CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
First published: Thu Oct 19 2023(Updated: )
An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache HTTP server | >=2.4.55<2.4.58 | |
| ubuntu/apache2 | <2.4.55-1ubuntu2.1 | 2.4.55-1ubuntu2.1 |
| ubuntu/apache2 | <2.4.57-2ubuntu2.1 | 2.4.57-2ubuntu2.1 |
| ubuntu/apache2 | <2.4.58-1 | 2.4.58-1 |
| debian/apache2 | <=2.4.56-1~deb11u2<=2.4.57-2 | 2.4.38-3+deb10u8 2.4.38-3+deb10u10 2.4.59-1~deb11u1 2.4.59-1~deb12u1 2.4.58-1 2.4.59-1 |
| redhat/mod_http2 | <2.0.23 | 2.0.23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://security.netapp.com/advisory/ntap-20231027-0011/
- https://launchpad.net/bugs/cve/CVE-2023-43622
- https://www.openwall.com/lists/oss-security/2023/10/19/5
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622
- https://ubuntu.com/security/notices/USN-6506-1
- https://www.cve.org/CVERecord?id=CVE-2023-43622
- https://nvd.nist.gov/vuln/detail/CVE-2023-43622
- https://security-tracker.debian.org/tracker/CVE-2023-43622
- https://github.com/apache/httpd/commit/582c533c1728459eef5f8ec1a64b81fb093b26a8
- https://ubuntu.com/security/CVE-2023-43622
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2245323
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2245890
- https://access.redhat.com/errata/RHSA-2024:2368
- https://bugzilla.redhat.com/show_bug.cgi?id=2245153
Frequently Asked Questions
What is CVE-2023-43622?
CVE-2023-43622 is a vulnerability in the Apache HTTP Server that allows an attacker to block the handling of a connection indefinitely by opening an HTTP/2 connection with an initial window size of 0.
What is the impact of CVE-2023-43622?
The vulnerability in CVE-2023-43622 can be used to exhaust worker resources in the server, similar to the 'slow loris' attack pattern.
Which versions of Apache HTTP Server are affected by CVE-2023-43622?
Versions of Apache HTTP Server from 2.4.55 to 2.4.58 are affected by CVE-2023-43622.
How can I fix CVE-2023-43622?
The vulnerability has been fixed in version 2.4.59 of Apache HTTP Server. It is recommended to upgrade to this version or a later version.
Where can I find more information about CVE-2023-43622?
You can find more information about CVE-2023-43622 on the Apache HTTP Server website and the NetApp security advisory.
- collector/oss-sec
- alias/CVE-2023-43622
- collector/nvd-api
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/weakness
- agent/remedy
- agent/title
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/event
- agent/severity
- agent/softwarecombine
- agent/description
- agent/references
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.55
- package-manager/ubuntu
- package-manager/debian
- package-manager/redhat