PT-2021-14396 · Unknown+2 · Http4S-Tomcat+5

Rossabaker · Published 2021-02-02 · Updated 2022-10-24 · CVE-2021-21294

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: http4s versions prior to 0.21.17; http4s versions prior to 0.22.0-M2; http4s versions prior to 1.0.0-M14
Description: The issue is in the blaze-core library, which accepts connections on its selector pool without any upper bound. This can lead to a denial of service: incoming connections are still accepted and added to an unbounded queue, draining scarce OS resources. The MaxActiveRequests middleware in http4s only limits the number of connections that are processed simultaneously, not the number of connections that can be held open.
The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.
Technical details: each accepted connection allocates a socket handle. Because the connections are accepted rather than refused, the exhaustion can confound higher-level circuit breakers that work by detecting failed connections.
Recommendations: For versions prior to 0.21.17, 0.22.0-M2, or 1.0.0-M14 respectively, consider using an Nginx side-car as a reverse proxy to apply connection-limiting semantics before sockets reach blaze-core. Alternatively, consider http4s-ember-server, http4s-jetty, or http4s-tomcat as alternatives to http4s-blaze-server, but note that they may have performance differences and limited feature support. As a temporary workaround, consider setting the maxConnections property to a positive value to limit the number of concurrent connections.
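An added example of the Nginx side-car recommended above (not from this advisory or the http4s project): Nginx terminates client sockets, enforces per-client and per-server connection caps plus idle timeouts, and proxies only accepted requests to blaze. It assumes blaze listens on 127.0.0.1:8080 (placeholder) and the limit values are illustrative.

```nginx
# Added example: Nginx side-car in front of http4s-blaze-server.
# Assumptions: blaze listens on 127.0.0.1:8080 (placeholder); limits are illustrative.
worker_processes 1;

events {
    # Hard cap on sockets this worker holds open, upstream connections included.
    worker_connections 2048;
}

http {
    # Shared-memory counters: one keyed by client address, one keyed by server name.
    limit_conn_zone $binary_remote_addr zone=per_client:10m;
    limit_conn_zone $server_name        zone=per_server:10m;

    # Idle or slow clients are dropped quickly so held-open sockets cannot pile up.
    keepalive_timeout     15s;
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;

    upstream blaze {
        server 127.0.0.1:8080;
        # Bound the pool of idle keep-alive connections nginx itself keeps to blaze.
        keepalive 32;
    }

    server {
        listen 80;
        server_name _;

        # Reject with 503 instead of queueing once a limit is reached.
        limit_conn per_client 20;
        limit_conn per_server 500;
        limit_conn_status 503;

        location / {
            proxy_pass http://blaze;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 2s;
            proxy_read_timeout    30s;
        }
    }
}
```

limit_conn only counts a connection once its request headers have been read, so the header and body timeouts are what bound sockets that never send a complete request.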

Weakness Enumeration

Allocation of Resources Without Limits
Resource Exhaustion

Related Identifiers

CVE-2021-21294
GHSA-XHV5-W9C5-2R2W
GHSA-XMW9-Q7X9-J5QC

Affected Products

Nginx
Blaze-Core
Http4S
Http4S-Ember-Server
Http4S-Jetty
Http4S-Tomcat