Vulnerability Description
An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.4.55, < 2.4.58 |
Related Weaknesses (CWE)
References
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- https://security.netapp.com/advisory/ntap-20231027-0011/Third Party Advisory
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- https://security.netapp.com/advisory/ntap-20231027-0011/Third Party Advisory
FAQ
What is CVE-2023-43622?
CVE-2023-43622 is a vulnerability with a CVSS score of 7.5 (HIGH). An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resour...
How severe is CVE-2023-43622?
CVE-2023-43622 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-43622?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server.