CVE-2021-29509 – Keepalive Connections Causing Denial Of Service in puma

https://notcve.org/view.php?id=CVE-2021-29509

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. • https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837 https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5 https://github.com/puma/puma/security/policy https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html https://rubygems.org/gems/puma https://security.gentoo.org/glsa/202208-28 https://access.redhat.com/security/cve/CVE-2021-29509 https://bugzilla.redhat.com/show_bug.cgi?id=1964874 • CWE-400: Uncontrolled Resource Consumption CWE-667: Improper Locking •