
CVE-2021-21293: Unbounded connection acceptance leads to file handle exhaustion

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.66253%
Published: 2/2/2021
Updated: 1/29/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.http4s:blaze-core_2.11 | maven | < 0.14.15 | 0.14.15 |
| org.http4s:blaze-core_2.12 | maven | < 0.14.15 | 0.14.15 |
| org.http4s:blaze-core_2.13 | maven | < 0.14.15 | 0.14.15 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from Blaze's connection acceptance logic in NIO1SocketServerGroup. The advisory explicitly states that the problem occurred in the accept loop, where connections were accepted before any limit was applied. The commit diff shows that the fix introduced a maxConnections parameter and semaphore-based throttling in this class. Prior to this, serverLoop called ServerSocketChannel.accept() in an unbounded loop with no resource limit, so every incoming connection consumed a file handle. http4s-blaze-server's own connection limit was applied only after acceptance, which makes the underlying NIO1SocketServerGroup accept loop the root cause.
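To make the root cause concrete, the following is an added illustration in plain Java NIO, not Blaze's or http4s's own code. It places the unbounded accept loop described above next to the semaphore-throttled shape the fix introduced: a permit sized by maxConnections is taken before accept() and handed back only when the connection's descriptor is closed, so excess clients wait in the kernel listen backlog instead of consuming file handles in the process. The class name BoundedAcceptLoop, the echo handler, the default limit of 64 and the port 8080 are all assumptions made for the example.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.ServerSocketChannel;
import java.nio.channels.SocketChannel;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Semaphore;

/**
 * Added illustration (not Blaze's code): an unbounded NIO accept loop beside
 * one throttled by a semaphore sized to maxConnections. All names are hypothetical.
 */
public class BoundedAcceptLoop {

    // VULNERABLE shape: every incoming connection is accepted at once and holds a
    // file descriptor, no matter how many are already open. A flood exhausts handles.
    static void acceptUnbounded(ServerSocketChannel server, ExecutorService pool) throws IOException {
        while (server.isOpen()) {
            SocketChannel ch = server.accept();          // no limit applied before accept
            pool.submit(() -> {
                try { handle(ch); } finally { closeQuietly(ch); }
            });
        }
    }

    // HARDENED shape: acquire a permit *before* accept(), so connections beyond the
    // limit stay in the kernel backlog and never cost this process a descriptor.
    static void acceptBounded(ServerSocketChannel server, ExecutorService pool, int maxConnections)
            throws IOException, InterruptedException {
        Semaphore permits = new Semaphore(maxConnections);
        while (server.isOpen()) {
            permits.acquire();                           // blocks once maxConnections are open
            final SocketChannel ch;
            try {
                ch = server.accept();
            } catch (IOException e) {
                permits.release();                       // nothing was opened; return the permit
                throw e;
            }
            pool.submit(() -> {
                try {
                    handle(ch);
                } finally {
                    closeQuietly(ch);
                    permits.release();                   // permit returns only after the fd is closed
                }
            });
        }
    }

    // Minimal per-connection work for the example: echo bytes until the client disconnects.
    static void handle(SocketChannel ch) {
        ByteBuffer buf = ByteBuffer.allocate(1024);
        try {
            while (ch.read(buf) != -1) {                 // -1 means the peer closed its side
                buf.flip();
                while (buf.hasRemaining()) {
                    ch.write(buf);
                }
                buf.clear();
            }
        } catch (IOException ignored) {
            // client went away; the caller's finally block closes the channel and releases the permit
        }
    }

    static void closeQuietly(SocketChannel ch) {
        try { ch.close(); } catch (IOException ignored) { }
    }

    public static void main(String[] args) throws Exception {
        int maxConnections = args.length > 0 ? Integer.parseInt(args[0]) : 64;  // hypothetical default
        ExecutorService pool = Executors.newCachedThreadPool();
        try (ServerSocketChannel server = ServerSocketChannel.open()) {
            server.bind(new InetSocketAddress("127.0.0.1", 8080));          // hypothetical port
            System.out.println("echo server bound; at most " + maxConnections + " connections open at once");
            acceptBounded(server, pool, maxConnections);
        } finally {
            pool.shutdownNow();
        }
    }
}
```

The ordering is the whole point: a limit checked after accept() (as http4s-blaze-server's was) has already spent the descriptor, whereas acquiring the permit first keeps the open-handle count at or below maxConnections regardless of how many clients connect. Releasing the permit in the same finally block that closes the channel guarantees the count and the descriptors stay in step even when the handler throws.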


WAF Protection Rules

WAF Rule

Impact: All servers running an affected blaze-core version (see the version table above), including blaze-http and http4s-blaze-server users, are affected. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in serv
