Prof. Heejo Lee

Researcher from Korea University
#32472 of 53,632
7.8 Total CVSS
Vulnerabilities · 1
PT-2023-6452
7.8
2023-10-19
Apache · Apache Http Server · CVE-2023-43622
**Name of the Vulnerable Software and Affected Versions**

Apache HTTP Server versions 2.4.55 through 2.4.57

**Description**

The issue concerns an HTTP/2 connection opened with an initial window size of 0, which can block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources on the server, similar to the well-known "Slowloris" attack pattern. In version 2.4.58 the connection is terminated properly after the configured connection timeout.

**Recommendations**

Apache HTTP Server versions 2.4.55 through 2.4.57: upgrade to version 2.4.58, which fixes the issue. As a temporary workaround, consider configuring the connection timeout to a lower value to minimize the risk of exploitation.