java-1.6.0-openjdk and java-1.6.0-sun security updates introduce a regression bug affecting JDBC connections to Microsoft SQL Server


Environment

  • OpenJDK 1.6.0-openjdk (on Red Hat Enterprise Linux)
    • 1.6.0.0-1.23.1.9.10.el5_7
    • 1.6.0.0-1.40.1.9.10.el6_
  • Oracle JDK 1.6.0 update 29
  • MSSQL JDBC driver
  • JBoss Enterprise Application Platform

Issue

RHSA-2011-1380 (java-1.6.0-openjdk) and RHSA-2011-1384 (java-1.6.0-sun) introduce a regression that can cause certain SSL connections as well as JDBC connections to Microsoft SQL Server databases to fail. This regression is detailed in the following bugs:

This issue affects the TLS_DH_anon_WITH_AES_128_CBC_SHA SSL cipher suite, as well as connections to Microsoft SQL Server via JDBC. It may also affect other cipher suites; testing to confirm this is ongoing. This issue is known to affect JBoss products which host applications that use JDBC to communicate with Microsoft SQL Server.

It can cause affected servers to hang on startup. This hanging behavior can be identified by a thread dump that shows threads hanging with stack traces such as the following:

"main" prio=10 tid=0x00002aaab00ad000 nid=0x5d40 runnable [0x000000004045a000]
   java.lang.Thread.State: RUNNABLE
     at java.net.SocketInputStream.socketRead0(Native Method)
     at java.net.SocketInputStream.read(SocketInputStream.java:146)
     at com.microsoft.sqlserver.jdbc.TDSChannel.read(IOBuffer.java:1647)
     at com.microsoft.sqlserver.jdbc.TDSReader.readPacket(IOBuffer.java:3694)
     - locked <0x00000000ef9f7d78> (a com.microsoft.sqlserver.jdbc.TDSReader)
     at com.microsoft.sqlserver.jdbc.TDSCommand.startResponse(IOBuffer.java:5026)
     at com.microsoft.sqlserver.jdbc.TDSCommand.startResponse(IOBuffer.java:4978)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection$1ConnectionCommand.doExecute(SQLServerConnection.java:1441)
     at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:4575)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1400)
     - locked <0x00000000ef7bfae0> (a java.lang.Object)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectionCommand(SQLServerConnection.java:1446)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:1907)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$000(SQLServerConnection.java:41)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:1893)
     at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:4575)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1400)
     - locked <0x00000000ef7bfae0> (a java.lang.Object)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1045)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:817)
     at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:700)
     at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:842)
     at org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:207)
     at org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:195)
     at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.createConnectionEventListener(InternalManagedConnectionPool.java:639)
     at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.getConnection(InternalManagedConnectionPool.java:273)
     at org.jboss.resource.connectionmanager.JBossManagedConnectionPool$BasePool.getConnection(JBossManagedConnectionPool.java:690)
     at org.jboss.resource.connectionmanager.BaseConnectionManager2.getManagedConnection(BaseConnectionManager2.java:404)
     at org.jboss.resource.connectionmanager.TxConnectionManager.getManagedConnection(TxConnectionManager.java:424)
     at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:496)
     at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
     at org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:89)

Resolution

It may be possible to work around this issue by disabling the CBC protection controlled by the jsse.enableCBCProtection system property. This is done by passing -Djsse.enableCBCProtection=false to the Java process. Limited testing has shown this workaround to be effective. If it does not resolve the issue, it is recommended that you downgrade the affected package to the version prior to the security updates (RHSA-2011-1380 for java-1.6.0-openjdk, RHSA-2011-1384 for java-1.6.0-sun). Downgrading these packages removes the security fixes applied by the updates. This regression will be addressed in a future release of the affected packages, without the need for a workaround.

Diagnostic Steps

  • Troubleshoot using thread dumps and the additional steps described in "Java application unresponsive".
  • Determine whether the JDK was updated recently.
  • This should be reproducible outside of JBoss and more complicated Java applications. In a simple test scenario with a class that solely opens a connection to the database, does it hang in a similar manner?
  • Check for any known issues specific to the database and driver version in use.
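The third diagnostic step asks for a class that does nothing but open a connection. The following is one such class, added here and not part of the Red Hat solution, written in Java 6 syntax so it runs on the affected JDK; the JDBC URL, user, the MSSQL_PASSWORD environment variable and the 15 s watchdog delay are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Added example, not from the article: opens a single JDBC connection to SQL Server
// and nothing else. Host, database, user and the 15 s watchdog delay are assumptions.
public class MssqlConnectCheck {
    public static void main(String[] args) throws Exception {
        String url = "jdbc:sqlserver://dbhost:1433;databaseName=testdb"; // hypothetical
        String user = "testuser";                                         // hypothetical
        String password = System.getenv("MSSQL_PASSWORD");
        // Driver class from the article's thread dump; Java 6 needs the explicit load.
        Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
        // Ask the driver for a bounded logon so the test fails rather than hanging forever.
        DriverManager.setLoginTimeout(60);
        // Show which setting is in effect so runs with and without
        // -Djsse.enableCBCProtection=false can be compared.
        System.out.println("jsse.enableCBCProtection=" + System.getProperty("jsse.enableCBCProtection", "<unset>"));
        final Thread main = Thread.currentThread();
        // Watchdog: if connect() is still running after 15 s, print the main thread's
        // stack for comparison with the socketRead0/TDSReader trace in the article.
        Thread watchdog = new Thread(new Runnable() {
            public void run() {
                try {
                    Thread.sleep(15000L);
                } catch (InterruptedException e) {
                    return; // connect() finished first
                }
                System.err.println("connect() still running after 15 s; main thread stack:");
                for (StackTraceElement frame : main.getStackTrace()) {
                    System.err.println("    at " + frame);
                }
            }
        });
        watchdog.setDaemon(true);
        watchdog.start();
        long start = System.currentTimeMillis();
        Connection conn = null;
        try {
            conn = DriverManager.getConnection(url, user, password);
            System.out.println("connected in " + (System.currentTimeMillis() - start) + " ms");
        } catch (SQLException e) {
            System.err.println("connect failed after " + (System.currentTimeMillis() - start) + " ms: " + e.getMessage());
        } finally {
            watchdog.interrupt();
            if (conn != null) conn.close();
        }
    }
}
```

Run it once with the default settings and once with -Djsse.enableCBCProtection=false, with the Microsoft JDBC driver jar on the classpath; a printed stack that sits in SocketInputStream.socketRead0 beneath TDSReader.readPacket matches the hang described above and points at the JDK rather than at JBoss.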

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
