{
  "threat_severity" : "Moderate",
  "public_date" : "2019-12-05T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-puma: keepalive requests from poorly-behaved client leads to denial of service",
    "id" : "1831297",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1831297"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.", "A flaw was found in rubygem-puma. A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough." ],
  "statement" : "Red Hat CloudForms uses the affected RubyGem Puma; however, it is not vulnerable: after opening more keepalive connections than there are threads available, additional connections did not wait for long.\nThe Red Hat Gluster Storage Web Administration component uses the affected RubyGem Puma.",
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Will not fix",
    "package_name" : "rubygem-puma",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "rubygem-puma",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-ror50-rubygem-puma",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "rubygem-puma",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-16770\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16770\nhttps://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994" ],
  "name" : "CVE-2019-16770",
  "mitigation" : {
    "value" : "Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.",
    "lang" : "en:us"
  },
  "csaw" : false
}