CVE-2021-29509
Denial of Service vulnerability in puma (RubyGems)

Type: Denial of Service | Known public exploit: none

What is CVE-2021-29509 About?

This vulnerability stems from an incomplete fix for an earlier denial of service (DoS) flaw in Puma, CVE-2019-16770. That fix stopped greedy persistent connections from starving already-accepted connections within one process, but new connections can still be starved when greedy keep-alive connections occupy every thread in every worker process. An attacker who can open enough keep-alive connections to tie up all threads across all processes can leave the server unable to accept new clients, and doing so requires nothing beyond ordinary HTTP/1.1 client behaviour.

Affected Software

  • puma
    • >=5.0.0, <5.3.1
    • <4.3.8

Technical Details

This vulnerability is a follow-up to CVE-2019-16770. The original fix addressed starvation of already-accepted connections within a single process, but new connections can still be starved. A Puma server, including one running in clustered mode with several worker processes, can have every thread in every process occupied by a sufficient number of "greedy" persistent keep-alive connections: clients that keep issuing requests on the same connection, so that the thread serving a connection never becomes free to accept another. Once the number of such connections reaches the total thread count, newly arriving legitimate connections wait in the accept queue indefinitely or are rejected, producing a denial of service.
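The starvation mechanism described above, as an added example that is not part of the original page and not Puma's own code: a small discrete-time model of a thread pool serving persistent connections. A policy of serving the same connection inline until the client closes (the behaviour the advisory describes) is compared with a policy that hands a connection back to the queue after a bounded number of requests, so that the thread becomes free for waiting clients. The policy names, the one-request-per-tick cost, the tail-of-queue handback and the `starvation_scenario` input are all assumptions of this model, chosen for illustration, and do not describe Puma's actual scheduling.

```ruby
# Added example (not Puma's code): a discrete-time model of a server thread
# pool handling persistent (keep-alive) connections. It shows how greedy
# connections that keep sending requests on the same socket starve new
# connections, and how bounding the work a thread does on one connection
# before handing it back to the queue prevents that.
#
# Assumptions (hypothetical, for illustration only): one request costs one
# tick of thread time; a handed-back connection goes to the tail of the
# accept queue; the policy knob names are this model's, not Puma's.

Connection = Struct.new(:name, :requests_left, :first_served_at)

class KeepAlivePoolModel
  # threads:    number of worker threads in the pool
  # max_inline: requests a thread serves on one connection before handing it
  #             back to the queue; nil means "keep serving the same connection
  #             inline until the client closes" (the starving behaviour)
  def initialize(threads:, max_inline: nil)
    @threads = threads
    @max_inline = max_inline
  end

  # Runs the model and returns { connection_name => tick of first service }.
  # nil means the connection was never served within max_ticks.
  def run(connections, max_ticks: 10_000)
    conns = connections.map(&:dup)   # do not mutate the caller's objects
    queue = conns.dup                # arrival order is queue order
    busy  = []                       # pairs of [connection, requests served inline]
    tick  = 0

    while tick < max_ticks && (queue.any? || busy.any?)
      # Idle threads pick up the next queued connection.
      busy << [queue.shift, 0] while busy.size < @threads && queue.any?

      # Every busy thread serves exactly one request this tick.
      busy = busy.filter_map do |conn, inline|
        conn.first_served_at ||= tick
        conn.requests_left -= 1
        inline += 1
        if conn.requests_left <= 0
          nil                         # client is done; thread is freed
        elsif @max_inline && inline >= @max_inline
          queue << conn               # hand back; thread is freed for others
          nil
        else
          [conn, inline]              # thread stays bound to this socket
        end
      end
      tick += 1
    end

    conns.to_h { |c| [c.name, c.first_served_at] }
  end
end

# Constructed scenario: enough greedy keep-alive clients to occupy every
# thread, each with many requests to send, followed by one well-behaved
# client that needs a single request.
def starvation_scenario(threads: 4, greedy_requests: 50)
  greedy = (1..threads).map { |i| Connection.new("greedy#{i}", greedy_requests, nil) }
  greedy + [Connection.new("victim", 1, nil)]
end

# Tick at which the well-behaved client is first served under a given policy.
def victim_delay(threads: 4, greedy_requests: 50, max_inline: nil)
  model = KeepAlivePoolModel.new(threads: threads, max_inline: max_inline)
  model.run(starvation_scenario(threads: threads, greedy_requests: greedy_requests))["victim"]
end

if __FILE__ == $PROGRAM_NAME
  puts "unbounded inline serving:    victim first served at tick #{victim_delay}"
  puts "hand back after 10 requests: victim first served at tick #{victim_delay(max_inline: 10)}"
end
```

With four threads and four greedy clients sending fifty requests each, the unbounded policy does not serve the victim until the greedy clients finish (tick 50); the attacker only has to keep sending requests to push that out indefinitely. Bounding inline service at ten requests serves the victim at tick 10, and the same effect can be obtained at the edge by limiting per-client connections or idle keep-alive time at a reverse proxy, as the exploitability section notes.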

What is the Impact of CVE-2021-29509?

Successful exploitation allows an unauthenticated remote attacker to make the server unresponsive by occupying every worker thread with persistent connections, denying service to legitimate users and affecting application availability. There is no impact on confidentiality or integrity.

What is the Exploitability of CVE-2021-29509?

Exploitation is of low complexity: the attacker needs only the ability to open enough HTTP keep-alive connections to the server, at least as many as the total number of threads across all worker processes, and to keep sending requests on them. No authentication or specific privileges are required, and keep-alive is the default in HTTP/1.1, so any client that can reach the server can attempt this remotely. The primary risk factor is direct exposure of the Puma server to untrusted traffic without per-client connection limits or keep-alive timeouts enforced at a load balancer or reverse proxy. Clustered mode does not help on its own, since the attacker can saturate the threads of every process.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits are listed.

What are the Available Fixes for CVE-2021-29509?

Available Upgrade Options

  • puma
    • <4.3.8 → Upgrade to 4.3.8
    • >=5.0.0, <5.3.1 → Upgrade to 5.3.1


Additional Resources

What are Similar Vulnerabilities to CVE-2021-29509?

Similar Vulnerabilities: CVE-2024-21647, CVE-2019-16770, CVE-2018-1000539, CVE-2017-7657, CVE-2015-8855