Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhtdzktcTd4OS1qNXFj
Unbounded connection acceptance leads to file handle exhaustion
Impact
All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected.
Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.
The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.
Patches
The issue is fixed in version 0.14.15 for NIO1SocketServerGroup
. A maxConnections
parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number.
The NIO2SocketServerGroup
has no such setting and is now deprecated.
Workarounds
- An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx’s connection bounding is both asynchronous and properly respects backpressure.
- A similar sidecar strategy is viable for other non-HTTP services running on blaze-core.
- http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze’s, and as the newest backend, has substantially less industrial uptake.
- http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
- http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
For more information
If you have any questions or comments about this advisory:
- Open an issue in http4s/blaze
- Contact us according to the http4s security policy
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhtdzktcTd4OS1qNXFj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-xmw9-q7x9-j5qc, CVE-2021-21293
References:
- https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc
- https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w
- https://github.com/http4s/blaze/commit/4f786177f9fb71ab272f3a5f6c80bca3e5662aa1
- https://nvd.nist.gov/vuln/detail/CVE-2021-21293
- https://github.com/advisories/GHSA-xmw9-q7x9-j5qc
Blast Radius: 3.6
Affected Packages
maven:org.http4s:blaze-core_2.13
Dependent packages: 1Dependent repositories: 3
Downloads:
Affected Version Ranges: < 0.14.15
Fixed in: 0.14.15
All affected versions: 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.14.11, 0.14.12, 0.14.13, 0.14.14
All unaffected versions: 0.14.15, 0.14.16, 0.14.17, 0.14.18, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.23.12, 0.23.13, 0.23.14, 0.23.15, 0.23.16
maven:org.http4s:blaze-core_2.12
Dependent packages: 1Dependent repositories: 3
Downloads:
Affected Version Ranges: < 0.14.15
Fixed in: 0.14.15
All affected versions: 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.14.11, 0.14.12, 0.14.13, 0.14.14
All unaffected versions: 0.14.15, 0.14.16, 0.14.17, 0.14.18, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.23.12, 0.23.13, 0.23.14, 0.23.15, 0.23.16
maven:org.http4s:blaze-core_2.11
Dependent packages: 1Dependent repositories: 3
Downloads:
Affected Version Ranges: < 0.14.15
Fixed in: 0.14.15
All affected versions: 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.7.0, 0.9.0, 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.12.1, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.13.0, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5, 0.14.6, 0.14.7, 0.14.8, 0.14.9, 0.14.10, 0.14.11, 0.14.12, 0.14.13, 0.14.14
All unaffected versions: 0.14.15, 0.14.16, 0.14.17, 0.14.18