Bug 1216425 (CVE-2023-43622)

Summary: VUL-0: CVE-2023-43622: apache2: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: david.anes, gabriele.sonnu, rfrohl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/382447/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-43622:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-10-19 15:54:29 UTC 
Severity: low

Affected versions:

- Apache HTTP Server 2.4.55 through 2.4.57

Description:

An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Credit:

Prof. Sven Dietrich (City University of New York) (finder)
Isa Jafarov (City University of New York) (finder)
Prof. Heejo Lee (Korea University) (finder)
Choongin Lee (Korea University) (finder)

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-43622

Timeline:

2023-09-15: reported
Comment 1 Gabriele Sonnu 2023-10-20 07:34:41 UTC 
Based on the above advisory, tracking as affected:

- SUSE:ALP:Source:Standard:1.0/apache2  2.4.57
- openSUSE:Factory/apache2              2.4.57
Comment 3 David Anes 2023-10-27 08:19:39 UTC 
Fixed here: https://build.opensuse.org/request/show/1118995

Sending back to security for review.
Comment 4 Robert Frohl 2024-06-07 15:14:26 UTC 
done, closing