ghsa-q28m-8xjw-8vr5
Vulnerability from github
This vulnerability is related to CVE-2019-16770.
Impact
The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.
A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.
Patches
This problem has been fixed in puma 4.3.8 and 5.3.1.
Workarounds
Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).
The fix is very small. A git patch is available here for those using unsupported versions of Puma.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Puma.
- To report problems with this fix or to report another vulnerability, see our security policy.
Acknowledgements
Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue.
Thank you to @ioquatix for providing a modified fork of wrk which made debugging this issue much easier.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3.7"
},
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.3.0"
},
"package": {
"ecosystem": "RubyGems",
"name": "puma"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29509"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T01:26:55Z",
"nvd_published_at": "2021-05-11T17:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability is related to [CVE-2019-16770](https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994).\n\n### Impact\n\nThe fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.\n\nA `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.\n\n### Patches\n\nThis problem has been fixed in `puma` 4.3.8 and 5.3.1.\n\n### Workarounds\n\nSetting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. [slowloris](https://en.wikipedia.org/wiki/Slowloris_(computer_security))).\n\nThe fix is very small. [A git patch is available here](https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837) for those using [unsupported versions](https://github.com/puma/puma/security/policy#supported-versions) of Puma.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [Puma](https://github.com/puma/puma).\n* To report problems with this fix or to report another vulnerability, see [our security policy.](https://github.com/puma/puma/security/policy)\n\n### Acknowledgements\n\nThank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue. \n\nThank you to @ioquatix for providing a modified fork of `wrk` which made debugging this issue much easier.",
"id": "GHSA-q28m-8xjw-8vr5",
"modified": "2023-05-16T16:19:44Z",
"published": "2021-05-18T01:27:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29509"
},
{
"type": "WEB",
"url": "https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837"
},
{
"type": "PACKAGE",
"url": "https://github.com/puma/puma"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/policy"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-29509.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/puma"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-28"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Puma\u0027s Keepalive Connections Causing Denial Of Service"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.