PT-2023-6452 · Apache+7 · Apache Http Server+7

Choongin Lee

+3

·

Publicado

2023-10-19

·

Atualizado

2025-05-15

·

CVE-2023-43622

CVSS v2.0

7.8

Alta

VetorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.55 through 2.4.57
Description The issue is related to a HTTP/2 connection with an initial window size of 0, which can block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. The connection can be terminated properly after the configured connection timeout in version 2.4.58.
Recommendations Apache HTTP Server versions 2.4.55 through 2.4.57: Upgrade to version 2.4.58, which fixes the issue. As a temporary workaround, consider configuring the connection timeout to a lower value to minimize the risk of exploitation.

Exploit

Correção

Resource Exhaustion

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-400

Identificadores relacionados

ALSA-2024:2368
ALT-PU-2023-6831
ALT-PU-2023-7243
ALT-PU-2024-1938
AZL-31610
AZL-43639
AZL-44955
BDU:2023-07171
BIT-APACHE-2023-43622
CVE-2023-43622
DSA-5662-1
INFSA-2024_2368
MGASA-2023-0304
OPENSUSE-SU-2024:13350-1
RHSA-2024:2368
RHSA-2024_2368
USN-6506-1

Produtos afetados

Alt Linux
Almalinux
Apache Http Server
Astra Linux
Linuxmint
Red Hat
Red Os
Ubuntu