CVE-2023-43622

NameCVE-2023-43622
DescriptionAn attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5662-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apache2 (PTS)buster2.4.38-3+deb10u8fixed
buster (security)2.4.38-3+deb10u10fixed
bullseye2.4.56-1~deb11u2vulnerable
bullseye (security)2.4.59-1~deb11u1fixed
bookworm2.4.57-2vulnerable
bookworm (security)2.4.59-1~deb12u1fixed
trixie2.4.58-1fixed
sid2.4.59-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
apache2sourcebuster(not affected)
apache2sourcebullseye2.4.59-1~deb11u1DSA-5662-1
apache2sourcebookworm2.4.59-1~deb12u1DSA-5662-1
apache2source(unstable)2.4.58-1

Notes

[buster] - apache2 <not-affected> (Vulnerable code introduced later)
https://www.openwall.com/lists/oss-security/2023/10/19/5
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622
Search for package or bug name: Reporting problems