GHSA-q28m-8xjw-8vr5

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-q28m-8xjw-8vr5/GHSA-q28m-8xjw-8vr5.json
Aliases
Published
2021-05-18T01:27:15Z
Modified
2022-09-21T03:43:13.325071Z
Details

This vulnerability is related to CVE-2019-16770.

Impact

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster.

A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

Patches

This problem has been fixed in puma 4.3.8 and 5.3.1.

Workarounds

Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris).

The fix is very small. A git patch is available here for those using unsupported versions of Puma.

For more information

If you have any questions or comments about this advisory:

Acknowledgements

Thank you to @MSP-Greg, @wjordan and @evanphx for their review on this issue.

Thank you to @ioquatix for providing a modified fork of wrk which made debugging this issue much easier.

References

Affected packages

RubyGems / puma

puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
4.3.8

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3

2.*

2.0.0
2.0.0.b1
2.0.0.b2
2.0.0.b3
2.0.0.b4
2.0.0.b5
2.0.0.b6
2.0.0.b7
2.0.1
2.1.0
2.1.1
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.15.0
2.15.1
2.15.2
2.15.3
2.16.0
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.9.0
2.9.1
2.9.2

3.*

3.0.0
3.0.0.rc1
3.0.1
3.0.2
3.1.0
3.1.1
3.10.0
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0
3.12.1
3.12.2
3.12.4
3.12.5
3.12.6
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.6.2
3.7.0
3.7.1
3.8.0
3.8.1
3.8.2
3.9.0
3.9.1

4.*

4.0.0
4.0.1
4.1.0
4.1.1
4.2.0
4.2.1
4.3.0
4.3.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7

Database specific

{
    "last_known_affected_version_range": "<= 4.3.7"
}

RubyGems / puma

puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.3.1

Affected versions

5.*

5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.3.0

Database specific

{
    "last_known_affected_version_range": "<= 5.3.0"
}