tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Tomcat 8.5 NIO w/ SSL Windows CPU issues
Date Wed, 10 Aug 2016 15:46:49 GMT

On 8/10/16 6:15 AM, Mike Noordermeer wrote:
> Hi,
> After an upgrade to Tomcat 8.5, we are experiencing an issue where 
> Tomcat starts generating a high CPU load (100%), probably after an 
> HTTP network scan. The bug seems to be related to Windows, NIO and 
> possibly SSL. I have a Yourkit dump and several thread dumps that
> show the issue, and was wondering if anyone is interested in this,
> and if we can gather any extra information to help debug this
> issue.
> Setup: Windows 2k8r2, Tomcat 8.5.4, Java 8u102, NIO HTTP and NIO
> JSSE HTTPS connector.
> Out of nothing, Tomcat starts using 100% CPU. I made some thread 
> dumps, available here:
> I also have some Yourkit stats available, but as these may contain 
> confidential information, I won't share them in public. Basically, 
> what we see is that the thread https-jsse-nio-443-ClientPoller-0
> is continuously runnable and using CPU on 
>$SubSelector.poll0(), and various
> other https-jsse-nio-443-exec threads are waiting (parked) or
> running. These threads together take up all the CPU. A Yourkit
> thread view showing the issue starting around 11:02:
> We _suspect_ the issue is triggered by an HTTP scan, which
> generates the following requests in the access log, but we are
> still trying to confirm this:
> Also, we are trying to confirm whether or not NIO2 shows the same
> behaviour.
> The behaviour seems to be the same as in this tomcat-users thread: 
>  A similar issue is mentioned for some other products, but I'm not
> sure if there's a relation:
> Our next steps are:
> - Switching the production site to NIO2, to see if that fixes the
> issue
> - Checking if we can reproduce the issue by triggering the
> HTTP vulnerability scan manually
> Any ideas or requests for more information are more than welcome.

Are you fronting with a web server/reverse proxy? Those "-" requests
look suspiciously like the kinds of requests that Apache httpd makes
to itself to verify that worker threads are still available for
certain things.

Maybe that's a way that HTTP scanners are trying to avoid detection:
by looking like "normal" stuff in the logs.

I'm curious... why are the requests coming from ""... isn't that
within your own network? Shouldn't you KNOW what that stuff is?

-chris

