CVE-2021-29509 Overview
CVE-2021-29509 is a Denial of Service (DoS) vulnerability affecting Puma, a concurrent HTTP 1.1 server for Ruby/Rack applications. This vulnerability represents an incomplete fix for the earlier CVE-2019-16770, which addressed connection starvation attacks. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, the incomplete remediation left a critical gap: new connections could still be starved by greedy persistent-connections saturating all threads across all processes in the cluster.
Critical Impact
A Puma server receiving more concurrent keep-alive connections than available threads in its threadpool will only service a subset of connections, effectively denying service to legitimate clients attempting to connect.
Affected Products
- Puma versions prior to 4.3.8
- Puma versions 5.x prior to 5.3.1
- Debian Linux 10.0
Discovery Timeline
- 2021-05-11 - CVE-2021-29509 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29509
Vulnerability Analysis
This vulnerability stems from an incomplete fix for CVE-2019-16770, which was intended to prevent connection starvation attacks. The original mitigation successfully prevented existing accepted connections from being starved by greedy persistent-connections that saturated all threads within the same process. However, the fix failed to account for a broader attack surface: new incoming connections remained vulnerable to starvation when persistent-connections saturated all threads across all processes in a clustered Puma deployment.
The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-667 (Improper Locking), reflecting the resource exhaustion nature of the attack and the underlying synchronization issues in connection handling.
Root Cause
The root cause lies in Puma's thread pool management and connection handling logic. When an attacker establishes multiple persistent keep-alive connections equal to or exceeding the total number of threads available in the server's threadpool, these connections consume all available worker threads. The server's queue mechanism for new connections becomes ineffective because no threads are available to service queued requests, resulting in new legitimate connection attempts being indefinitely delayed or dropped.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker initiates multiple concurrent HTTP connections with keep-alive headers, maintaining these connections in an active state. By keeping these connections open and periodically sending minimal traffic to prevent timeout, the attacker can monopolize the server's thread resources.
The attack is particularly effective against Puma servers operating without a reverse proxy (such as nginx or Apache), as these intermediary servers typically implement their own connection limiting and request queuing mechanisms that can mitigate such attacks.
The exploitation pattern involves:
- Opening multiple persistent HTTP connections to the target Puma server
- Sending requests with Connection: keep-alive headers
- Maintaining connections by periodically sending minimal data
- Exhausting the server's threadpool capacity across all processes
Detection Methods for CVE-2021-29509
Indicators of Compromise
- Sudden increase in active connections that remain open for extended periods
- Thread pool exhaustion metrics showing all workers in busy state
- Legitimate user complaints about connection timeouts or refused connections
- Network monitoring showing multiple long-lived connections from a small number of source IPs
Detection Strategies
- Monitor Puma server metrics for thread pool utilization approaching 100%
- Implement connection tracking to identify sources maintaining unusually high numbers of concurrent connections
- Set up alerting on sudden drops in successful request completion rates
- Review server logs for patterns of connection establishment without corresponding request completion
Monitoring Recommendations
- Deploy application performance monitoring (APM) solutions to track thread utilization and connection states
- Configure network-level monitoring to detect anomalous connection patterns characteristic of DoS attacks
- Establish baseline metrics for normal connection behavior and alert on significant deviations
- Implement real-time dashboards showing active connections, thread availability, and request queue depth
How to Mitigate CVE-2021-29509
Immediate Actions Required
- Upgrade Puma to version 4.3.8 or later for the 4.x branch
- Upgrade Puma to version 5.3.1 or later for the 5.x branch
- Deploy a reverse proxy (nginx or Apache) in front of Puma servers to provide connection management
- Review and harden connection timeout configurations
Patch Information
The Puma development team has released patched versions that fully address this vulnerability. Organizations should upgrade to Puma 4.3.8 or 5.3.1 or later versions. For detailed patch information and upgrade guidance, refer to the GitHub Security Advisory. A git patch is also available for organizations using unsupported Puma versions at the Puma Patch Gist.
Workarounds
- Set queue_requests false in Puma configuration (note: this is not recommended when running Puma without a reverse proxy as it exposes the server to slow client attacks such as slowloris)
- Deploy nginx or Apache as a reverse proxy to handle connection management and provide rate limiting
- Implement network-level rate limiting to restrict the number of concurrent connections from individual IP addresses
- Consider deploying a Web Application Firewall (WAF) with DoS protection capabilities
# Configuration example - Puma configuration workaround
# Add to config/puma.rb
queue_requests false
# Note: Only use this workaround if Puma is behind a reverse proxy
# such as nginx or Apache. Running Puma directly with this setting
# exposes the server to slow client attacks (e.g., slowloris).
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
