposed to the internet via load balancers. They are in different AWS accounts, different load balancers and their load pattern is not correlated in any way. Just the AWS region is the same. We saw 9.4.41.v20210516 and 9.4.43.v20210629 affected. Restarting the app (with Jetty) fixes CPU usage.

We tried profiling the running app and building flamegraphs and saw that all the CPU is being eaten by a couple of "qtp" threads with stacktraces similar to:

"qtp708090483-69573" #69573 prio=5 os_prio=0 tid=0x00007f6b1e429000 nid=0x311f in Object.wait() [0x00007f6ac36c8000]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(Native Method)
        at java.lang.Object.wait(Object.java:502)
        at org.eclipse.jetty.server.HttpInput.blockForContent(HttpInput.java:584)
        at org.eclipse.jetty.server.HttpInput$1.blockForContent(HttpInput.java:1164)
        at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:330)
        - locked <0x00000000c54d9790> (a java.util.ArrayDeque)
        at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:270)
        at org.eclipse.jetty.util.UrlEncoded.decodeUtf8To(UrlEncoded.java:485)
        - locked <0x00000000c54dea40> (a org.eclipse.jetty.util.MultiMap)
        at org.eclipse.jetty.util.UrlEncoded.decodeTo(UrlEncoded.java:572)
        at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:582)
        at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:531)
        at org.eclipse.jetty.server.Request.getParameters(Request.java:435)
        at org.eclipse.jetty.server.Request.getParameterNames(Request.java:1093)
        at ch.qos.logback.access.spi.AccessEvent.buildRequestParameterMap(AccessEvent.java:338)
        at ch.qos.logback.access.spi.AccessEvent.getRequestParameterMap(AccessEvent.java:351)
        at ch.qos.logback.access.spi.AccessEvent.prepareForDeferredProcessing(AccessEvent.java:584)
        #
        # code from https://jira.qos.ch/browse/LOGBACK-1486 here
        #
        at ch.qos.logback.core.AsyncAppenderBase.append(AsyncAppenderBase.java:160)
        at ch.qos.logback.core.UnsynchronizedAppenderBase.doAppend(UnsynchronizedAppenderBase.java:84)
        at ch.qos.logback.core.spi.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:51)
        at ch.qos.logback.access.jetty.RequestLogImpl.log(RequestLogImpl.java:137)
        at org.eclipse.jetty.server.HttpChannel.onCompleted(HttpChannel.java:812)
        at org.eclipse.jetty.server.HttpChannel.onBadMessage(HttpChannel.java:872)
        at org.eclipse.jetty.server.HttpChannelOverHttp.badMessage(HttpChannelOverHttp.java:283)
        at org.eclipse.jetty.http.HttpParser.badMessage(HttpParser.java:1647)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1629)
        at org.eclipse.jetty.server.HttpConnection.parseRequestBuffer(HttpConnection.java:376)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:265)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
        at java.lang.Thread.run(Thread.java:748)

Clearly we are at the end of request trying to log it (with logback-access) and while preparing request for deferred processing it tries to read some of the parameters from it and it all ends up in HttpInput.read().

Which in turn blocks for content. However judging from how much CPU is used, our suspicion is that no actual sleeping happens, the thread just wakes up immediately, re-checks conditions, goes back to waiting and the story repeats.

I do not know anything about Jetty internals but given this code https://github.com/eclipse/jetty.project/blob/jetty-9.4.41.v20210516/jetty-server/src/main/java/org/eclipse/jetty/server/HttpInput.java#L1161-L1166 just calls input.blockForContent() and always returns true (unless throws), then this loop https://github.com/eclipse/jetty.project/blob/jetty-9.4.41.v20210516/jetty-server/src/main/java/org/eclipse/jetty/server/HttpInput.java#L314-L340 reduces to:

            while (true)
            {
                Content item = nextContent();
                if (item != null)
                {
                    l = get(item, b, off, len);
                    if (LOG.isDebugEnabled())
                        LOG.debug("{} read {} from {}", this, l, item);

                    // Consume any following poison pills
                    if (item.isEmpty())
                        nextInterceptedContent();
                    break;
                }

                // No content, so should we block?
                input.blockForContent();
            }

So in theory as long as nextContent() returns null, it just spins input.blockForContent().

We tried verifying it by enabling debug logging with

<logger name="org.eclipse.jetty.server.HttpInput" level="DEBUG"/>

and it resulted in about 10Mb/sec of logs:

-----------------------------------------------------------------------------------------------------------------------------------------------
|       @timestamp        | level |       thread       |                                       message                                        |
|-------------------------|-------|--------------------|--------------------------------------------------------------------------------------|
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-71877 | HttpInputOverHTTP@1202b981[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
| 2021-10-08 14:54:35.000 | DEBUG | qtp708090483-69573 | HttpInputOverHTTP@72895282[c=0,q=0,[0]=null,s=STREAM] blocking for content timeout=0 |
-----------------------------------------------------------------------------------------------------------------------------------------------

So it does indeed look like read() just spins blockForContent() endlessly which for some reason wakes up every time but there are no data available (or read() would log something on this line https://github.com/eclipse/jetty.project/blob/jetty-9.4.41.v20210516/jetty-server/src/main/java/org/eclipse/jetty/server/HttpInput.java#L321 )

Remember, there is no any load on that server at that moment, no established HTTP connections, just couple of some old requests stuck in this state.

How to reproduce?
Unfortunately I have no idea what triggers it. We just saw several servers ended up in this state. Last time we saw it before today was several months ago. Given all affected servers are on AWS eu-west-1 and behind load balancers, it could be that some region-wide issue with AWS load balancers resulted in some incorrect TCP connection closure or something like that which in turn triggered some edge condition in Jetty.

It also can be the same issue as #5435 although I am not 100% sure

[joakime]

The stacktrace shows the following, which gives hints that you are suffering from an OLD security issue ...

        at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:582)
        at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:531)
        at org.eclipse.jetty.server.Request.getParameters(Request.java:435)
        at org.eclipse.jetty.server.Request.getParameterNames(Request.java:1093)
        at ch.qos.logback.access.spi.AccessEvent.buildRequestParameterMap(AccessEvent.java:338)

This stacktrace is during a POST request parsing of a request with Content-Type: application/x-www-form-urlencoded.

The most important thing you need to check right now.
Make sure you have sane values for the "maxFormContentSize" and "maxFormKeys".

Defaults:

• ContextHandler.maxFormContentSize = 200,000
• ContextHandler.maxFormKeys = 1,000

If you have configured larger values, then you are subject to a exactly the scenario you are experiencing.
See: https://ocert.org/advisories/ocert-2011-003.html

Don't set those value too high, especially the maxFormKeys value.
Each 10% of increase in those values increases exponentially your exposure to ocert-2011-003.

While Java can handle large Map instances in terms of size or key count, it's actually quite trivial to make a set of keys that will just consume extraordinary amounts of CPU.

This was fixed in Jetty 7.6.0 as part of https://bugs.eclipse.org/367638 by adding those limits on maxFormKeys and maxFormContentSize.

[joakime]

Also of note, logback-access was written in the time of Jetty 7.x and Jetty 8.x, and hasn't kept up with Jetty 9.1, 9.2, 9.3, or 9.4 changes.

The Request Logging facilities in Jetty 9.4.44, for example, never trigger request body parsing just to log a request (oh that's a decision in logback-access that has bitten many a user of logback-access. Which is what your stacktrace shows btw.)

Note that with Jetty 9.4.44, you also have access to the wonderful CustomRequestLog with it's own configurable output format (like logback-access).
See: https://javadoc.io/static/org.eclipse.jetty/jetty-server/9.4.44.v20210927/org/eclipse/jetty/server/CustomRequestLog.html

And you can even use CustomRequestLog in combination with any slf4j-api based logger, even logback core (which ships with a nifty SiftingAppender to allow you to have multiple log files being populated from different named loggers, so you can keep a unique request log, with rolling and archiving)

[joakime]

The stacktrace also shows a bug in logback-access ...

        at ch.qos.logback.access.jetty.RequestLogImpl.log(RequestLogImpl.java:137)
        at org.eclipse.jetty.server.HttpChannel.onCompleted(HttpChannel.java:812)
        at org.eclipse.jetty.server.HttpChannel.onBadMessage(HttpChannel.java:872)
        at org.eclipse.jetty.server.HttpChannelOverHttp.badMessage(HttpChannelOverHttp.java:283)
        at org.eclipse.jetty.http.HttpParser.badMessage(HttpParser.java:1647)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1629)

The parser failed, triggered a badMessage, and then logback-access attempted to log the request.
But the first thing it does is attempt to parse the request body content.
Uh, the request is bad, there is no valid request body content.
logback-access should not be attempting to parse the request body content.

[joakime]

@gregw What do you think about flagging the bad Request object so that calls to access the request body also fail early with an IOException?

[joakime]

@gregw Perhaps even have the Request be set to "complete" before the onCompleted() is called, to prevent behavior that can alter the Request after it's complete and before it's recycled. (such as a logging framework attempting to read the request body content after the Request is complete).

[dimas]

@joakime , first of all thanks for a very quick reply.
It will take me some time to dive into your comment regarding the logging stuff but here is a quick reply for the first one. "Some sort of attack" was my second thought (after "Amazon load balancer issue") because these servers are often probed by various scanning tools so it would not surprise me....

However... You are saying it was fixed in 7.6 line and we are using one of the latest 9.4 so it should not have this issue. We are definitely not configuring neither maxFormContentSize nor maxFormKeys explicitly so defaults must be active. If there is a way to get these settings from a running server or start it in a debug mode so these values are printed - I am happy to do it of course. But my money are on the fact we are using these low defaults.

[dimas]

Re logback bug that makes it parse the request body content... I do not think logback knows the request should not be logged - this code

    public void onCompleted()
    {
        if (LOG.isDebugEnabled())
            LOG.debug("onCompleted for {} written={}", getRequest().getRequestURI(), getBytesWritten());

        if (_requestLog != null)
            _requestLog.log(_request, _response);

sends the request to logger like any other request. And I checked Jetty's own CustomRequestLog code and I do not see any special handling for "bad message" there - these requests are treated the same way as any normal ones. Maybe I am missing something.

I believe logback causes body parsing because it attempts to extract body parameters. And the reason it does this is because it prepares the event for background processing - the request thread can quickly queue logging event while it will be written into a file by some async appender.

There was a bug in logback causing it to log random stuff with async appenders because Jetty recycles request objects and by the time logback async thread starts writing the event down, the request can contain completely different data. Few years ago I contributed a fix for logback qos-ch/logback#240 that just made sure that when the event is prepared for background processing - all the important attributes are cloned because at that moment you do not know what of the attributes and parameters your async appender (and formatter) will require.

Obviously this attempt to save request data is what causes Jetty to try parsing the body.

I understand that this parsing probably makes no sense for a completely invalid request (badMessage) but you guys are still sending this request into the log() method so you can not expect each possible implementation knows how to deal with it. Some proprietary implementation can unconditionally try reading some request headers/data for logging purposes. Does not feel like logback issue to me.
It really feels like Jetty should just handle attempts to read parameters/attributes/body/whatever for these bad requests instead of entering high CPU consumption loop.

Cheers

[joakime]

CustomRequestLog will use the committed state of the request/response objects to avoid changes caused by the application after the request/response is committed.
It also does not use APIs that will trigger state changes in the request/response objects.

        at org.eclipse.jetty.server.Request.getParameterNames(Request.java:1093)
        at ch.qos.logback.access.spi.AccessEvent.buildRequestParameterMap(AccessEvent.java:338)

The fact that logback-access calls Request.getParameterNames() is a big no-no for request logging, it should never do that.
That will force a request body read (if it hasn't been read before) per the servlet spec behaviors.

Even on a normal request (one that doesn't cause a parser error), imagine this ...

You have a POST request arrive.
Your servlet (or the authentication layer, or a filter, etc) decides the request isn't useful yet.
It responds with a simple 403 Forbidden, never having read the request body.
Now logback-access wakes up to log the request log entry.
It has now triggered a request body READ, not only that, but it's triggered it at the server level, a context-less Request (one that doesn't have context based configuration to limit form data sizes and whatnot)
This will now consume resources to read the request body content, which could easily be malicious (in size? in keys? etc), even though the application intentionally didn't read the request body.
This is a bug in logback-access, a big one IMO, as it could easily lead to a trivial DOS attack.

[joakime]

Here's another example of where logback-access gets things wrong.

https://github.com/qos-ch/logback/blob/v_1.2.6/logback-access/src/main/java/ch/qos/logback/access/jetty/JettyServerAdapter.java#L49

    public int getStatusCode() {
        return response.getStatus();
    }

That will not have the correct response status code, as the status code is not immutable on the servlet spec.
Eg: It can be sent as one value on the network, and then changed after the fact, before the response has even been fully sent.
Many libraries, such as spring-framework, spring-boot, spring-security, will set different status codes on the way out of the context.
Many error handling routines reset the status code as well.
By the time the request logging occurs, logback-access is logging the wrong status code.

We have special APIs to track the committed state (what was actually sent on the wire).

https://github.com/eclipse/jetty.project/blob/jetty-9.4.44.v20210927/jetty-server/src/main/java/org/eclipse/jetty/server/CustomRequestLog.java#L1159

https://github.com/eclipse/jetty.project/blob/8da83308eeca865e495e53ef315a249d63ba9332/jetty-server/src/main/java/org/eclipse/jetty/server/CustomRequestLog.java#L1157-L1160

You might be thinking, "why not write the request log entry before you exit the context?".

Because the request / response exchange is not complete once the context dispatch is complete.
Application buffers, network buffers, etc all take time, the context dispatch is long gone by the time the real status of the request/response exchange is complete and suitable for being logged in the RequestLog.

