CVE-2023-43622

Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Un atacante, al abrir una conexión HTTP/2 con un tamaño de ventana inicial de 0, pudo bloquear el manejo de esa conexión indefinidamente en el servidor HTTP Apache. Esto podría usarse para agotar los recursos de los trabajadores en el servidor, similar al conocido patrón de ataque "slow loris". Esto se solucionó en la versión 2.4.58, de modo que dicha conexión finalice correctamente después del tiempo de espera de conexión configurado. Este problema afecta al servidor HTTP Apache: desde 2.4.55 hasta 2.4.57. Se recomienda a los usuarios actualizar a la versión 2.4.58, que soluciona el problema.

A flaw was found in the mod_http2 module of httpd. This flaw allows an attacker opening an HTTP/2 connection with an initial window size of 0 to block handling of that connection indefinitely. This vulnerability can exhaust worker resources in the server, similar to the well-known "slow loris" attack pattern.

*Credits: Prof. Sven Dietrich (City University of New York), Isa Jafarov (City University of New York), Prof. Heejo Lee (Korea University), Choongin Lee (Korea University)

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-09-20 CVE Reserved
2023-10-23 CVE Published
2023-11-02 EPSS Updated
2024-05-29 First Exploit
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (5)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20231027-0011	Third Party Advisory

URL	Date	SRC
https://github.com/visudade/CVE-2023-43622	2024-05-29

URL	Date	SRC

URL	Date	SRC
https://httpd.apache.org/security/vulnerabilities_24.html	2023-11-01
https://access.redhat.com/security/cve/CVE-2023-43622	2024-04-30
https://bugzilla.redhat.com/show_bug.cgi?id=2245153	2024-04-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				>= 2.4.55 < 2.4.58 Search vendor "Apache" for product "Http Server" and version " >= 2.4.55 < 2.4.58"		-		Affected