ghsa-xhv5-w9c5-2r2w
Vulnerability from github
Impact
blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.
http4s provides a general MaxActiveRequests middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.
Patches
In 0.21.18, 0.22.0-M3, and 1.0.0-M16, a newmaxConnections property, with a default value of 1024, has been added to the BlazeServerBuilder. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended.
The NIO2 backend does not respect maxConnections. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22.
The connections are bounded in 0.21.17, 0.22.0-M2, and 1.0.0-M14, but the maxConnections parameter was passed incorrectly, making it impossible to change the Blaze default of 512.
Workarounds
- An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx’s connection bounding is both asynchronous and properly respects backpressure.
- http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze’s, and as the newest backend, has substantially less industrial uptake.
- http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
- http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
References
See the Blaze GHSA for more on the underlying issue.
For more information
If you have any questions or comments about this advisory: * Open an issue in http4s/http4s * Contact us according to the http4s security policy
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.http4s:http4s-blaze-server_2.12"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.http4s:http4s-blaze-server_2.13"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21294"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-02T21:42:25Z",
"nvd_published_at": "2021-02-02T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nblaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.\n\nhttp4s provides a general `MaxActiveRequests` middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.\n\n### Patches\n\nIn 0.21.18, 0.22.0-M3, and 1.0.0-M16, a new`maxConnections` property, with a default value of 1024, has been added to the `BlazeServerBuilder`. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended. \n\nThe NIO2 backend does not respect `maxConnections`. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22.\n\nThe connections are bounded in 0.21.17, 0.22.0-M2, and 1.0.0-M14, but the `maxConnections` parameter was passed incorrectly, making it impossible to change the Blaze default of 512. \n\n### Workarounds\n* An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx\u2019s connection bounding is both asynchronous and properly respects backpressure.\n* http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze\u2019s, and as the newest backend, has substantially less industrial uptake.\n* http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze\u2019s, and despite Jetty\u0027s industrial adoption, the http4s integration has substantially less industrial uptake.\n* http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze\u2019s, and despite Jetty\u0027s industrial adoption, the http4s integration has substantially less industrial uptake.\n\n### References\n\nSee [the Blaze GHSA](https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc) for more on the underlying issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [http4s/http4s](http://github.com/http4s/http4s)\n* Contact us according to the [http4s security policy](https://github.com/http4s/http4s/security/policy)",
"id": "GHSA-xhv5-w9c5-2r2w",
"modified": "2022-10-25T20:51:11Z",
"published": "2021-02-02T21:42:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc"
},
{
"type": "WEB",
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21294"
},
{
"type": "WEB",
"url": "https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unbounded connection acceptance in http4s-blaze-server"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.