CVE-2021-21294
📋 TL;DR
CVE-2021-21294 is a denial-of-service vulnerability in http4s-blaze-server where the underlying blaze-core library accepts connections without bounds, allowing attackers to exhaust OS socket resources. This affects http4s services using blaze-server before patched versions, particularly those under high load or without connection limits.
💻 Affected Systems
- http4s-blaze-server
- blaze-core
📦 What is this software?
Http4s by Typelevel
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to OS socket exhaustion, preventing legitimate connections and potentially affecting system stability.
Likely Case
Degraded service performance under connection flood attacks, with increased latency and failed requests as socket resources are consumed.
If Mitigated
Limited impact with proper connection limits, though still vulnerable to connection floods up to the configured maximum.
🎯 Exploit Status
Exploitation requires only the ability to establish TCP connections to the vulnerable service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: http4s 0.21.17, 0.22.0-M2, or 1.0.0-M14
Vendor Advisory: https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w
Restart Required: Yes
Instructions:
1. Update the http4s dependency to a patched version.
2. Configure the maxConnections property in BlazeServerBuilder.
3. Restart the service.
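The following is an added example, not code from the advisory or from the http4s project, showing what steps 1 and 2 look like in a minimal http4s 0.21.x blaze server. It assumes http4s-blaze-server 0.21.17 or later with cats-effect 2, and that the builder's `withMaxConnections` method and the `MaxActiveRequests.httpApp` middleware signature are as in the 0.21 API; the port, limits and route are placeholders chosen for illustration.

```scala
// Added example (not from the advisory page): a minimal http4s 0.21.x blaze
// server with a connection cap. Assumes http4s-blaze-server >= 0.21.17 and
// cats-effect 2; method names follow the 0.21 API.
import cats.effect.{ExitCode, IO, IOApp}
import org.http4s._
import org.http4s.dsl.io._
import org.http4s.implicits._
import org.http4s.server.blaze.BlazeServerBuilder
import org.http4s.server.middleware.MaxActiveRequests
import scala.concurrent.ExecutionContext.global

object CappedServer extends IOApp {
  // Hypothetical limits: size them from the process's socket budget
  // (ulimit -n) and expected concurrency rather than copying these numbers.
  val MaxConnections: Int = 1024 // cap on accepted TCP sockets (the CVE fix knob)
  val MaxActive: Long = 256      // cap on requests being processed at once

  val routes: HttpRoutes[IO] = HttpRoutes.of[IO] {
    case GET -> Root / "health" => Ok("ok")
  }

  def run(args: List[String]): IO[ExitCode] =
    for {
      // MaxActiveRequests sheds load at the HTTP layer (503 by default) but,
      // as the advisory notes, does not stop sockets from being accepted.
      app <- MaxActiveRequests.httpApp[IO](MaxActive)(routes.orNotFound)
      code <- BlazeServerBuilder[IO](global)
        .bindHttp(8080, "0.0.0.0")
        // withMaxConnections is the property introduced with the fix; without
        // it (or on an unpatched version) blaze accepts connections without bound.
        .withMaxConnections(MaxConnections)
        .withHttpApp(app)
        .serve
        .compile
        .drain
        .as(ExitCode.Success)
    } yield code
}
```

The two limits address different layers: maxConnections bounds how many sockets blaze will hold open at once, which is what this CVE is about, while the request-level middleware only bounds concurrent request handling and is therefore a complement to, not a substitute for, the patched version.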
🔧 Temporary Workarounds
Configure MaxActiveRequests Middleware
Limits simultaneous request processing, though this does not prevent socket allocation.
// Scala code: .withMaxActiveRequests(limit)
Use External Load Balancer
Deploy a reverse proxy or load balancer with connection-limiting capabilities in front of the service.
// Configure nginx: limit_conn_zone $binary_remote_addr zone=addr:10m;
// Configure nginx: limit_conn addr 100;
🧯 If You Can't Patch
- Deploy network-level rate limiting or connection limiting using firewalls or load balancers.
- Monitor socket usage and implement alerting for abnormal connection patterns.
🔍 How to Verify
Check if Vulnerable:
Check build.sbt or the project's dependency report for an http4s-blaze-server version below 0.21.17, or check whether maxConnections is left unconfigured in BlazeServerBuilder.
Check Version:
sbt 'show http4s-blaze-server/version' or check build configuration files.
Verify Fix Applied:
Verify that the http4s version is >= 0.21.17 and that maxConnections is set in the server configuration, then test under a controlled connection load to confirm the limit is enforced.
📡 Detection & Monitoring
Log Indicators:
- High connection counts in server logs
- Socket allocation errors
- Increased connection timeouts
Network Indicators:
- Abnormally high TCP connection rates to service port
- SYN flood patterns
SIEM Query:
source="http4s-logs" AND ("connection refused" OR "too many open files")
🔗 References
- https://github.com/http4s/blaze/security/advisories/GHSA-xmw9-q7x9-j5qc
- https://github.com/http4s/http4s/commit/987d6589ef79545b9bb2324ac4bdebf82d9a0171
- https://github.com/http4s/http4s/security/advisories/GHSA-xhv5-w9c5-2r2w