Skip to content

Unbounded connection acceptance leads to file handle exhaustion

High severity GitHub Reviewed Published Feb 2, 2021 in http4s/blaze • Updated Jan 29, 2023

Package

maven org.http4s:blaze-core_2.11 (Maven)

Affected versions

< 0.14.15

Patched versions

0.14.15
maven org.http4s:blaze-core_2.12 (Maven)
< 0.14.15
0.14.15
maven org.http4s:blaze-core_2.13 (Maven)
< 0.14.15
0.14.15

Description

Impact

All servers running blaze-core <= 0.14.14, including blaze-http and http4s-blaze-server users, are affected.

Blaze, accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections.

The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open.

Patches

The issue is fixed in version 0.14.15 for NIO1SocketServerGroup. A maxConnections parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number.

The NIO2SocketServerGroup has no such setting and is now deprecated.

Workarounds

  • An Nginx side-car acting as a reverse proxy for the local http4s-blaze-server instance would be able to apply a connection limiting semantic before the sockets reach blaze-core. Nginx’s connection bounding is both asynchronous and properly respects backpressure.
  • A similar sidecar strategy is viable for other non-HTTP services running on blaze-core.
  • http4s-ember-server is an alternative to http4s-blaze-server, but does not yet have HTTP/2 or web socket support. Its performance in terms of RPS is appreciably behind Blaze’s, and as the newest backend, has substantially less industrial uptake.
  • http4s-jetty is an alternative to http4s-blaze-server, but does not yet have web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.
  • http4s-tomcat is an alternative to http4s-blaze-server, but does not yet have HTTP/2 web socket support. Its performance in terms of requests per second is somewhat behind Blaze’s, and despite Jetty's industrial adoption, the http4s integration has substantially less industrial uptake.

For more information

If you have any questions or comments about this advisory:

References

@rossabaker rossabaker published to http4s/blaze Feb 2, 2021
Reviewed Feb 2, 2021
Published to the GitHub Advisory Database Feb 2, 2021
Published by the National Vulnerability Database Feb 2, 2021
Last updated Jan 29, 2023

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS score

0.196%
(57th percentile)

CVE ID

CVE-2021-21293

GHSA ID

GHSA-xmw9-q7x9-j5qc

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.