CVE-2023-43622
Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
Description
An attacker opening an HTTP/2 connection with an initial window size of 0 was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known "slowloris" attack pattern. This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
How to fix CVE-2023-43622
To remediate CVE-2023-43622, upgrade the affected package to a fixed version below.
- upgrade to 2.4.58-r0 or later
- upgrade to 2.4.58 or later
- upgrade to 2.4.59-1~deb11u1 or later
Is CVE-2023-43622 being exploited?
Likely — EPSS is 59.5%, placing CVE-2023-43622 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (3)
- from 0, < 2.4.58-r0
- >= 2.4.55, < 2.4.58
- from 0, < 2.4.59-1~deb11u1
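As an added defensive check (not part of this advisory), the following Python decides whether an installed httpd version falls inside the ranges listed above, taking the version string from `httpd -v` output. The upstream/alpine/debian labels are an assumption inferred from the version formats on this page, and the comparator follows dpkg-style ordering so that suffixes such as `-r0` and `~deb11u1` sort correctly.

```python
import re
# Affected ranges as listed on this page: (inclusive lower bound or None for
# "from 0", first fixed version). Ecosystem labels are an assumption inferred
# from the version formats; they are not part of the original page.
AFFECTED_RANGES = {
    "upstream": ("2.4.55", "2.4.58"),
    "alpine": (None, "2.4.58-r0"),
    "debian": (None, "2.4.59-1~deb11u1"),
}
def _order(c):
    """dpkg-style weight of a non-digit character; None marks end of string."""
    if c is None or c.isdigit():
        return 0
    if c == "~":
        return -1  # '~' sorts before everything, even the end of the string
    return ord(c) if c.isalpha() else ord(c) + 256
def compare_versions(a, b):
    """Return -1, 0 or 1 comparing a to b with dpkg-like ordering (see _order)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's numeric run is longer, so a is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0
def parse_httpd_version(output):
    """Pull the version from `httpd -v` output, e.g. 'Server version: Apache/2.4.57 (Unix)'."""
    m = re.search(r"Apache/(\S+)", output)
    return m.group(1) if m else None
def is_affected(ecosystem, version):
    """True when version lies inside this CVE's range for the given ecosystem."""
    low, fixed = AFFECTED_RANGES[ecosystem]
    if low is not None and compare_versions(version, low) < 0:
        return False
    return compare_versions(version, fixed) < 0
```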
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |