7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21294

GHSA ID

GHSA-xhv5-w9c5-2r2w

EPSS Score

0.66369%

CWE

CWE-400

Published

2/2/2021

Updated

1/29/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21294

CVE-2021-21294: Unbounded connection acceptance in http4s-blaze-server

Impact

blaze-core, a library underlying http4s-blaze-server, accepts connections unboundedly on its selector pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.

http4s provides a general MaxActiveRequests middleware mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.

Patches

In 0.21.18, 0.22.0-M3, and 1.0.0-M16, a newmaxConnections property, with a default value of 1024, has been added to the BlazeServerBuilder. Setting the value to a negative number restores unbounded behavior, but is strongly disrecommended.

The NIO2 backend does not respect maxConnections. Its use is now deprecated in http4s-0.21, and the option is removed altogether starting in http4s-0.22.

The connections are bounded in 0.21.17, 0.22.0-M2, and 1.0.0-M14, but the maxConnections parameter was passed incorrectly, making it impossible to change the Blaze default of 512.

Workarounds

An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx’s connection bounding is both asynchronous and properly respects backpressure.
http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze’s, and as the newest backend, has substantially less industrial uptake.
http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.

References

See the Blaze GHSA for more on the underlying issue.

For more information

If you have any questions or comments about this advisory:

Open an issue in http4s/http4s
Contact us according to the http4s security policy

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21294

GHSA ID

GHSA-xhv5-w9c5-2r2w

EPSS Score

0.66369%

CWE

CWE-400

Published

2/2/2021

Updated

1/29/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.http4s:http4s-blaze-server_2.12	maven	< 0.21.17	0.21.17
org.http4s:http4s-blaze-server_2.13	maven	< 0.21.17	0.21.17

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) The NIO1SocketServerGroup.fixedGroup method (pre-patch) created connection pools without enforcing maxConnections, as shown in the commit diff where it was replaced with a .fixed() method that includes this parameter. 2) The BlazeServerBuilder's constructor didn't propagate a connection limit to the server group initialization logic before the patch. The combination of these factors allowed unbounded connection queuing. The high confidence comes from explicit evidence in the patch (added maxConnections parameter in BlazeServerBuilder and server group initialization changes) and the vulnerability description's focus on missing connection bounding at the acceptance layer.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *l*z*-*or*, * li*r*ry un**rlyin* *ttp*s-*l*z*-s*rv*r, ****pts *onn**tions un*oun***ly on its s*l**tor pool. T*is **s t** n*t *****t o* *mpli*yin* ***r***tion in s*rvi**s t**t *r* un**l* to **n*l* t**ir *urr*nt r*qu*st lo**, sin** in*omin*

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) T** `NIO*So*k*tS*rv*r*roup.*ix***roup` m*t*o* (pr*-p*t**) *r**t** *onn**tion pools wit*out *n*or*in* `m*x*onn**tions`, *s s*own in t** *ommit *i** w**r* it w*s r*pl**** wit* * `.*ix**()` m*t*o* t**t in*

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-21294: Unbounded connection acceptance in http4s-blaze-server

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI