PT-2023-6452 · Apache+7 · Apache Http Server+7

Choongin Lee

Published

2023-10-19

Updated

2025-05-15

CVE-2023-43622

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.55 through 2.4.57

Description The issue is related to a HTTP/2 connection with an initial window size of 0, which can block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. The connection can be terminated properly after the configured connection timeout in version 2.4.58.

Recommendations Apache HTTP Server versions 2.4.55 through 2.4.57: Upgrade to version 2.4.58, which fixes the issue. As a temporary workaround, consider configuring the connection timeout to a lower value to minimize the risk of exploitation.

Exploit

Fix

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

ALSA-2024:2368

ALT-PU-2023-6831

ALT-PU-2023-7243

ALT-PU-2024-1938

AZL-31610

AZL-43639

AZL-44955

BDU:2023-07171

BIT-APACHE-2023-43622

CVE-2023-43622

DSA-5662-1

INFSA-2024_2368

MGASA-2023-0304

OPENSUSE-SU-2024:13350-1

RHSA-2024:2368

RHSA-2024_2368

USN-6506-1

Affected Products

Alt Linux

Almalinux

Apache Http Server

Astra Linux

Linuxmint

Red Hat

Red Os

Ubuntu

PT-2023-6452 · Apache+7 · Apache Http Server+7

CVE-2023-43622

Weakness Enumeration

Related Identifiers

Affected Products

References · 61