| CVSS3 | Value |
|---|---|
| Score | 7.5 High |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| EPSS | Value |
|---|---|
| Score | 0.001 Low |
| Percentile | 27.4% |
An attacker, opening an HTTP/2 connection with an initial window size of 0,
was able to block handling of that connection indefinitely in Apache HTTP
Server. This could be used to exhaust worker resources in the server,
similar to the well-known "slow loris" attack pattern. This has been fixed
in version 2.4.58, so that such connections are terminated properly after
the configured connection timeout. This issue affects Apache HTTP Server:
from 2.4.55 through 2.4.57. Users are recommended to upgrade to version
2.4.58, which fixes the issue.
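To triage packet captures for the condition the advisory describes, the following added example (not code from the Apache project or this tracker) parses raw HTTP/2 frames and flags a client connection preface whose SETTINGS frame advertises SETTINGS_INITIAL_WINDOW_SIZE of 0; the sample byte strings are constructed, not real traffic.

```python
import struct

H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_SETTINGS = 0x4              # frame type, RFC 7540 section 6.5
FLAG_ACK = 0x1
SETTINGS_INITIAL_WINDOW_SIZE = 0x4

def parse_frames(data):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):                       # 9-byte frame header
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                     # truncated capture: stop, do not misparse
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def advertised_initial_window_sizes(frames):
    """SETTINGS_INITIAL_WINDOW_SIZE values the peer advertised (non-ACK SETTINGS on stream 0)."""
    sizes = []
    for ftype, flags, stream_id, payload in frames:
        if ftype != FRAME_SETTINGS or flags & FLAG_ACK or stream_id != 0:
            continue
        for i in range(0, len(payload) - 5, 6):       # each setting: 16-bit id + 32-bit value
            ident, value = struct.unpack("!HI", payload[i:i + 6])
            if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                sizes.append(value)
    return sizes

def flag_zero_window_preface(data):
    """True when a captured client stream starts with the h2 preface and advertises a 0 window."""
    if not data.startswith(H2_PREFACE):
        return False
    return 0 in advertised_initial_window_sizes(parse_frames(data[len(H2_PREFACE):]))

# Constructed samples (not real captures): preface followed by one SETTINGS frame each.
SUSPECT = H2_PREFACE + b"\x00\x00\x06\x04\x00\x00\x00\x00\x00" + b"\x00\x04\x00\x00\x00\x00"
NORMAL = (H2_PREFACE + b"\x00\x00\x0c\x04\x00\x00\x00\x00\x00"
          + b"\x00\x03\x00\x00\x00\x64"                 # MAX_CONCURRENT_STREAMS = 100
          + b"\x00\x04\x00\x00\xff\xff")                # INITIAL_WINDOW_SIZE = 65535

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("normal", NORMAL)):
        print(name, flag_zero_window_preface(sample))
```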
| Author | Note |
|---|---|
| Priority reason | Apache developers consider this to be a low-impact issue |
| mdeslaur | backporting this to jammy and earlier will likely require backporting the whole 2.0.10 version of the http/2 module as it refactors how connections and streams are handled: https://github.com/apache/httpd/commit/9767274b884a110e9244f59f50bd31ff1cae2933 |
httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622
launchpad.net/bugs/cve/CVE-2023-43622
nvd.nist.gov/vuln/detail/CVE-2023-43622
security-tracker.debian.org/tracker/CVE-2023-43622
ubuntu.com/security/notices/USN-6506-1
www.cve.org/CVERecord?id=CVE-2023-43622
www.openwall.com/lists/oss-security/2023/10/19/5