Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete: the original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent connections saturating all threads in all processes in the cluster. A Puma server which received more concurrent keep-alive connections than it had threads in its thread pool would service only a subset of those connections, denying service to the rest. This problem has been fixed in Puma 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue, but this is not advised when running Puma without a reverse proxy such as nginx or Apache, because it opens the server to slow-client attacks (e.g. Slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.
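The starvation the advisory describes is easiest to see in a small model. The Ruby below is an added illustration, not Puma's code: it simulates a fixed-size thread pool where `hold_between_requests: true` stands for a worker thread that blocks on a keep-alive socket waiting for the client's next request, and `false` stands for handing the connection back to the queue after each response so waiting connections get a turn (the assumed effect of the fixed versions or of `queue_requests false`; Puma's real reactor is more involved). Connection counts, request counts and tick values are constructed for the example.

```ruby
# Added example (not from Puma): a deterministic model of how a handful of
# greedy keep-alive connections can monopolise every thread in a pool and
# starve later connections of service.

# A persistent connection that will send `requests_remaining` requests on the
# same socket before closing; `arrived_at` is the tick it shows up at.
Connection = Struct.new(:id, :requests_remaining, :arrived_at)

# Run `ticks` rounds over a pool of `threads` workers. Each round a worker
# serves one request for the connection it holds. Returns a hash of
# connection id => number of requests served.
def simulate(threads:, connections:, ticks:, hold_between_requests:)
  arrivals = connections.sort_by(&:arrived_at)
  pending  = []                  # FIFO of connections waiting for a free thread
  workers  = Array.new(threads)  # connection held by each worker, or nil
  served   = Hash.new(0)

  ticks.times do |tick|
    # Connections that have arrived by this tick join the queue.
    pending.concat(arrivals.take_while { |c| c.arrived_at <= tick })
    arrivals = arrivals.drop_while { |c| c.arrived_at <= tick }

    # Idle workers pick up the next queued connection.
    workers.map! { |held| held || pending.shift }

    workers.map! do |conn|
      next nil if conn.nil?
      served[conn.id] += 1
      conn.requests_remaining -= 1
      if conn.requests_remaining <= 0
        nil                 # client closed; the thread is free again
      elsif hold_between_requests
        conn                # thread stays blocked waiting for the next keep-alive request
      else
        pending.push(conn)  # connection re-queued; the thread is free for others
        nil
      end
    end
  end
  served
end

# Constructed scenario: as many greedy keep-alive clients as there are
# threads, plus two ordinary single-request connections that arrive a tick
# later.
def starvation_scenario
  greedy    = (1..4).map { |i| Connection.new("greedy-#{i}", 1_000, 0) }
  newcomers = (1..2).map { |i| Connection.new("new-#{i}", 1, 1) }
  greedy + newcomers
end

# Ids of connections that received no service at all within the run.
def starved_connections(hold_between_requests:)
  served = simulate(threads: 4, connections: starvation_scenario,
                    ticks: 50, hold_between_requests: hold_between_requests)
  starvation_scenario.map(&:id).reject { |id| served[id] > 0 }
end

if $PROGRAM_NAME == __FILE__
  puts "threads held between requests: starved = #{starved_connections(hold_between_requests: true).inspect}"
  puts "connections re-queued:          starved = #{starved_connections(hold_between_requests: false).inspect}"
end
```

With the threads held across keep-alive waits, the two newcomers never get a thread no matter how long the run; once connections are re-queued after each response, both are served within a couple of ticks while the greedy clients still make progress. This is the same trade the advisory points to: re-queuing frees threads, but without a reverse proxy in front the server then bears the cost of slow clients itself.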
The product does not properly control the allocation and maintenance of a limited resource.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Puma | Puma | * | 4.3.8 (excluding) |
Puma | Puma | 5.0.0 (including) | 5.3.1 (excluding) |
Red Hat Satellite 6.10 for RHEL 7 | RedHat | tfm-rubygem-puma-0:5.3.2-1.el7sat | * |
Puma | Ubuntu | groovy | * |
Puma | Ubuntu | hirsute | * |
Puma | Ubuntu | impish | * |
Puma | Ubuntu | trusty | * |
Puma | Ubuntu | upstream | * |
Puma | Ubuntu | xenial | * |
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.