PT-2023-6292 · Apache+10 · Apache Http Server+10
David Warren
+1
·
Published
2023-10-12
·
Updated
2026-01-14
·
CVE-2023-45802
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache HTTP Server versions prior to 2.4.58
Description
The issue is related to the handling of HTTP/2 streams in the Apache HTTP Server. When a client resets an HTTP/2 stream using an RST frame, there is a time window where the request's memory resources are not immediately reclaimed. Instead, de-allocation is deferred until the connection is closed. A client can exploit this by sending new requests and resets, keeping the connection busy and open, and causing the memory footprint to grow. This can lead to a denial-of-service condition if the process runs out of memory before the connection is closed.
Recommendations
To resolve the issue, upgrade to version 2.4.58 or later, which fixes the problem. As a temporary workaround, consider restricting the use of HTTP/2 streams or limiting the number of concurrent connections to minimize the risk of exploitation.
Exploit
Fix
RCE
Improper Resource Release
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Http Server
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu