Platform
ruby
Component
puma
Fixed in
4.3.8
5.3.1
CVE-2021-29509 is a Denial of Service (DoS) vulnerability in Puma, a popular Ruby web server. It stems from an incomplete fix for an earlier vulnerability (CVE-2019-16770) in which excessive persistent (keep-alive) connections can exhaust server threads and disrupt service. It affects Puma releases before 4.3.8 and the 5.x line from 5.0.0 up to and including 5.3.0; fixed releases are 4.3.8 and 5.3.1.
The core of the vulnerability lies in Puma's handling of persistent connections. An attacker opens a large number of keep-alive connections and keeps sending requests on each of them. The original fix for CVE-2019-16770 only protected connections that had already been accepted by the same process; it did not stop greedy persistent connections from occupying every thread in every process of a cluster, so newly arriving connections are still starved. Legitimate users can then no longer reach the application at all. The blast radius is the whole Puma-powered application: the attack needs nothing more than the ability to open TCP connections to the server, and the server stays unresponsive for as long as the attacker holds the connections open.
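To make the starvation concrete, the following Ruby script is an added example written for this page; it is a deliberately simplified scheduling model, not Puma's own code. It runs a fixed-size pool of worker threads over a queue of connections: in greedy mode a thread keeps serving one keep-alive connection as long as that connection has more requests (the behaviour the incomplete fix left in place), while in fair mode a thread hands its connection back to the queue after each request whenever other connections are waiting. The names `simulate`, `starved?`, `SCENARIO` and the connection counts are assumptions chosen for the example.

```ruby
# Added example: a deterministic, simplified model of the thread starvation
# behind CVE-2021-29509. This is NOT Puma's code; it reproduces only the effect
# the advisory describes: a thread that keeps serving requests on one
# keep-alive connection never returns to the accept queue, so with enough
# greedy connections every thread is pinned and new clients are never served.

# A keep-alive connection with a number of requests still to send.
Conn = Struct.new(:name, :pending)

# Simulate a fixed-size thread pool for a number of scheduling steps.
#
# greedy: true  -> a thread keeps its connection while it has more requests
#                  (the starving behaviour)
# greedy: false -> after each request, if other connections are waiting, the
#                  thread puts its connection at the back of the queue and picks
#                  up the next waiting one (the fairness a fix has to provide)
#
# Returns a Hash of connection name => number of requests served.
def simulate(connections, threads:, steps:, greedy:)
  queue  = connections.map { |name, pending| Conn.new(name, pending) }
  held   = Array.new(threads)          # connection each thread currently holds
  served = Hash.new(0)

  steps.times do
    threads.times do |t|
      held[t] ||= queue.shift          # an idle thread picks the next waiting connection
      conn = held[t]
      next if conn.nil?                # nothing waiting for this thread

      served[conn.name] += 1           # serve one request on this connection
      conn.pending -= 1

      if conn.pending.zero?
        held[t] = nil                  # client is done; thread becomes idle
      elsif !greedy && !queue.empty?
        queue.push(conn)               # yield: let a waiting connection in
        held[t] = nil
      end
    end
  end
  served
end

# Constructed scenario (assumption): two threads, two attacker connections
# that never stop sending, and one legitimate client that needs one request.
SCENARIO = [["attacker-1", 1_000], ["attacker-2", 1_000], ["victim", 1]].freeze

# True when the legitimate client never gets a single response.
def starved?(greedy:)
  simulate(SCENARIO, threads: 2, steps: 50, greedy: greedy)["victim"].zero?
end

if __FILE__ == $PROGRAM_NAME
  puts "greedy (vulnerable pattern): victim served? #{!starved?(greedy: true)}"
  puts "fair   (fixed pattern):      victim served? #{!starved?(greedy: false)}"
end
```

With two threads and two greedy connections the victim is never served in greedy mode, while in fair mode it is served on the second scheduling step; adding worker processes does not change the greedy outcome as long as the attacker holds at least as many connections as there are threads in total.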
CVE-2021-29509 is related to CVE-2019-16770, highlighting the importance of thorough vulnerability remediation. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it relatively easy to trigger. The vulnerability was published on 2021-05-18. No KEV listing or confirmed exploitation campaigns have been publicly reported as of this writing.
Applications built with Ruby on Rails or other Ruby frameworks that use Puma as their web server are at risk. Clustered deployments (multiple worker processes) are particularly exposed, because the incomplete fix only guarded connections within a single process and the persistent connections can pin every thread in every worker. Legacy applications pinned to older Puma versions are especially likely to still be affected.
• linux / server: Use ss or lsof to monitor the number of persistent connections to the Puma server. A high count of established connections, especially many from a single source address, could indicate an attack. If Puma runs as a systemd unit named puma, journalctl -u puma can be used to check the service log for errors.
ss -tan | grep :9000 # Replace 9000 with Puma's listening port (9292 by default)
lsof -i :9000
• generic web: Monitor server resource utilization (CPU, memory) for sudden spikes that correlate with increased traffic. Check access logs for unusual patterns of persistent connections from specific IP addresses.
curl -v https://your-puma-server.com/ # Observe keep-alive headers
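The following Ruby script is an added example (not part of this page's original tooling and not from the Puma project) that turns the ss check above into a repeatable test: it parses `ss -tan` output, counts established connections to the Puma port per peer address, normalises IPv4-mapped IPv6 peers so one client is not counted twice, and flags peers holding more connections than a threshold. The port constant, the threshold and the sample output embedded at the bottom are constructed assumptions; run it against real output with `ss -tan > /tmp/ss.txt && ruby keepalive_watch.rb /tmp/ss.txt`.

```ruby
# Added example: per-peer count of established connections to the Puma port,
# parsed from `ss -tan` output. Not from the page's original tooling or from Puma.

PUMA_PORT = 9000   # assumption: Puma's listening port (Puma's default is 9292)
THRESHOLD = 3      # assumption: tune to the per-client concurrency you expect

# "198.51.100.7:51002"          -> ["198.51.100.7", "51002"]
# "[::ffff:198.51.100.7]:51005" -> ["198.51.100.7", "51005"]  (mapped IPv4 folded)
def split_host_port(addr)
  host, _sep, port = addr.rpartition(":")
  [host.delete("[]").sub(/\A::ffff:/, ""), port]
end

# Parse `ss -tan` lines. Columns: State Recv-Q Send-Q Local Peer [Process].
# Returns Hash peer_ip => number of ESTAB connections whose local port is `port`.
def count_established(lines, port: PUMA_PORT)
  counts = Hash.new(0)
  lines.each do |line|
    state, _recvq, _sendq, local, peer = line.split
    next unless state == "ESTAB"              # skips header, LISTEN, TIME-WAIT
    next unless local&.end_with?(":#{port}")  # only sockets on the Puma port
    ip, _peer_port = split_host_port(peer)
    counts[ip] += 1
  end
  counts
end

# Peers at or above the threshold, busiest first. Returns [[ip, count], ...].
def suspicious_peers(counts, threshold: THRESHOLD)
  counts.select { |_ip, n| n >= threshold }.sort_by { |ip, n| [-n, ip] }
end

# Constructed sample of `ss -tan` output (not captured from a real host).
SAMPLE_SS_OUTPUT = <<~SS
  State     Recv-Q Send-Q Local Address:Port        Peer Address:Port
  LISTEN    0      1024   0.0.0.0:9000              0.0.0.0:*
  ESTAB     0      0      10.0.0.5:9000             198.51.100.7:51002
  ESTAB     0      0      10.0.0.5:9000             198.51.100.7:51003
  ESTAB     0      0      10.0.0.5:9000             198.51.100.7:51004
  ESTAB     0      0      [::ffff:10.0.0.5]:9000    [::ffff:198.51.100.7]:51005
  ESTAB     0      0      10.0.0.5:9000             203.0.113.9:40211
  TIME-WAIT 0      0      10.0.0.5:9000             203.0.113.9:40188
  ESTAB     0      0      10.0.0.5:22               192.0.2.44:55010
SS

if __FILE__ == $PROGRAM_NAME
  lines  = ARGV[0] ? File.readlines(ARGV[0]) : SAMPLE_SS_OUTPUT.lines
  counts = count_established(lines)
  suspicious_peers(counts).each do |ip, n|
    puts "#{ip}: #{n} established connections to port #{PUMA_PORT}"
  end
end
```

A count alone does not prove abuse: a reverse proxy or a load balancer in front of Puma legitimately holds many persistent upstream connections from one address, so exclude those sources or run the check on the proxy's client-facing side instead.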
Exploit Status
EPSS
1.36% (80th percentile)
CVSS vector
The primary mitigation for CVE-2021-29509 is to upgrade to Puma 4.3.8 or later on the 4.x line, or 5.3.1 or later on the 5.x line; both contain the complete fix. If an immediate upgrade is not feasible, rate-limit incoming connections per source address (for example at the reverse proxy or load balancer) so that a single client cannot hold enough persistent connections to pin every thread. A Web Application Firewall (WAF) can also be configured to detect and block suspicious connection patterns. Monitor Puma's thread usage and connection counts to spot an attack in progress. After upgrading, confirm the fix in a staging environment by opening a high volume of persistent connections and verifying that a fresh connection is still served.
Upgrade the `puma` gem to version 4.3.8 or later, or to version 5.3.1 or later. Alternatively, you can set `queue_requests false` in the Puma configuration, although this is not recommended unless Puma sits behind a reverse proxy such as Nginx or Apache.
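Whether a given application is affected follows from the puma version resolved in its Gemfile.lock. The following Ruby script is an added example (not from this page or from the Puma project) that extracts that version from lockfile text and checks it against the affected ranges the advisory publishes, using the version comparison built into RubyGems rather than string comparison, so that 4.3.10 is correctly treated as newer than 4.3.8. The lockfile excerpts embedded in it are constructed, and the function names are assumptions.

```ruby
# Added example: check the puma version pinned in a Gemfile.lock against the
# ranges affected by CVE-2021-29509. Not from the page or from the Puma project.
require 'rubygems'

# Affected ranges as published in advisory GHSA-7xx3-m584-x994:
# every release before 4.3.8, and 5.x from 5.0.0 up to (not including) 5.3.1.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 4.3.8"),
  Gem::Requirement.new(">= 5.0.0", "< 5.3.1"),
].freeze

# Extract the resolved puma version from Gemfile.lock text.
# Resolved gems sit under "specs:" indented by four spaces, e.g. "    puma (5.2.2)";
# platform builds look like "puma (5.2.2-java)", so the platform suffix is dropped.
# Returns a Gem::Version, or nil when puma is not in the lockfile.
def puma_version_from_lockfile(text)
  match = text.match(/^ {4}puma \(([^)]+)\)/)
  return nil unless match
  Gem::Version.new(match[1].split("-").first)
end

# True when the version falls inside any affected range.
def affected?(version)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(version) }
end

# Verdict for a lockfile: :affected, :fixed, or :not_present.
def check_lockfile(text)
  version = puma_version_from_lockfile(text)
  return :not_present unless version
  affected?(version) ? :affected : :fixed
end

# Constructed Gemfile.lock excerpt (not taken from a real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.7)
      puma (5.2.2)
        nio4r (~> 2.0)

  DEPENDENCIES
    puma (~> 5.0)
LOCK

# Same excerpt after the upgrade described above.
FIXED_LOCK = VULNERABLE_LOCK.sub("puma (5.2.2)", "puma (5.3.1)")

if __FILE__ == $PROGRAM_NAME
  text    = ARGV[0] ? File.read(ARGV[0]) : VULNERABLE_LOCK
  version = puma_version_from_lockfile(text)
  puts "puma #{version || '(not present)'}: #{check_lockfile(text)}"
end
```

Run it as `ruby check_puma.rb Gemfile.lock`; without an argument it evaluates the constructed sample. Note that the `DEPENDENCIES` section of a lockfile lists the requested constraint (for example `puma (~> 5.0)`), not the resolved release, which is why the script only reads the four-space-indented `specs:` entry.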
CVE-2021-29509 is a Denial of Service vulnerability in Puma, a Ruby web server, where excessive persistent connections can exhaust server threads, leading to service disruption.
Yes, if you are using Puma before 4.3.8, or any 5.x release before 5.3.1, you are affected. Upgrade to 4.3.8 or 5.3.1 (or later) to mitigate the risk.
The recommended fix is to upgrade to Puma 4.3.8 or later (4.x) or 5.3.1 or later (5.x). If an immediate upgrade is not possible, rate-limit connections per source address and monitor server resource usage.
While no confirmed exploitation campaigns have been publicly reported, the vulnerability's nature makes it relatively easy to trigger, so vigilance is advised.
You can find the official advisory on the Puma GitHub security advisories page: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994