First published: Fri Oct 13 2023(Updated: )
The initial Rapid-Reset fix for mod_http2 was not sufficient to mitigate reset attacks completely; a potential resource leak remains. If a client sends stream resets on a connection at a rate below the limit imposed by nghttp2, memory is still consumed per RST_STREAM frame and is not released until the connection is closed. This "slow drip" of fewer than 1000 RST_STREAM frames per second is enough to exhaust the memory behind a single connection and disable it.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache HTTP server | >=2.4.17, <2.4.58 | 2.4.58 |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Debian Debian Linux | =10.0 | |
ubuntu/apache2 | <2.4.41-4ubuntu3.15 | 2.4.41-4ubuntu3.15 |
ubuntu/apache2 | <2.4.52-1ubuntu4.7 | 2.4.52-1ubuntu4.7 |
ubuntu/apache2 | <2.4.55-1ubuntu2.1 | 2.4.55-1ubuntu2.1 |
ubuntu/apache2 | <2.4.57-2ubuntu2.1 | 2.4.57-2ubuntu2.1 |
ubuntu/apache2 | <2.4.58-1 | 2.4.58-1 |
debian/apache2 | <=2.4.38-3+deb10u8; <=2.4.38-3+deb10u10; <=2.4.56-1~deb11u2; <=2.4.57-2 | 2.4.59-1~deb11u1; 2.4.59-1~deb12u1; 2.4.58-1; 2.4.59-1 |
The severity of CVE-2023-45802 is medium, with a severity score of 5.9.
The affected software for CVE-2023-45802 is Apache HTTP Server (mod_http2) from 2.4.17 up to, but not including, 2.4.58, together with the Fedora 37, 38 and 39, Debian and Ubuntu packages listed above.
To fix CVE-2023-45802, update Apache HTTP Server to 2.4.58 or later, or install the patched distribution package listed in the table above. Until then, the leaked memory is only reclaimed when the offending connection is closed, so there is no configuration-only fix.
The Common Weakness Enumeration (CWE) for CVE-2023-45802 is CWE-400 (Uncontrolled Resource Consumption).
More information about CVE-2023-45802 can be found at the following references: [link1](https://httpd.apache.org/security/vulnerabilities_24.html), [link2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/), [link3](https://security.netapp.com/advisory/ntap-20231027-0011/).