This is pretty common as well...

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException
{
    OutputStream out = resp.getOutputStream();
    out.write(getLargeResponseBuffer());
}

The application told the servlet container to write a big buffer, and then completed the dispatch, but writing that buffer can take time.
If the buffer was 10MB, and only 2MB was written to the network before the connection failed, the request log should show that.

[dimas]

@joakime , I see your point now. Thanks for taking time to explain it.

I agree that logback should not have triggered request reading by trying to access request parameters. Unfortunately it does and I am sure they won't accept a PR to stop it from happening because there is probably a lot of people out there who now rely on it as their logging appenders/formatters are configured to log certain parameters of the request. Logback also seems to attempt grabbing the entire request body among other things in this code https://github.com/dimas/logback/blob/master/logback-access/src/main/java/ch/qos/logback/access/spi/AccessEvent.java#L576-L598 and there can be people relying on it too.

I do not know how to fix the problem without massive rework and breaking backward compatibility with what people may be collecting into their access logs. Does not look practical to me.

We may consider changing logging framework but we can not do it for access logs only - right now logback is used for both application logs as well as access logs, all sent out as JSON. I am not sure what is a good replacement these days - may take a look at log4j2 if you say its support for Jetty access log is correct unlike logback's.

Having said that, isn't it worth fixing Jetty in a way so even if logging framework tries to read bad request, it does not enter some infinite loop? Yes, the logging framework should not be doing it for all the reasons you laid out but if it does - at least it won't not cause a 100% CPU consumption....

(I am working from assumption that our CPU consumption is NOT caused by https://ocert.org/advisories/ocert-2011-003.html - I still believe there may be some edge case handling some bad TCP connection or something)

Thanks

[joakime]

I do not know how to fix the problem without massive rework and breaking backward compatibility with what people may be collecting into their access logs. Does not look practical to me.

We may consider changing logging framework but we can not do it for access logs only - right now logback is used for both application logs as well as access logs, all sent out as JSON. I am not sure what is a good replacement these days - may take a look at log4j2 if you say its support for Jetty access log is correct unlike logback's.

There's absolutely no need to switch from logback to log4j. (We here at Eclipse Jetty are huge fans of slf4j and logback)

Note that logback-access is just a small optional sub-component of logback, you can still use the rest of logback as-is without logback-access, even with CustomRequestLog.

If you decide to look into CustomRequestLog, know that you can set it to use the Slf4jRequestLogWriter, which logback will use happily. You can even have separate log files easily enough with logback (regular logs, and request logs separate)

I'm not ready to close this issue, as there are some possible places we can short-circuit the bad behavior, but it's a delicate thing that might cause ripples elsewhere, which means it will take time.

In any case, this was an enlightening issue, thank you for filing it.

[joakime]

I went ahead and opened 2 issues on the logback side as well ...

• https://jira.qos.ch/browse/LOGBACK-1580 - logback-access uses response.getStatus improperly
• https://jira.qos.ch/browse/LOGBACK-1581 - logback-access should not use Request.getParameterNames

[dimas]

Thank you for reaching out to logback team!

Re CustomRequestLog - I would happily use it but from the code I read it seems like it can only form plaintext strings. We moved to structured text (JSON) everywhere long time ago because it allows us to have these logs nicely indexed in either elasticsearch/logstash/kibana stack or in CloudWatch. Plaintext feels just wrong when the app started with all these separate attributes but bunched them all together into a human-readable string and then you have to create rules to parse that string back into individual attributes. Just some unnecessary conversions back and forth.

I bet we can specify format string as something like { "status": %s, "bytes_received": %I, "method": "%m" } so when thee values are substituted, so our log will look like JSON. But only look like it - should any of the things being logged contain a quotation mark for example - it will render the resulting JSON as invalid. The whole thing becomes too fragile.

However, I understand this conversation has nothing to do with the issue at hands. Just explaining why we use what we use...

[joakime]

Can you share your logback-access configuration?

[dimas]

Sure. https://gist.github.com/dimas/c5df027a86f9fd31745ad5ce860c6ab9

Feels like I need to explain myself because that whole thing may look overcomplicated (and it probably is).
Historically we used ELK (elasticsearch+logstash+kibana) so our main log appender was https://github.com/logstash/logstash-logback-encoder that was configured to format log entries as JSON and send them directly to logstash via TCP.

We did not want issues with ELK servers to cause any problem with the application - it is really bad if issues with log collection hang your business logic - so this explains why we use async appender which just sends stuff into a queue that is sent to the real logstash appender by a background thread. In the worst case it just starts discarding logging events but will never block a call to log.info(...) even if logstash servers stuck in a weird state and TCP buffers got filled etc.

The custom async appender is just code from https://jira.qos.ch/browse/LOGBACK-1486

public class AsyncAccessAppender extends AsyncAppenderBase<IAccessEvent> {
    @Override
    protected void preprocess(final IAccessEvent eventObject) {
        eventObject.prepareForDeferredProcessing();
    }
}

Later we had to switch to log collection with Amazon CloudWatch Agent so now we are writing logs into files on the local filesystem. We kept logstash-logback-encoder that formats events as JSON for us because it is very configurable - you can choose what fields you need and where to get them. Also we already had this configuration as we kept it from our ELK times. But we are only using formatting part of the logstash-logback-encoder really and not using the TCP socket part.

We also kept the async part simply because it was already there. But it is not that critical for writing data to local FS as it was for sending it over TCP/IP.

So given async is not necessary strictly speaking, one idea would be just to remove it - if there is no call to prepareForDeferredProcessing(), there will be no call to getParameterNames() and the problem goes away.
However I remember a logback ticket https://jira.qos.ch/browse/LOGBACK-1189 that literally says

But, problem is that "AccessEvent.prepareForDeferredProcessing" is called twice - once when appended by request thread, and then again by async worker thread here

so it does not look like it is going to help - it reads like removing async appender will only remove one of the calls.

[joakime]

Thanks.

One thing I noticed immediately is something that's surprised logstash users in the past, so I mention it to make sure you are aware of it too.

If the request fails during HttpParser, you have essentially an empty request, which will result in no dispatch to a context, and a 400 response to the client with a connection closure.
Lastly, it will be sent to the RequestLog implementation.

The following can all be null in this scenario.

"remote_addr": "%h",
"method": "%requestMethod",
"request_uri": "%requestURI",
"request_url": "%requestURL",
"query_string": "%queryString",
"httpver": "%protocol",

Make sure your tooling on logstash is aware of this. I mention this as it's bitten many folks in the past that assume all requests are happy/valid requests.

Which is far from the truth in a publicly facing web app, many requests can be accidentally bad (client that doesn't implement HTTP spec properly), maliciously bad, or just bad.

The AWS ELB can protect from some of the issues, but lets many through (especially around Content-Length and Transfer-Encoding HTTP rules that the ELB should be rejecting. Then there is the whole long list of X-Forwarded-For issues that ELB doesn't, and cannot, implement properly with that non-standard spec. When is ELB going to support the standard RFC 7239 "Forwarded" header that the entire world already supports?)

I also notice that you don't even use the request parameters in your pattern, but logback-access is pulling them from the request anyway.
The design philosophy in good servlet request logging is to only operate against the request/response based on what is present in the output pattern.

[joakime]

So given async is not necessary strictly speaking, one idea would be just to remove it - if there is no call to prepareForDeferredProcessing(), there will be no call to getParameterNames() and the problem goes away. However I remember a logback ticket https://jira.qos.ch/browse/LOGBACK-1189 that literally says

But, problem is that "AccessEvent.prepareForDeferredProcessing" is called twice - once when appended by request thread, and then again by async worker thread here

so it does not look like it is going to help - it reads like removing async appender will only remove one of the calls.

That is ancient advice about the request thread.

That request thread statement was true around Servlet 2.3 (about the end of 2001).

The request thread statement became no longer true when Servlet 2.4 (end of 2003) was introduced and the SingleThreadModel was deprecated in the servlet spec.

Servlet 3.0 (end of 2009) put another nail in that coffin for the request thread behaviors.
The idea that a 1 request is served by 1 thread is no longer true at this point, even for non-async requests.
ThreadLocal use is strongly discouraged and deprecated.

Servlet 6.0 (end of 2021) killed the request thread concepts outright, all threading is now 100% async. SingleThreadModel is now removed, use of ThreadLocal is now impossible, etc...

[dimas]

I also notice that you don't even use the request parameters in your pattern, but logback-access is pulling them from the request anyway.

That is correct. But I kinda understand why it is the way it is - when prepareForDeferredProcessing() is called, logback does not know yet what appenders will end up receiving this log event. So it is not known what of the request properties be required. There in theory can even be multiple appenders with different requirements. Because of that they opted for just copying everything available. Not the nicest solution but I certainly understand the reasoning.

That is ancient advice about the request thread.

That request thread statement was true around Servlet 2.3 (about the end of 2001).

Maybe the terminology is not super accurate there but the idea was that prepareForDeferredProcessing() is called twice - first time by the thread on the server that invokes request logging ("request thread" there) so all the request data is captured before the request is recycled. And then it is invoked the second time by the RollingFileAppender itself which runs in a separate thread in the background (because we are using async logger).

