Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 8.19.0
Affects Version/s: 8.14.0, 8.16.1, 8.18.1
Component/s: User Management - Others
Labels:

Introduced in Version:
8.14
Support reference count:
7
Symptom Severity:
Severity 2 - Major
UIS:
54
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

In Jira 8.14 we added a security feature that made encrypted passwords more secure in how they are stored and handled, see more details Password encryption.

After enabling this feature, Jira may stall during very heavy application usage due to contention on the LocalCache by the CachedEncryptor.decrypt method.

Currently, CachedEncryptor.decrypt has a limit of 4 concurrent requests which may cause the bottleneck. Additionally, stored passwords are invalidated after 10 minutes which leads to an increased number of requests.

The stacktrace looks as follows:

sun.misc.Unsafe.park(Native Method)
 java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
 java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt(AbstractQueuedSynchronizer.java:836)
 java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireQueued(AbstractQueuedSynchronizer.java:870)
 java.util.concurrent.locks.AbstractQueuedSynchronizer.acquire(AbstractQueuedSynchronizer.java:1199)
 java.util.concurrent.locks.ReentrantLock$NonfairSync.lock(ReentrantLock.java:209)
 java.util.concurrent.locks.ReentrantLock.lock(ReentrantLock.java:285)
 com.google.common.cache.LocalCache$Segment.compute(LocalCache.java:2194)
 com.google.common.cache.LocalCache.compute(LocalCache.java:4197)
 com.google.common.cache.LocalCache.computeIfAbsent(LocalCache.java:4204)
 com.atlassian.crowd.crypto.CachedEncryptor.decrypt(CachedEncryptor.java:63)
 com.atlassian.crowd.crypto.SaltingEncryptor.decrypt(SaltingEncryptor.java:33)
 com.atlassian.crowd.crypto.MissingKeyHandlingEncryptor.decrypt(MissingKeyHandlingEncryptor.java:31)
 com.atlassian.crowd.crypto.PrefixBasedSwitchableEncryptor.decrypt(PrefixBasedSwitchableEncryptor.java:60)
 com.atlassian.crowd.crypto.ClusterLockingEncryptor.decrypt(ClusterLockingEncryptor.java:32)
 com.atlassian.jira.crowd.embedded.encryptors.JiraEncryptor.decrypt(JiraEncryptor.java:40)
 com.atlassian.crowd.crypto.DirectoryPasswordsEncryptor$$Lambda$1376/1299619370.apply(Unknown Source)
 com.atlassian.crowd.crypto.DirectoryPasswordsEncryptor.lambda$transformPasswordAttributes$0(DirectoryPasswordsEncryptor.java:32)
 com.atlassian.crowd.crypto.DirectoryPasswordsEncryptor$$Lambda$1377/330450352.apply(Unknown Source)
 java.util.HashMap.replaceAll(HashMap.java:1305)
 com.atlassian.crowd.crypto.DirectoryPasswordsEncryptor.transformPasswordAttributes(DirectoryPasswordsEncryptor.java:31)
 com.atlassian.crowd.crypto.DirectoryPasswordsEncryptor.decryptPasswords(DirectoryPasswordsEncryptor.java:20)
 com.atlassian.crowd.crypto.EncryptingDirectoryDAO$$Lambda$1375/1648181244.apply(Unknown Source)

Workaround

There are 2 workarounds available.

Workaround 1

Increase the retention period for the caches to ~30 minutes.

Stop Jira.
Add the following system property: -Dcrowd.encryption.cache.expire.minutes=30
- To verify where the property should be configured for your instance please refer to: Setting properties and options on startup
Start Jira

Workaround 2

If workaround 1 is not sufficient enough to handle the CachedEncryptor.decrypt requests, a sysadmin may disable the feature.

Navigate to System → General configuration → Advanced Settings in the admin panel.
Find option crowd.encryption.encryptor.default and set it’s value to DISABLED.

Attachments

Issue Links

is related to

CWD-1876 Encrypt all external system passwords in Crowd's database

Closed

depends on: KRAK-4285 Loading...; UCACHE-23 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

relates to: KRAK-4245 Loading...

(8 mentioned in, 1 relates to)

Activity

People

Assignee:: Antoni Kowalski

Reporter:: Steven de Groot

Votes:: 3 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 01/Jun/2021 12:56 PM

Updated:: 30/Nov/2023 4:09 PM

Resolved:: 26/Aug/2021 6:38 PM