2024-07-14 02:06:08 +00:00
{
"id": "CVE-2021-21293",
"sourceIdentifier": "security-advisories@github.com",
"published": "2021-02-02T22:15:12.290",
"lastModified": "2022-10-25T12:56:03.883",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "blaze is a Scala library for building asynchronous pipelines, with a focus on network IO. All servers running blaze-core before version 0.14.15 are affected by a vulnerability in which unbounded connection acceptance leads to file handle exhaustion. Blaze accepts connections unconditionally on a dedicated thread pool. This has the net effect of amplifying degradation in services that are unable to handle their current request load, since incoming connections are still accepted and added to an unbounded queue. Each connection allocates a socket handle, which drains a scarce OS resource. This can also confound higher level circuit breakers which work based on detecting failed connections. The vast majority of affected users are using it as part of http4s-blaze-server <= 0.21.16. http4s provides a mechanism for limiting open connections, but it is enforced inside the Blaze accept loop, after the connection is accepted and the socket opened. Thus, the limit only prevents the number of connections which can be simultaneously processed, not the number of connections which can be held open. The issue is fixed in version 0.14.15 for \"NIO1SocketServerGroup\". A \"maxConnections\" parameter is added, with a default value of 512. Concurrent connections beyond this limit are rejected. To run unbounded, which is not recommended, set a negative number. The \"NIO2SocketServerGroup\" has no such setting and is now deprecated. There are several possible workarounds described in the referenced GitHub Advisory GHSA-xmw9-q7x9-j5qc."
},
{
"lang": "es",
"value": "blaze es una biblioteca de Scala para construir pipelines asincr\u00f3nicos, con un enfoque en la E/S de red. Todos los servidores que ejecutan blaze-core anterior a versi\u00f3n 0.14.15 est\u00e1n afectados por una vulnerabilidad en la que la aceptaci\u00f3n de una conexi\u00f3n ilimitada conduce al agotamiento del control de archivos. Blaze, acepta conexiones incondicionalmente en un grupo de subprocesos dedicado. Esto tiene el efecto neto de amplificar la degradaci\u00f3n en los servicios que no pueden manejar su carga de peticiones actual, ya que las conexiones entrantes a\u00fan se aceptan y agregan a una cola ilimitada. Cada conexi\u00f3n asigna un identificador de socket, lo que agota un recurso escaso del sistema operativo. Esto tambi\u00e9n puede confundir a los disyuntores de nivel superior que funcionan bas\u00e1ndose en la detecci\u00f3n de conexiones en fallo. La gran mayor\u00eda de los usuarios afectados lo utilizan como parte de http4s-blaze-server versiones anteriores a 0.21.16 e incluy\u00e9ndola. http4s proporciona un mecanismo para limitar las conexiones abiertas, pero se aplica dentro del bucle de aceptaci\u00f3n de Blaze, despu\u00e9s de que se acepta la conexi\u00f3n y se abre el socket. Por lo tanto, el l\u00edmite solo evita el n\u00famero de conexiones que se pueden procesar simult\u00e1neamente, no el n\u00famero de conexiones que se pueden mantener abiertas. El problema se solucion\u00f3 en la versi\u00f3n 0.14.15 para \"NIO1SocketServerGroup\". Se agrega un par\u00e1metro \"maxConnections\", con un valor predeterminado de 512. Se rechazan las conexiones simult\u00e1neas m\u00e1s all\u00e1 de este l\u00edmite. Para ejecutar sin l\u00edmites, lo cual no se recomienda, establezca un n\u00famero negativo. El \"NIO2SocketServerGroup\" no tiene tal configuraci\u00f3n y ahora est\u00e1 obsoleto. Existen varias posibles soluciones que se describen en el Aviso de GitHub referenciado GHSA-xmw9-q7x9-j5qc"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
},
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
],
"cvssMetricV2": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "2.0",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"accessVector": "NETWORK",
"accessComplexity": "LOW",
"authentication": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0
},
"baseSeverity": "MEDIUM",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"acInsufInfo": false,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-770"
}
]
},
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-400"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:a:typelevel:blaze:*:*:*:*:*:*:*:*",
"versionEndExcluding": "0.14.15",
"matchCriteriaId": "AE06DFF4-7550-4AC9-8645-72D090B9BFEE"
}
]
}
]
}
],
"references": [
{
"url": "https://github.com/http4s/blaze/commit/4f786177f9fb71ab272f3a5f6c80bca3e5662aa1",
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
]
},
{
"url": "https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc",
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w",
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
]
}
]
}