That second invocation is a bit of a surprise to be honest - RollingFileAppender is not some sort of async thing so when it is invoked, it is expected to synchronously convert logging event to a string representation and write it to the file. And yet, it really calls prepareForDeferredProcessing(), we verified it earlier today. Judging from the sources, it is done since https://jira.qos.ch/browse/LOGBACK-649

The bottom line is - even if we remove async layer from our logback configuration and write directly to the RollingFileAppender - it won't solve the problem and prepareForDeferredProcessing() => getParameterNames() is still going to be called.

[dimas]

@joakime we reproduced the problems with really simple logback config (see below).
Requests that we send there go into that infinite loop trying to read data from the connection and eating server CPU. You can send multiple requests potentially eating all the threads.

Do you want to provide the reproducible case here or should we go security issue route?

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <appender name="file" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>/tmp/log/jetty-6973/access.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <fileNamePattern>/tmp/log/jetty-6973/access.%d{yyyy-MM-dd}.log</fileNamePattern>
        </rollingPolicy>

        <encoder>
            <pattern>combined</pattern>
        </encoder>
    </appender>

    <appender-ref ref="file"/>
</configuration>

[joakime]

I'm not convinced it's a security issue (yet).
I've been attempting to recreate the conditions in a unit test, but have failed so far.

[joakime]

I've been able to get your configuration running with the following ${jetty.base} ...

[logback-access-base]$ tree -F
.
├── etc/
│   └── logback-access.xml
├── gen-bad-requests.sh*
├── lib/
│   ├── logback/
│   │   ├── logback-access-1.2.6.jar
│   │   ├── logback-classic-1.2.6.jar
│   │   └── logback-core-1.2.6.jar
│   └── slf4j/
│       └── slf4j-api-1.7.32.jar
├── logs/
│   ├── access.log
│   └── jetty.log
├── resources/
│   ├── logback-access.xml
│   └── logback.xml
├── start.ini
└── webapps/

7 directories, 11 files

[logback-access-base]$ cat etc/logback-access.xml 
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Set name="requestLog">
    <New id="LogbackAccess" class="ch.qos.logback.access.jetty.RequestLogImpl">
      <Set name="fileName">resources/logback-access.xml</Set>
      <Call name="start"/>
    </New>
  </Set>
</Configure>

[logback-access-base]$ cat start.ini 
--module=deploy
--module=http
--module=logging-logback
--lib=lib/logback/logback-access-${logback.version}.jar
etc/logback-access.xml

It's been hard to troubleshoot as there so many bugs in the logback-access implementation.

Take this example.

The first request is a GET / HTTP/1.1, which should return a 404, as there's no webapps deployed.

The next request is a POST /hello HTTP/1.1, but I left out the Host: localhost header on the request.

It returned a 400 on Jetty, but logback-access shows it as a 200 with no bytes sent on the response.

But if we use any of the Jetty RequestLog implementations ...

We get the 400 response status, and the 50 bytes sent on the response.

[dimas]

My colleague created this test case - https://github.com/baranchikovaleks/jetty-6973

To be honest I do not know if server returns valid response or not - we never looked at the response. The issue is that server thread hangs starting eating the CPU.
Another check we had is to set a breakpoint in logback's AccessEvent.prepareForDeferredProcessing() and when it is hit - step over couple of method there:

  public void prepareForDeferredProcessing() {
    getRequestHeaderMap();
    getRequestParameterMap();
    getResponseHeaderMap();

The getRequestParameterMap() hangs and if you have debug logs enabled in Jetty - you will see it starts flooding you with messages. He has the issue 100% reproducible on his laptop. On my laptop it is not 100% but requires several attempts sometimes.

I only thought of a security incident because if many people have Jetty configured with logback for their access logs - it is very easy to trigger this condition and you can render server unresponsive with very little effort.

[joakime]

That reproduction is odd.

The looping I experience is actually caused by logback-access not being able to write the log file (the directory /tmp/log/ doesn't exist on my system, and logback-access version 1.2.4 has a bug that keeps retrying infinitely).

When I upgrade logback-access to 1.2.6 I stop experiencing the the spin on attempting to create/write to the log file.
But then it just simply detects that it cannot create/write and essentially no-ops the Logger within logback-access.

If I change the logback-access.xml to have a sane directory location.

<?xml version="1.0" encoding="UTF-8"?>
<configuration debug="true">
    <appender name="file" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <file>logs/access.log</file>
        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
            <fileNamePattern>logs/access.%d{yyyy-MM-dd}.log</fileNamePattern>
        </rollingPolicy>

        <encoder>
            <pattern>combined</pattern>
        </encoder>
    </appender>

    <appender-ref ref="file"/>
</configuration>

And create the logs/ directory within your example project then logback-access keeps running.

