Patched versions: 4.3.1 (4.x branch) and 3.12.2 (3.x branch)
CVE-2019-16770 describes a Denial of Service (DoS) vulnerability in the Puma web server. A poorly behaved or malicious client can exploit it by opening keepalive connections and sending requests on them frequently enough to monopolize Puma's reactor, so that legitimate requests are never processed. Affected versions are Puma 3.x before 3.12.2 and 4.x before 4.3.1; the fix shipped in Puma 4.3.1 and was backported to 3.12.2.
The impact of CVE-2019-16770 is a denial of service: a successful attack leaves the Puma server unable to serve new requests, so users cannot reach the applications behind it, with the service disruption and business impact that implies. The root cause is how Puma's threads handled keepalive connections: a thread that had just served a request on a keepalive connection kept serving the next request on that same connection rather than handing the connection back to the reactor. If an attacker opens more keepalive connections than Puma has threads and keeps sending requests on each of them quickly enough, every thread stays bound to an attacker connection and any further connection waits in the reactor indefinitely. This is the connection-holding class of resource exhaustion seen against other web servers: each connection costs the attacker little, while each one pins a scarce server-side resource (here, a worker thread) for as long as the attacker keeps it busy.
CVE-2019-16770 was published on December 5, 2019. There is no indication of it being actively exploited in the wild, and it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. Its EPSS (Exploit Prediction Scoring System) score is 1.59%, low in absolute terms but at the 82nd percentile of all scored CVEs: the attack needs no special tooling, even though no public proof-of-concept (PoC) code has been widely reported.
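To make the starvation condition concrete, here is an added discrete-time model of the behaviour described above; it is illustration code written for this page, not code from Puma or from the advisory. Each worker thread serves one request per tick. Under the vulnerable policy a thread keeps serving the same keepalive connection as long as that connection has another request waiting; under the fixed policy it hands the connection back to the reactor after at most max_inline back-to-back requests. The scheduler, the tick model and the cap of 10 are assumptions chosen for the illustration, not Puma's implementation.

```ruby
# Added example, not code from Puma or the advisory: a discrete-time model of
# keepalive starvation. One worker thread serves one request per tick.
# Vulnerable policy (max_inline: nil): a thread stays on a keepalive
# connection while it has another request waiting. Fixed policy: after
# max_inline back-to-back requests the connection goes back to the reactor.
# The scheduler, tick model and the value 10 are assumptions for illustration.

Connection = Struct.new(:name, :pending, :served_at)

# Returns the tick at which the single legitimate request was served, or nil
# if it was still waiting in the reactor when the simulation ended.
def simulate(threads:, attacker_conns:, max_inline:, ticks: 200)
  # Attacker connections always have another request ready, modelling a
  # client that sends on each keepalive connection "frequently enough".
  ready = Array.new(attacker_conns) { |i| Connection.new("attacker-#{i}", Float::INFINITY, nil) }
  legit = Connection.new("legit", 1, nil)
  ready << legit # the legitimate client connects after the attacker

  workers = Array.new(threads) # each slot: nil or [connection, consecutive_requests]

  ticks.times do |t|
    workers.each_index do |i|
      if workers[i].nil?
        conn = ready.shift # take the next connection the reactor has queued
        next if conn.nil?
        workers[i] = [conn, 0]
      end
      conn, streak = workers[i]
      conn.pending -= 1 unless conn.pending.infinite?
      conn.served_at ||= t
      streak += 1
      if conn.pending > 0 && (max_inline.nil? || streak < max_inline)
        workers[i] = [conn, streak] # stay bound to this keepalive connection
      else
        ready << conn if conn.pending > 0 # hand it back to the reactor's queue
        workers[i] = nil # thread is free for the next ready connection
      end
    end
  end
  legit.served_at
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, 2 threads, 1 attacker conn:      #{simulate(threads: 2, attacker_conns: 1, max_inline: nil).inspect}"
  puts "vulnerable, 2 threads, 2 attacker conns:     #{simulate(threads: 2, attacker_conns: 2, max_inline: nil).inspect}"
  puts "fixed (cap 10), 2 threads, 2 attacker conns: #{simulate(threads: 2, attacker_conns: 2, max_inline: 10).inspect}"
end
```

With fewer attacker connections than threads the legitimate request is served immediately under either policy; once attacker connections reach the thread count, the vulnerable policy never serves it (nil), while the capped policy serves it as soon as the first thread cycles back to the reactor.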
Exploitation status
EPSS: 1.59% (82nd percentile)
CVSS vector
The recommended mitigation for CVE-2019-16770 is to upgrade to Puma 4.3.1 or 3.12.2 (or later on the respective branch), which contain the fix. If upgrading is not immediately feasible, the advisory's workaround is to put a reverse proxy (e.g. Nginx, Apache httpd) in front of Puma and limit the number of keepalive connections the proxy may hold open to each Puma process to fewer than that process's configured thread count; with 10 threads, allow at most 9 keepalive connections. Two caveats: the thread count is per Puma process, so in cluster mode the limit applies per worker process, not to the cluster as a whole; and Nginx does not keep upstream connections alive by default (it speaks HTTP/1.0 to the backend and closes the connection after each response unless the `upstream` block sets the `keepalive` directive and the proxy is configured for HTTP/1.1 with an empty `Connection` header), so a default Nginx configuration already prevents a client from holding keepalive connections directly to Puma. After upgrading, confirm the fix by opening more keepalive connections to Puma than it has threads, keeping each one busy with continuous requests, and verifying that a separate request still completes.
Upgrade the Puma gem to 4.3.1 or later, or to 3.12.2 or later on the 3.x branch. This resolves the denial of service caused by a malicious client using keepalive requests to monopolize Puma's reactor. Run `gem update puma` to update a system-installed gem; for a Bundler-managed application, relax the constraint in the Gemfile if needed, run `bundle update puma`, and commit the updated Gemfile.lock so that deployments pick up the fixed version.
CVE-2019-16770 is a Denial of Service vulnerability in Puma 3.x before 3.12.2 and 4.x before 4.3.1. A malicious client can monopolize Puma's reactor with keepalive requests, causing a denial of service.
You are affected if you are running Puma 3.x earlier than 3.12.2 or 4.x earlier than 4.3.1. Check your Puma version with `puma -v` (or `bundle exec puma -v` inside a Bundler-managed application, which reports the version the application actually loads).
Upgrade to Puma 4.3.1 or 3.12.2, or later. As a temporary workaround, configure a reverse proxy in front of Puma that limits keepalive connections to fewer than Puma's thread count.
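The version check above can be automated against a Gemfile.lock rather than read by eye. The following is an added example written for this page, not Puma's or the advisory's code: it encodes the affected ranges (before 3.12.2, and 4.0.0 up to but not including 4.3.1) using RubyGems' own version comparison, extracts the resolved puma version from a lockfile, and reports the fix version for the branch in use. The sample lockfile is constructed for the example, and the lockfile layout assumed is Bundler's (resolved specs indented four spaces under "specs:").

```ruby
# Added example, not Puma's code: decide from a version string (or from a
# Gemfile.lock) whether an installation falls in the range affected by
# CVE-2019-16770. Fix versions 3.12.2 and 4.3.1 are from the advisory; the
# lockfile layout assumed is Bundler's Gemfile.lock.
require "rubygems"

FIXED_3X = Gem::Version.new("3.12.2")
FIXED_4X = Gem::Version.new("4.3.1")
BRANCH_4 = Gem::Version.new("4.0.0")

# Affected: anything before 3.12.2, and 4.0.0 up to (not including) 4.3.1.
# 3.12.2 <= v < 4.0.0 is the patched 3.x line; 4.3.1 and later (5.x, ...) are fixed.
def puma_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < FIXED_3X
  return true if v >= BRANCH_4 && v < FIXED_4X
  false
end

# Pull the resolved puma version out of a Gemfile.lock. Resolved specs sit
# under "specs:" indented exactly four spaces, e.g. "    puma (4.3.0)"; a
# platform suffix such as "4.3.0-java" is dropped. Dependency constraints
# like "  puma (~> 4.3)" do not match because they do not start with a digit.
def puma_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    m = line.match(/\A {4}puma \((\d[^)\s-]*)(?:-[^)]*)?\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Version of the puma gem visible to this Ruby (what `puma -v` reports).
def installed_puma_version
  Gem::Specification.find_by_name("puma").version.to_s
rescue Gem::LoadError
  nil
end

def assess(version)
  return "puma not found" if version.nil?
  return "puma #{version} is not affected by CVE-2019-16770" unless puma_affected?(version)
  fix = Gem::Version.new(version) < BRANCH_4 ? FIXED_3X : FIXED_4X
  "puma #{version} is affected by CVE-2019-16770; upgrade to #{fix} or later"
end

# Constructed sample lockfile pinning a vulnerable 4.x release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.2)
      puma (4.3.0)
        nio4r (~> 2.0)
      rack (2.0.8)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma (~> 4.3)
    rack
LOCK

if __FILE__ == $PROGRAM_NAME
  puts assess(puma_version_from_lockfile(SAMPLE_LOCK))
  puts assess(installed_puma_version)
end
```

Run it in the application directory (or pass the real lockfile's contents to `puma_version_from_lockfile`) to get a yes/no answer tied to the exact resolved version rather than to the Gemfile's constraint, which may allow both fixed and unfixed releases.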
There is currently no evidence of CVE-2019-16770 being actively exploited in the wild.
Refer to the Puma security advisory for details: https://github.com/puma/puma/security/advisories/GHSA-5g43-x455-744g