CVE-2021-29509

Keepalive Connections Causing Denial Of Service in puma

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.

Puma es un servidor HTTP versión 1.1 concurrente para aplicaciones Ruby/Rack. La solución para CVE-2019-16770 estaba incompleta. La corrección original solo protegía las conexiones existentes que ya habían sido aceptadas para evitar que sus peticiones se vieran muertas por conexiones persistentes codiciosas que saturaban todos los hilos en el mismo proceso. Sin embargo, es posible que las conexiones persistentes codiciosas sigan privando a las nuevas conexiones que saturan todos los subprocesos en todos los procesos del clúster. Un servidor "puma" que recibiera más conexiones "keep-alive" simultáneas de las que el servidor tenía subprocesos en su grupo de subprocesos daría servicio sólo a un subconjunto de conexiones, negando el servicio a las conexiones no atendidas. Este problema se ha solucionado en "puma" versiones 4.3.8 y 5.3.1. La configuración de "queue_requests false" también soluciona el problema. Esto no se recomienda cuando se usa "puma" sin un proxy inverso, como "nginx" o "apache", porque te expondrás a ataques lentos de clientes (por ejemplo, slowloris). La solución es muy pequeña y hay un parche de git disponible para aquellos que usan versiones no compatibles de Puma

A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-30 CVE Reserved
2021-05-11 CVE Published
2024-06-13 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-667: Improper Locking

CAPEC

References (8)

URL	Tag	Source
https://github.com/puma/puma/security/policy	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html	Mailing List
https://rubygems.org/gems/puma	Product

URL	Date	SRC

URL	Date	SRC
https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837	2022-10-27
https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5	2022-10-27

URL	Date	SRC
https://security.gentoo.org/glsa/202208-28	2022-10-27
https://access.redhat.com/security/cve/CVE-2021-29509	2021-11-16
https://bugzilla.redhat.com/show_bug.cgi?id=1964874	2021-11-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				< 4.3.8 Search vendor "Puma" for product "Puma" and version " < 4.3.8"		ruby		Affected
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				>= 5.0.0 < 5.3.1 Search vendor "Puma" for product "Puma" and version " >= 5.0.0 < 5.3.1"		ruby		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected