Bug 1188527 (CVE-2021-29509) - VUL-0: CVE-2021-29509: rubygem-puma: incomplete fix for allows Denial of Service (DoS)
Status: RESOLVED FIXED
Alias: CVE-2021-29509
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/284117/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-29509:7.5:(AV:...
Reported: 2021-07-20 15:55 UTC by Wolfgang Frisch
Modified: 2024-05-10 17:52 UTC

Found By: Security Response Team
Description Wolfgang Frisch 2021-07-20 15:55:20 UTC
CVE-2021-29509

The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections.

External Reference:

https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1964874
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29509
https://github.com/puma/puma/security/policy
https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
http://www.cvedetails.com/cve/CVE-2021-29509/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29509
https://rubygems.org/gems/puma
https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
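The starvation described above, as an added model that is not part of the original report and is not puma's code: a thread pool of `threads` workers serving persistent (keep-alive) clients, once with the vulnerable "hold the connection until the client closes it" behaviour and once with a simplified round-robin requeue rule (an assumption for illustration, not puma's actual patch). The greedy run never gets around to the third client within the observed window; the fair run serves it on the second tick.

```ruby
# Added example, not puma's code: a deterministic model of CVE-2021-29509.
# A "worker" is one thread of the pool; a "connection" is a keep-alive client
# sending `requests` requests back to back. Returns { id => tick of first
# response }; a connection never served within `ticks` steps is absent.
def persistent_clients(count, requests:)
  (1..count).map { |id| { id: id, requests: requests } }
end

def simulate(threads:, connections:, ticks:, policy:)
  queue = connections.map(&:dup)   # connections waiting for a worker
  busy  = []                       # connections currently held by a worker
  first_served = {}
  ticks.times do |tick|
    # idle workers accept waiting connections, in arrival order
    busy << queue.shift while busy.size < threads && !queue.empty?
    busy.each do |conn|
      conn[:requests] -= 1
      first_served[conn[:id]] ||= tick
    end
    # a client that has sent all its requests closes the connection
    busy.reject! { |c| c[:requests] <= 0 }
    # :greedy = the vulnerable behaviour: a worker keeps its keep-alive
    #           connection until the client closes it, so waiting clients starve.
    # :fair   = simplified hardened behaviour (assumed, not puma's code): after
    #           one request a keep-alive connection goes to the back of the
    #           queue whenever another connection is waiting.
    if policy == :fair && !queue.empty?
      queue.concat(busy)
      busy.clear
    end
  end
  first_served
end

if __FILE__ == $PROGRAM_NAME
  clients = persistent_clients(3, requests: 5)   # constructed sample: 3 clients, 2 threads
  p simulate(threads: 2, connections: clients, ticks: 4, policy: :greedy) # {1=>0, 2=>0}
  p simulate(threads: 2, connections: clients, ticks: 4, policy: :fair)   # {1=>0, 2=>0, 3=>1}
end
```

With more keep-alive clients than threads and a longer pipeline per client, the greedy result stays the same while the fair result still lists every client, which is the property the advisory says the CVE-2019-16770 fix failed to guarantee across new connections.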
Comment 2 Wolfgang Frisch 2021-07-20 16:08:53 UTC
SUSE:SLE-15:Update Affected [1]
[1] according to upstream
Comment 4 Swamp Workflow Management 2021-08-17 19:23:46 UTC
SUSE-SU-2021:2761-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188527
CVE References: CVE-2021-29509
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    rubygem-puma-2.16.0-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-09-02 13:29:57 UTC
SUSE-SU-2021:2914-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1188527
CVE References: CVE-2021-29509
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rubygem-puma-2.16.0-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Christian Almeida de Oliveira 2021-09-06 14:12:07 UTC
Fixes are available for both SOC 8 and SOC 9. Back to Security team.
Comment 9 Swamp Workflow Management 2022-05-04 13:17:12 UTC
SUSE-SU-2022:1515-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1188527,1191681,1196222
CVE References: CVE-2021-29509,CVE-2021-41136,CVE-2022-23634
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    rubygem-puma-4.3.11-150000.3.6.2
openSUSE Leap 15.3 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP4 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15 (src):    rubygem-puma-4.3.11-150000.3.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.