CVE-2023-43622 - OpenCVE

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Http Server

Configuration 1 [-]

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
https://security.netapp.com/advisory/ntap-20231027-0011/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2023-10-23T06:50:51.555Z

Updated: 2023-10-23T06:50:51.555Z

Reserved: 2023-09-20T07:45:21.299Z

Link: CVE-2023-43622

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-23T07:15:11.243

Modified: 2023-11-01T18:11:02.370

Link: CVE-2023-43622

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-43622", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-09-20T07:45:21.299Z", "datePublished": "2023-10-23T06:50:51.555Z", "dateUpdated": "2023-10-23T06:50:51.555Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.57", "status": "affected", "version": "2.4.55", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Prof. Sven Dietrich (City University of New York)"}, {"lang": "en", "type": "finder", "value": "Isa Jafarov (City University of New York)"}, {"lang": "en", "type": "finder", "value": "Prof. Heejo Lee (Korea University)"}, {"lang": "en", "type": "finder", "value": "Choongin Lee (Korea University)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.<br><p>This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.</p><p>This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.</p><p>Users are recommended to upgrade to version 2.4.58, which fixes the issue.</p>"}], "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-10-23T06:50:51.555Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0011/"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2023-09-15T09:51:00.000Z", "value": "reported"}], "title": "Apache HTTP Server: DoS in HTTP/2 with initial windows size 0", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F9F28355-B47B-463B-862A-E493D0743CC9", "versionEndExcluding": "2.4.58", "versionStartIncluding": "2.4.55", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n\n"}, {"lang": "es", "value": "Un atacante, al abrir una conexi\u00f3n HTTP/2 con un tama\u00f1o de ventana inicial de 0, pudo bloquear el manejo de esa conexi\u00f3n indefinidamente en el servidor HTTP Apache. Esto podr\u00eda usarse para agotar los recursos de los trabajadores en el servidor, similar al conocido patr\u00f3n de ataque \"slow loris\". Esto se solucion\u00f3 en la versi\u00f3n 2.4.58, de modo que dicha conexi\u00f3n finalice correctamente despu\u00e9s del tiempo de espera de conexi\u00f3n configurado. Este problema afecta al servidor HTTP Apache: desde 2.4.55 hasta 2.4.57. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.4.58, que soluciona el problema."}], "id": "CVE-2023-43622", "lastModified": "2023-11-01T18:11:02.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-23T07:15:11.243", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231027-0011/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Primary"}]}