So this is now ...

• <logback.version>1.2.6</logback.version>
• logback-access.xml with sane directory locations
• <jetty.version>9.4.41.v20210516<jetty.version>

And yes, I can see the loop in the ManagedSelector.

Lets try upgrading Jetty real quick, as I would personally never run 9.4.41, as its' subject to security advisories - https://www.eclipse.org/jetty/security_reports.php

I upgrade to <jetty.version>9.4.44.v20210927</jetty.version> and try again.

I don't experience the looping in ManagedSelector. Instead I notice that the HttpParser terminates.

06:05:02.900 [qtp611437735-48] DEBUG org.eclipse.jetty.server.HttpChannel - onCompleted for . written=50
06:05:02.907 [qtp611437735-48] WARN org.eclipse.jetty.server.Request - java.lang.IllegalStateException: Parser is terminated: HttpParser{s=CLOSE,0 of -1}
06:05:02,908 |-ERROR in ch.qos.logback.core.rolling.RollingFileAppender[file] - Appender [file] failed to append. org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
	at org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
	at 	at org.eclipse.jetty.server.Request.getParameters(Request.java:439)
	at 	at org.eclipse.jetty.server.Request.getParameterNames(Request.java:1093)
	at 	at ch.qos.logback.access.spi.AccessEvent.buildRequestParameterMap(AccessEvent.java:338)
	at 	at ch.qos.logback.access.spi.AccessEvent.getRequestParameterMap(AccessEvent.java:351)
	at 	at ch.qos.logback.access.spi.AccessEvent.prepareForDeferredProcessing(AccessEvent.java:584)
	at 	at ch.qos.logback.core.OutputStreamAppender.subAppend(OutputStreamAppender.java:223)
	at 	at ch.qos.logback.core.rolling.RollingFileAppender.subAppend(RollingFileAppender.java:235)
	at 	at ch.qos.logback.core.OutputStreamAppender.append(OutputStreamAppender.java:102)
	at 	at ch.qos.logback.core.UnsynchronizedAppenderBase.doAppend(UnsynchronizedAppenderBase.java:84)
	at 	at ch.qos.logback.core.spi.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:51)
	at 	at ch.qos.logback.access.jetty.RequestLogImpl.log(RequestLogImpl.java:137)
	at 	at org.eclipse.jetty.server.HttpChannel.onCompleted(HttpChannel.java:824)
	at 	at org.eclipse.jetty.server.HttpChannel.onBadMessage(HttpChannel.java:884)
	at 	at org.eclipse.jetty.server.HttpChannelOverHttp.badMessage(HttpChannelOverHttp.java:283)
	at 	at org.eclipse.jetty.http.HttpParser.badMessage(HttpParser.java:1653)
	at 	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1635)
	at 	at org.eclipse.jetty.server.HttpConnection.parseRequestBuffer(HttpConnection.java:381)
	at 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:265)
	at 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at 	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at 	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at 	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.IllegalStateException: Parser is terminated: HttpParser{s=CLOSE,0 of -1}
	at 	at org.eclipse.jetty.server.HttpConnection.fillAndParseForContent(HttpConnection.java:322)
	at 	at org.eclipse.jetty.server.HttpInputOverHTTP.produceContent(HttpInputOverHTTP.java:33)
	at 	at org.eclipse.jetty.server.HttpInput.nextContent(HttpInput.java:382)
	at 	at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:316)
	at 	at org.eclipse.jetty.server.HttpInput.read(HttpInput.java:270)
	at 	at org.eclipse.jetty.util.UrlEncoded.decodeUtf8To(UrlEncoded.java:485)
	at 	at org.eclipse.jetty.util.UrlEncoded.decodeTo(UrlEncoded.java:572)
	at 	at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:582)
	at 	at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:531)
	at 	at org.eclipse.jetty.server.Request.getParameters(Request.java:434)
	at 	... 23 common frames omitted

This is better, and is part of the work done in commit 64a7dda for Issue #6491

This state was reached because, the request has no Host header.

06:17:05.447 [qtp1543727556-48] WARN org.example.jetty6973.HttpListener - onRequestFailure(Request(POST .)@16a011d8)
org.eclipse.jetty.http.BadMessageException: 400: No Host
	at org.eclipse.jetty.http.HttpParser.parseFields(HttpParser.java:1203)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1528)
	at org.eclipse.jetty.server.HttpConnection.parseRequestBuffer(HttpConnection.java:381)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:265)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.base/java.lang.Thread.run(Thread.java:833)

This would be classified as an early failure, found during the HttpParser steps of the request line and headers.
The call to HttpChannel.onBadMessage is Jetty informing the raw HttpChannel / HttpConnection that the request is wholly bad.
A simple call to server.getErrorHandler().badMessageError() is performed to get the "go away" text (a single small buffer), to write back and close the connection.
Then the Request / Response is sent to the server.getRequestLog().log(request,response) to log what happened.
At which point logback-access attempts to read from the request and causes this entire chain of events.

