Bug 1964874 (CVE-2021-29509) - CVE-2021-29509 rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial of Service (DoS)
Summary: CVE-2021-29509 rubygem-puma: incomplete fix for CVE-2019-16770 allows Denial ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-29509
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1964875 1964966 1965333
Blocks: 1964876 1997390
Reported: 2021-05-26 09:07 UTC by Marian Rehak
Modified: 2021-12-14 18:47 UTC

Fixed In Version: puma 4.3.8, puma 5.3.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-puma. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.
Clone Of:
Environment:
Last Closed: 2021-11-13 15:48:35 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2021:4702 (last updated 2021-11-16 14:08:14 UTC)

Description Marian Rehak 2021-05-26 09:07:20 UTC
The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

External Reference:

https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
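The starvation pattern in the description above, as an added illustration that is not Puma's code: a deterministic model of a fixed-size worker pool in which a worker that keeps holding a keep-alive connection until the peer is done leaves newly accepted connections waiting forever, placed beside an assumed variant that returns the connection to the back of the accept queue after every request. The pool size, the client mix and the "sticky" versus requeue scheduling rule are simplifications chosen for this example, not a description of the upstream fix.

```ruby
# Added illustration (not Puma's code): a deterministic model of a
# fixed-size worker pool serving HTTP connections.  Each connection wants
# `requests` sequential requests; a keep-alive connection stays open
# between them.  Every worker serves exactly one request per tick.
Conn = Struct.new(:id, :requests, :served, :keep_alive)

# sticky: true  -> a worker holds a keep-alive connection until the peer
#                  is done, so later connections wait in the queue
#                  indefinitely (the starvation pattern described above)
# sticky: false -> after each request the worker puts the connection at
#                  the back of the accept queue (assumed fair variant)
# Returns {connection id => requests served within `ticks`}.
def simulate(connections, threads:, sticky:, ticks:)
  queue = connections.dup   # accepted connections waiting for a worker
  busy  = []                # connections currently held by a worker
  ticks.times do
    # hand idle workers the oldest waiting connections
    busy << queue.shift while busy.size < threads && !queue.empty?
    busy.each { |c| c.served += 1 }
    busy = busy.select do |c|
      if c.served >= c.requests
        false                      # peer is done, connection closed
      elsif sticky && c.keep_alive
        true                       # worker keeps waiting on this socket
      else
        queue << c                 # requeue behind newer connections
        false
      end
    end
  end
  connections.map { |c| [c.id, c.served] }.to_h
end

# Constructed scenario: 2 worker threads, 2 greedy keep-alive clients
# sending 100 requests each, and 2 fresh one-request clients accepted
# right behind them.
def scenario
  [Conn.new(:greedy1, 100, 0, true),
   Conn.new(:greedy2, 100, 0, true),
   Conn.new(:new1, 1, 0, false),
   Conn.new(:new2, 1, 0, false)]
end

if __FILE__ == $PROGRAM_NAME
  p simulate(scenario, threads: 2, sticky: true,  ticks: 10)
  # => {:greedy1=>10, :greedy2=>10, :new1=>0, :new2=>0}
  p simulate(scenario, threads: 2, sticky: false, ticks: 10)
  # => {:greedy1=>9, :greedy2=>9, :new1=>1, :new2=>1}
end
```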

Comment 1 Marian Rehak 2021-05-26 09:07:56 UTC
Created rubygem-puma tracking bugs for this issue:

Affects: fedora-all [bug 1964875]

Comment 9 errata-xmlrpc 2021-11-16 14:08:12 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702

