Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
CVE-2023-43622

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache HTTP Server
Vendor: CVE Published:; 23 October 2023

Summary

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Affected Version(s)

Apache HTTP Server 2.4.55 <= 2.4.57

References

https://httpd.apache.org/security/vulnerabilities_24.html

vendor-advisory

https://security.netapp.com/advisory/ntap-20231027-0011/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 23, 2023
Vulnerability Reserved
Sep 20, 2023

Collectors

NVD DatabaseMitre Database

Credit

Prof. Sven Dietrich (City University of New York)

Isa Jafarov (City University of New York)

Prof. Heejo Lee (Korea University)

Choongin Lee (Korea University)