Good to know that newer versions of Jetty don't experience the loop.

The changes I made to your example project can be found at joakime/jetty-6973@95866ba

But I still want to create a PR that prevents the .getParameterNames() and .getInputStream() style calls against the Request from ever reading from the request body, as that's just wrong for a RequestLog to be doing, and changes what actually happened, as logback-access is logging success and bad information, sheerly because it changes the state of the request/response objects in it's own actions.

[dimas]

Firs of all, my apologies for using a complex path to the log file. We did have this directory in /tmp so never ran into the issue you faced first.

I would personally never run 9.4.41, as its' subject to security advisories - https://www.eclipse.org/jetty/security_reports.php

We do normally upgrade Jetty when Github flags repository with a security advisory. I do not know where Github sources their data but none of our repositories with 9.4.41 is flagged with a vulnerability report.

This is better, and is part of the work done in commit 64a7dda for Issue #6491

What is the first version it went into? Because while our debugging and reproduction happened with 9.4.41.v20210516, we also have servers showing high CPU that are on newer 9.4.43.v20210629.

One of the services was also updated to 9.4.44 but it hasn't spent enough time out there yet to conclude if it is hit by the issue or not. I am happy to update Jetty on all our services to that version. (As well as bumping to the latest logback-access)

[dimas]

Checked - we have only two servers running 9.4.44. They are running for 7 days and they did not see that spike in CPU during that time where 9.4.41 saw them multiple times already.

[joakime]

I filed a PR at logback to do things properly ... qos-ch/logback#532

[dimas]

Cool. Let's see what they think of it.
Looking at your PR I am curious why you always catch'ing Throwable everywhere... From my experience you do not want to deal with JVM errors, like classloader failures, OOMs etc. So I wonder why...
Here for example https://github.com/qos-ch/logback/pull/532/files#diff-9b9321bd50b274e1931fecd57ad95ae4eec570599d7cb7e8643995adcf86f7a8L503-R513 it used to be Exception and you changing it to a Throwable...

There is a place where you probing what version of Jetty is there so an Error, not Exception can be thrown, I get it. But you still can catch the one you are interested in (NoClassDefFoundError?) instead of a blanket Throwable...

And this bit I do not get at all - https://github.com/qos-ch/logback/pull/532/files#diff-4bb5c032bf2833e6321a7e70c7cd053757c33356a08d74251e5153e30f7e55d1R233-R241 your catch will catch (and ignore) the very same exception you are throwing yourself...

[dimas]

JFYI, we haven't seen the problem for a week after we upgraded all our servers to the 9.4.44
I do not know if it is just a coincidence or it was properly fixed in that version.

[joakime]

PR #6997 has been opened to address this issue in a different way as well.

Once merged, logback-access cannot access the request body once it reaches the "RequestLog" stage.
The Response is also reset with regards to status / headers to what was actually committed so that logback-access writes the correct information.

[elanvital8]

Thank goodness I finally found this thread. I'm having the same issue and some internet attack is clogging my Jetty servers in this exact way.
I am hoping to find a way to replicate this bug by creating a POST with curl which will cause it, so that I can then upgrade my Jetty servers and/or logback and/or JVM and see if the POST no longer works to trigger this.
Is there any advice on how to artificially trigger this?
Or should I not bother and is it confirmed that upgrading to the latest Jetty server will fix it?

[dimas]

We created a test case - see this comment #6973 (comment)
There is Java code that sends the request that caused problem on our servers.

To find the request - we removed all traffic from the impacted server, observed it still uses a lot of CPU even though not serving any user requests, took a heap dump and analyzed it with a profiler looking at Jetty request threads and what requests they are actually handling. Or you can attach profiler to a running Jetty (still you need to remove new traffic from it).

[elanvital8]

My goodness, thank you so much for responding on a holiday weekend. I was able to take the test and use just the Socket connection piece to hit my test server and it replicated the issue. This will help greatly to know when an upgrade makes it possible to block this, hopefully just with the latest Jetty version.

[dimas]

As per #6973 (comment) - 9.4.44 solved the issue for us. So I guess anything above that should be fine.

[elanvital8]

Thanks again for this solution. Yes, the upgrade also solved it here as well.