Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhtdzktcTd4OS1qNXFj

Unbounded connection acceptance leads to file handle exhaustion

Impact

All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected.

Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.

The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.

Patches

The issue is fixed in version 0.14.15 for NIO1SocketServerGroup. A maxConnections parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number.

The NIO2SocketServerGroup has no such setting and is now deprecated.

Workarounds

• An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx’s connection bounding is both asynchronous and properly respects backpressure.
• A similar sidecar strategy is viable for other non-HTTP services running on blaze-core.
• http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze’s, and as the newest backend, has substantially less industrial uptake.
• http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
• http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.

For more information

If you have any questions or comments about this advisory:

• Open an issue in http4s/blaze
• Contact us according to the http4s security policy

Permalink: https://github.com/advisories/GHSA-xmw9-q7x9-j5qc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhtdzktcTd4OS1qNXFj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-xmw9-q7x9-j5qc, CVE-2021-21293
References:

• https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc
• https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w
• https://github.com/http4s/blaze/commit/4f786177f9fb71ab272f3a5f6c80bca3e5662aa1
• https://nvd.nist.gov/vuln/detail/CVE-2021-21293
• https://github.com/advisories/GHSA-xmw9-q7x9-j5qc

Repository: https://github.com/http4s/blaze
Blast Radius: 3.6

Affected Packages