CVE-2023-43622

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://httpd.apache.org/security/vulnerabilities_24.html	Vendor Advisory
https://security.netapp.com/advisory/ntap-20231027-0011/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

History

01 Nov 2023, 18:11

Type	Values Removed	Values Added
First Time		Apache http Server Apache
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:apache:http_server::::::::
References	~~(MISC) https://security.netapp.com/advisory/ntap-20231027-0011/ -~~	(MISC) https://security.netapp.com/advisory/ntap-20231027-0011/ - Third Party Advisory
References	~~(MISC) https://httpd.apache.org/security/vulnerabilities_24.html -~~	(MISC) https://httpd.apache.org/security/vulnerabilities_24.html - Vendor Advisory

27 Oct 2023, 15:15

Type	Values Removed	Values Added
References		(MISC) https://security.netapp.com/advisory/ntap-20231027-0011/ -

23 Oct 2023, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-23 07:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-43622

Mitre link : CVE-2023-43622

CVE.ORG link : CVE-2023-43622

JSON object : View

Products Affected

apache

http_server

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2023-43622", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-23T07:15:11.243", "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://security.netapp.com/advisory/ntap-20231027-0011/", "tags": ["Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n\n"}, {"lang": "es", "value": "Un atacante, al abrir una conexi\u00f3n HTTP/2 con un tama\u00f1o de ventana inicial de 0, pudo bloquear el manejo de esa conexi\u00f3n indefinidamente en el servidor HTTP Apache. Esto podr\u00eda usarse para agotar los recursos de los trabajadores en el servidor, similar al conocido patr\u00f3n de ataque \"slow loris\". Esto se solucion\u00f3 en la versi\u00f3n 2.4.58, de modo que dicha conexi\u00f3n finalice correctamente despu\u00e9s del tiempo de espera de conexi\u00f3n configurado. Este problema afecta al servidor HTTP Apache: desde 2.4.55 hasta 2.4.57. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.4.58, que soluciona el problema."}], "lastModified": "2023-11-01T18:11:02.370", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9F28355-B47B-463B-862A-E493D0743CC9", "versionEndExcluding": "2.4.58", "versionStartIncluding": "2.4.55"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}