High CPU in io.undertow.protocols.ssl.SslConduit.wrapAndFlip or SslConduit.doWrap in JBoss EAP 7.x or RH-SSO 7.x after updating to JDK 8 u361+, JDK 11.0.18+, or JDK 17.0.6+

Solution Verified - Updated -

Issue

  • JBoss EAP 7 (or RH-SSO 7) hits high CPU from threads in:
"default I/O-3" #267 prio=5 os_prio=0 cpu=1381880.45ms elapsed=6040.85s tid=0x000056398e628800 nid=0x45f4 runnable  [0x00007f46cebfb000]
   java.lang.Thread.State: RUNNABLE
        at sun.security.ssl.SSLEngineImpl.writeRecord(java.base@11.0.18/SSLEngineImpl.java:199)
        at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:136)
        - eliminated <0x00000000b25b2148> (a sun.security.ssl.SSLEngineImpl)
        at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:116)
        - locked <0x00000000b25b2148> (a sun.security.ssl.SSLEngineImpl)
        at javax.net.ssl.SSLEngine.wrap(java.base@11.0.18/SSLEngine.java:482)
        at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.wrap(ALPNLimitingSSLEngine.java:64)
        at io.undertow.protocols.ssl.SslConduit.wrapAndFlip(SslConduit.java:1004)
        at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:940)
        - locked <0x00000000b25b2168> (a io.undertow.protocols.ssl.SslConduit)
        at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:673)
        at io.undertow.protocols.ssl.SslConduit.access$1000(SslConduit.java:70)
        at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1148)
        - locked <0x00000000b25b2168> (a io.undertow.protocols.ssl.SslConduit)
        at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
  • Or high CPU in:
"default I/O-4" #102 prio=5 os_prio=0 cpu=1256508.47ms elapsed=262989.74s tid=0x000055af27a1a000 nid=0x45f5 runnable  [0x00007f922bd98000]
   java.lang.Thread.State: RUNNABLE
    at sun.security.ssl.SSLEngineImpl.writeRecord(java.base@11.0.18/SSLEngineImpl.java:199)
    at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:136)
    - eliminated <0x00000000c828d458> (a sun.security.ssl.SSLEngineImpl)
    at sun.security.ssl.SSLEngineImpl.wrap(java.base@11.0.18/SSLEngineImpl.java:116)
    - locked <0x00000000c828d458> (a sun.security.ssl.SSLEngineImpl)
    at javax.net.ssl.SSLEngine.wrap(java.base@11.0.18/SSLEngine.java:482)
    at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.wrap(ALPNLimitingSSLEngine.java:62)
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:870)
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:649)
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1048)
    - locked <0x00000000c828d400> (a io.undertow.protocols.ssl.SslConduit)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
  • After upgrading our JDK to the latest, we are seeing high CPU and unresponsiveness on JBoss EAP 7 when any Qualys security scan is run

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 7.x
  • Red Hat Single Sign On (RH-SSO) 7.x
  • Java / OpenJDK
    • 1.8.0u361+
    • 11.0.18+
    • 17.0.6+

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content