CVE-2021-29509
Published: 11 May 2021
Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.
Priority
Status
Package | Release | Status |
---|---|---|
puma Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
focal |
Not vulnerable
(3.12.4-1ubuntu2)
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Not vulnerable
(5.5.2-2ubuntu2)
|
|
kinetic |
Not vulnerable
(5.5.2-2ubuntu2)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.3.8, 5.3.1)
|
|
xenial |
Ignored
(end of standard support)
|
|
Patches: upstream: https://github.com/puma/puma/commit/df72887170c7ef3614c941c9bdefb4a1f3546ebf |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |