PT-2021-14395

Rossabaker · Published 2021-02-02 · Updated 2022-10-25

CVE-2021-21293 · CVSS v3.1 7.5 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: blaze-core versions prior to 0.14.15; http4s-blaze-server versions prior to 0.21.17.
Description: The issue is caused by unbounded connection acceptance in blaze-core, leading to file handle exhaustion. A service that is already unable to keep up with its request load keeps accepting incoming connections and adds them to an unbounded queue, which amplifies the degradation: each accepted connection allocates a socket handle, draining a scarce per-process OS resource until the process hits its open-file limit. Because connections are accepted rather than refused, the condition also confounds higher-level circuit breakers that rely on detecting failed connections; from the client's side every connection succeeds and then starves. The vast majority of affected users are using blaze-core as part of http4s-blaze-server. http4s provides a mechanism for limiting open connections, but it is enforced inside the Blaze accept loop after the connection has been accepted and the socket opened, so the handle is already consumed by the time the limit is checked.
Recommendations: For blaze-core versions prior to 0.14.15, update to version 0.14.15 or later, which adds a maxConnections parameter that bounds concurrent connections before accept is called. For http4s-blaze-server versions prior to 0.21.17, update to version 0.21.17 or later, which exposes this limit on the server builder. Where an upgrade is not immediately possible, place an Nginx side-car in front of the service as a reverse proxy so that connection limiting is applied before sockets reach blaze-core, or switch to a backend that is not affected, such as http4s-ember-server, http4s-jetty, or http4s-tomcat. Note that setting maxConnections to a negative number disables the limit and restores the previous unbounded behaviour; this is not a mitigation and is not recommended for exposed services.
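The following model is an added example, not code from blaze or http4s, and illustrates the mechanism in the Description and the semantics of the maxConnections fix in the Recommendations. A constructed FakeKernel stands in for the operating system: completed handshakes wait in a bounded listen backlog, and every accept() consumes one of a limited number of socket handles (EMFILE when the cap is reached). The vulnerable loop accepts everything the backlog offers and parks it on an unbounded queue; the fixed loop checks the limit before calling accept(), so excess connections stay in the kernel and are eventually refused, which is the signal clients and circuit breakers can observe. All names, limits and rates below are assumptions chosen for the simulation.

```python
"""Added model of the blaze accept loop before and after the CVE-2021-21293 fix.

Not blaze-core or http4s code. FakeKernel, Outcome, simulate and compare, and the
default limits (64 handles, backlog 128, 10 arrivals vs 2 completions per tick) are
assumptions constructed for this illustration.
"""
from collections import deque
from dataclasses import dataclass, field


class HandlesExhausted(Exception):
    """Raised when the process would exceed its open-file limit (EMFILE)."""


@dataclass
class FakeKernel:
    fd_limit: int                       # per-process handle cap (ulimit -n)
    backlog_limit: int                  # listen(2) backlog depth
    backlog: deque = field(default_factory=deque)
    open_handles: int = 0
    peak_handles: int = 0
    refused: int = 0

    def arrive(self, conn_id: int) -> None:
        """A client completes the TCP handshake; refused if the listen backlog is full."""
        if len(self.backlog) >= self.backlog_limit:
            self.refused += 1
        else:
            self.backlog.append(conn_id)

    def accept(self) -> int:
        """Hand a queued connection to the process; this is where the handle is allocated."""
        if self.open_handles >= self.fd_limit:
            raise HandlesExhausted("EMFILE: too many open files")
        self.open_handles += 1
        self.peak_handles = max(self.peak_handles, self.open_handles)
        return self.backlog.popleft()

    def close(self) -> None:
        self.open_handles -= 1


@dataclass
class Outcome:
    peak_handles: int   # highest number of sockets the process held at once
    exhausted: bool     # did the process hit EMFILE
    served: int         # connections that completed a handler
    refused: int        # connections the kernel turned away (visible failures)


def simulate(*, bounded: bool, max_connections: int, fd_limit: int = 64,
             backlog_limit: int = 128, ticks: int = 50,
             arrivals_per_tick: int = 10, service_per_tick: int = 2) -> Outcome:
    """Drive an overloaded server (arrivals exceed service rate) for `ticks` rounds."""
    kernel = FakeKernel(fd_limit=fd_limit, backlog_limit=backlog_limit)
    in_flight: deque = deque()   # accepted sockets waiting for, or inside, a handler
    served = 0
    exhausted = False
    next_id = 0
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            kernel.arrive(next_id)
            next_id += 1
        try:
            while kernel.backlog:
                # Fixed loop (maxConnections semantics): stop *before* accept(), so no
                # handle is allocated for a connection the server cannot serve yet.
                if bounded and len(in_flight) >= max_connections:
                    break
                # Vulnerable loop: accept unconditionally. A limit checked after this
                # point only decides whether a handler starts; the socket is already open.
                in_flight.append(kernel.accept())
        except HandlesExhausted:
            exhausted = True
            break
        # Handlers finish a bounded number of connections per tick and release handles.
        for _ in range(min(service_per_tick, len(in_flight))):
            in_flight.popleft()
            kernel.close()
            served += 1
    return Outcome(kernel.peak_handles, exhausted, served, kernel.refused)


def compare(max_connections: int = 16) -> dict:
    """Run the same overload against the vulnerable and the bounded accept loop."""
    return {
        "vulnerable": simulate(bounded=False, max_connections=max_connections),
        "fixed": simulate(bounded=True, max_connections=max_connections),
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:10s} {outcome}")
```

Under the default overload the vulnerable loop drives the process to its 64-handle cap within a few ticks and dies having served almost nothing, while refusing no connection at all; the bounded loop never holds more than max_connections sockets, keeps serving at full rate, and pushes the overflow back into the kernel where it is refused, so a client-side circuit breaker sees real failures. The bounded branch is the behaviour blaze-core 0.14.15's maxConnections provides; in http4s-blaze-server 0.21.17 and later the same limit is assumed here to be set through BlazeServerBuilder's withMaxConnections with a default of 1024 (verify against the release notes), and an Nginx side-car achieves the same effect one hop earlier.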

Fix: available (see Recommendations)

Weakness Enumeration: Allocation of Resources Without Limits; Resource Exhaustion

Related Identifiers: CVE-2021-21293, GHSA-XHV5-W9C5-2R2W, GHSA-XMW9-Q7X9-J5QC

Affected Products: Blaze-Core, Http4S-Blaze-Server

Also tagged (named in the advisory as mitigations or unaffected alternatives, not as affected products): Nginx, Http4S-Ember-Server, Http4S-Jetty, Http4S-Tomcat