Noam Mazor

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.17 through 2.4.18 **Description** The issue is related to resource management errors in the Apache HTTP Server. It allows a remote attacker to cause a denial of service by modifying flow-control windows, leading to a stream-processing outage. This is achieved by manipulating the flow control windows on streams, which can block server threads for extended periods, causing starvation of worker threads. Although new connections can still be opened, no streams are processed for these connections. **Recommendations** For Apache HTTP Server versions 2.4.17 and 2.4.18, consider disabling the mod http2 module as a temporary workaround to prevent exploitation until a patch is available. Restrict access to HTTP/2 connections to minimize the risk of denial of service attacks.

Name of the Vulnerable Software and Affected Versions: nghttp2 versions prior to 1.7.1 Description: The issue allows remote attackers to cause a denial of service, resulting in memory exhaustion. Recommendations: For versions prior to 1.7.1, update to version 1.7.1 or later to resolve the issue.