Keepalive Connections Causing Denial Of Service in puma
CVE-2021-29509

7.5HIGH

Key Information:

Vendor

Puma

Status
Puma
Vendor
CVE Published:
11 May 2021

What is CVE-2021-29509?

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in puma 4.3.8 and 5.3.1. Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.

Affected Version(s)

puma < 4.3.8 < 4.3.8

puma >= 5.0.0, < 5.3.1 < 5.0.0, 5.3.1

References

https://github.com/puma/puma/security/advisories/GHSA-q28...
x_refsource_CONFIRM
https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c...
x_refsource_MISC
https://github.com/puma/puma/security/policy
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.