mod_gnutls contains Infinite Loop on request read timeout
CVE-2023-25824

7.5HIGH

Key Information:

Vendor

Airtower-luna

Status
Mod Gnutls
Vendor
CVE Published:
23 February 2023

What is CVE-2023-25824?

A vulnerability in the Mod_GnuTLS module for Apache HTTPD allows an attacker to exploit a flaw in blocking read operations over TLS connections. When timeouts occur, the module inadvertently enters an infinite loop, leading to excessive CPU usage and potential denial of service. Additionally, trace-level logging could produce an overwhelming amount of log data, possibly exhausting disk space. Users are urged to upgrade to version 0.12.1 to mitigate this issue, or alternatively, implement the errno fix as specified in the security advisory. No workarounds exist for those unable to perform updates.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

mod_gnutls >= 0.9.0, < 0.12.1

References

https://github.com/airtower-luna/mod_gnutls/security/advi...
x_refsource_CONFIRM
https://github.com/airtower-luna/mod_gnutls/commit/d7eec4...
x_refsource_MISC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942737#25
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.