GHSA-q28m-8xjw-8vr5

Source

https://github.com/advisories/GHSA-q28m-8xjw-8vr5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-q28m-8xjw-8vr5/GHSA-q28m-8xjw-8vr5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q28m-8xjw-8vr5

Aliases

CVE-2021-29509

Published

2021-05-18T01:27:15Z

Modified

2023-11-08T04:05:36.083528Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Puma's Keepalive Connections Causing Denial Of Service

Details

This vulnerability is related to CVE-2019-16770.

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

For more information

If you have any questions or comments about this advisory:

Open an issue in Puma.
To report problems with this fix or to report another vulnerability, see our security policy.

Acknowledgements

Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue.

Thank you to @ioquatix for providing a modified fork of wrk which made debugging this issue much easier.

References

Affected packages

RubyGems / puma

Package

Name: puma
Purl: pkg:gem/puma

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.8

Affected versions

0.*

0.8.0

0.8.1

0.8.2

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

1.*

1.0.0

1.1.0

1.1.1

1.2.0

1.2.1

1.2.2

1.3.0

1.3.1

1.4.0

1.5.0

1.6.0

1.6.1

1.6.2

1.6.3

2.*

2.0.0.b1

2.0.0.b2

2.0.0.b3

2.0.0.b4

2.0.0.b5

2.0.0.b6

2.0.0.b7

2.0.0

2.0.1

2.1.0

2.1.1

2.2.0

2.2.1

2.2.2

2.3.0

2.3.1

2.3.2

2.4.0

2.4.1

2.5.0

2.5.1

2.6.0

2.7.0

2.7.1

2.8.0

2.8.1

2.8.2

2.9.0

2.9.1

2.9.2

2.10.0

2.10.1

2.10.2

2.11.0

2.11.1

2.11.2

2.11.3

2.12.0

2.12.1

2.12.2

2.12.3

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.15.0

2.15.1

2.15.2

2.15.3

2.16.0

3.*

3.0.0.rc1

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

3.2.0

3.3.0

3.4.0

3.5.0

3.5.1

3.5.2

3.6.0

3.6.1

3.6.2

3.7.0

3.7.1

3.8.0

3.8.1

3.8.2

3.9.0

3.9.1

3.10.0

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.12.0

3.12.1

3.12.2

3.12.4

3.12.5

3.12.6

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.2.0

4.2.1

4.3.0

4.3.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

Database specific

{
    "last_known_affected_version_range": "<= 4.3.7"
}

RubyGems / puma

Package

Name: puma
Purl: pkg:gem/puma

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.3.1

Affected versions

5.*

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.1.0

5.1.1

5.2.0

5.2.1

5.2.2

5.3.0

Database specific

{
    "last_known_affected_version_range": "<= 5.3.0"
}