An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

An update of the httpd package has been released.

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-2368 advisory.

    [2.0.26-1]
    - Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:2368 advisory.

    The mod_http2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd     2.4 servers.

    Security Fix(es):

    * httpd: mod_http2: DoS in HTTP/2 with initial window size 0 (CVE-2023-43622)

    * mod_http2: reset requests exhaust memory (incomplete fix of CVE-2023-44487) (CVE-2023-45802)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5662 advisory.

  - Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
    through 2.4.57. (CVE-2023-31122)

  - Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators     to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. (CVE-2023-38709)

  - An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of     that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the     server, similar to the well known slow loris attack pattern. This has been fixed in version 2.4.58, so     that such connection are terminated properly after the configured connection timeout. This issue affects     Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which     fixes the issue. (CVE-2023-43622)

  - When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory     resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A     client could send new requests and resets, keeping the connection busy and open and causing the memory     footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run     out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid     Reset Exploit) with their own test client. During normal HTTP/2 use, the probability to hit this bug is     very low. The kept memory would not become noticeable before the connection closes or times out. Users are     recommended to upgrade to version 2.4.58, which fixes the issue. (CVE-2023-45802)

  - HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject     malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are     recommended to upgrade to version 2.4.59, which fixes this issue. (CVE-2024-24795)

  - HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an     informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.
    (CVE-2024-27316)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 05b7180b-e571-11ee-a1c0-0050569f0b83 advisory.

  - An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of     that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the     server, similar to the well known slow loris attack pattern. This has been fixed in version 2.4.58, so     that such connection are terminated properly after the configured connection timeout. This issue affects     Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which     fixes the issue. (CVE-2023-43622)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable SecurityCenter running on the remote host is . It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2023-44 advisory.

  - Security Center leverages third-party software to help provide underlying functionality. One of the third-     party components (Apache) was found to contain vulnerabilities, and updated versions have been made     available by the providers. Out of caution and in line with best practice, Tenable has opted to upgrade     these components to address the potential impact of the issues. Security Center Patch SC-202312.1 updates     Apache to version 2.4.58 to address the identified vulnerabilities. Tenable has released Security Center     Patch SC-202312.1 to address these issues. The installation files can be obtained from the Tenable     Downloads Portal: https://www.tenable.com/downloads/security-center (CVE-2023-43622, CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6506-1 advisory.

    David Shoon discovered that the Apache HTTP Server mod_macro module incorrectly handled certain memory     operations. A remote attacker could possibly use this issue to cause the server to crash, resulting in a     denial of service. (CVE-2023-31122)

    Prof. Sven Dietrich, Isa Jafarov, Prof. Heejo Lee, and Choongin Lee discovered that the Apache HTTP Server     incorrectly handled certain HTTP/2 connections. A remote attacker could possibly use this issue to cause     the server to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.04,     and Ubuntu 23.10. (CVE-2023-43622)

    Will Dormann and David Warren discovered that the Apache HTTP Server incorrectly handled memory when     handling HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to     consume resources, leading to a denial of service. (CVE-2023-45802)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable Security Center running on the remote host is affected by multiple vulnerabilities as referenced in the TNS-2023-42 advisory.

  - Security Center leverages third-party software to help provide underlying functionality. Several of the     third-party components (Apache, SimpleSAMLphp) were found to contain vulnerabilities, and updated versions     have been made available by the providers.Out of caution and in line with best practice, Tenable has opted     to upgrade these components to address the potential impact of the issues. Security Center 6.2.1 updates     Apache to version 2.4.58 and SimpleSAMLphp to version 2.0.7 to address the identified vulnerabilities.
    Tenable has released Security Center 6.2.1 to address these issues. The installation files can be obtained     from the Tenable Downloads Portal: https://www.tenable.com/downloads/security-center (CVE-2023-43622,     CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-433 advisory.

  - Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
    through 2.4.57. (CVE-2023-31122)

  - An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of     that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the     server, similar to the well known slow loris attack pattern. This has been fixed in version 2.4.58, so     that such connection are terminated properly after the configured connection timeout. This issue affects     Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which     fixes the issue. (CVE-2023-43622)

  - When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory     resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A     client could send new requests and resets, keeping the connection busy and open and causing the memory     footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run     out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid     Reset Exploit) with their own test client. During normal HTTP/2 use, the probability to hit this bug is     very low. The kept memory would not become noticeable before the connection closes or times out. Users are     recommended to upgrade to version 2.4.58, which fixes the issue. (CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of httpd24 installed on the remote host is prior to 2.4.58-1.101. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1877 advisory.

  - Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
    through 2.4.57. (CVE-2023-31122)

  - An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of     that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the     server, similar to the well known slow loris attack pattern. This has been fixed in version 2.4.58, so     that such connection are terminated properly after the configured connection timeout. This issue affects     Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which     fixes the issue. (CVE-2023-43622)

  - When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory     resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A     client could send new requests and resets, keeping the connection busy and open and causing the memory     footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run     out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid     Reset Exploit) with their own test client. During normal HTTP/2 use, the probability to hit this bug is     very low. The kept memory would not become noticeable before the connection closes or times out. Users are     recommended to upgrade to version 2.4.58, which fixes the issue. (CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of httpd installed on the remote host is prior to 2.4.58-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2322 advisory.

  - Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
    through 2.4.57. (CVE-2023-31122)

  - An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of     that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the     server, similar to the well known slow loris attack pattern. This has been fixed in version 2.4.58, so     that such connection are terminated properly after the configured connection timeout. This issue affects     Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which     fixes the issue. (CVE-2023-43622)

  - When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory     resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A     client could send new requests and resets, keeping the connection busy and open and causing the memory     footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run     out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid     Reset Exploit) with their own test client. During normal HTTP/2 use, the probability to hit this bug is     very low. The kept memory would not become noticeable before the connection closes or times out. Users are     recommended to upgrade to version 2.4.58, which fixes the issue. (CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.58. It is, therefore, affected by multiple vulnerabilities:

 - Out-of-bounds read vulnerability in mod_macro of Apache HTTP Server. (CVE-2023-31122)

 - An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known slow loris attack pattern. (CVE-2023-43622)

 - A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. (CVE-2023-45802) Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of httpd installed on the remote host is prior to 2.4.58. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2023-292-01 advisory.

  - mod_macro buffer over-read: Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue     affects Apache HTTP Server: through 2.4.57. Acknowledgements: finder: David Shoon (github/davidshoon)     (CVE-2023-31122)

  - Apache HTTP Server: DoS in HTTP/2 with initial windows size 0: An attacker, opening a HTTP/2 connection     with an initial window size of 0, was able to block handling of that connection indefinitely in Apache     HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known slow     loris attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated     properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55     through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
    Acknowledgements: (CVE-2023-43622)

  - Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST: When a HTTP/2 stream was reset     (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed     immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and     resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On     connection close, all resources were reclaimed, but the process might run out of memory before that. This     was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own     test client. During normal HTTP/2 use, the probability to hit this bug is very low. The kept memory     would not become noticeable before the connection closes or times out. Users are recommended to upgrade to     version 2.4.58, which fixes the issue. Acknowledgements: (CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the f923205f-6e66-11ee-85eb-84a93843eb75 advisory.

  - mod_macro buffer over-read: Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue     affects Apache HTTP Server: through 2.4.57. Acknowledgements: finder: David Shoon (github/davidshoon)     (CVE-2023-31122)

  - Apache HTTP Server: DoS in HTTP/2 with initial windows size 0: An attacker, opening a HTTP/2 connection     with an initial window size of 0, was able to block handling of that connection indefinitely in Apache     HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known slow     loris attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated     properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55     through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
    Acknowledgements: (CVE-2023-43622)

  - Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST: When a HTTP/2 stream was reset     (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed     immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and     resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On     connection close, all resources were reclaimed, but the process might run out of memory before that. This     was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own     test client. During normal HTTP/2 use, the probability to hit this bug is very low. The kept memory     would not become noticeable before the connection closes or times out. Users are recommended to upgrade to     version 2.4.58, which fixes the issue. Acknowledgements: (CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache httpd installed on the remote host is prior to 2.4.58. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.58 advisory.

  - Apache HTTP Server: DoS in HTTP/2 with initial windows size 0: An attacker, opening a HTTP/2 connection     with an initial window size of 0, was able to block handling of that connection indefinitely in Apache     HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known slow     loris attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated     properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55     through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue.
    Acknowledgements: (CVE-2023-43622)

  - Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST: When a HTTP/2 stream was reset     (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed     immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and     resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On     connection close, all resources were reclaimed, but the process might run out of memory before that. This     was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own     test client. During normal HTTP/2 use, the probability to hit this bug is very low. The kept memory     would not become noticeable before the connection closes or times out. Users are recommended to upgrade to     version 2.4.58, which fixes the issue. Acknowledgements: (CVE-2023-45802)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
204490	Photon OS 4.0: Httpd PHSA-2023-4.0-0502	Nessus	PhotonOS Local Security Checks	high
195044	Oracle Linux 9 : mod_http2 (ELSA-2024-2368)	Nessus	Oracle Linux Local Security Checks	high
194802	RHEL 9 : mod_http2 (RHSA-2024:2368)	Nessus	Red Hat Local Security Checks	high
193369	Debian dsa-5662 : apache2 - security update	Nessus	Debian Local Security Checks	high
192234	FreeBSD : www/varnish7 -- Denial of Service (05b7180b-e571-11ee-a1c0-0050569f0b83)	Nessus	FreeBSD Local Security Checks	high
187074	Tenable SecurityCenter Multiple Vulnerabilities (TNS-2023-44)	Nessus	Misc.	high
186191	Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : Apache HTTP Server vulnerabilities (USN-6506-1)	Nessus	Ubuntu Local Security Checks	high
186172	Tenable Security Center 5.23.1 / 6.0.0 / 6.1.0 / 6.1.1 / 6.2.0 Multiple Vulnerabilities (TNS-2023-42)	Nessus	Misc.	high
185718	Amazon Linux 2023 : httpd, httpd-core, httpd-devel (ALAS2023-2023-433)	Nessus	Amazon Linux Local Security Checks	high
184389	Amazon Linux AMI : httpd24 (ALAS-2023-1877)	Nessus	Amazon Linux Local Security Checks	high
184280	Amazon Linux 2 : httpd (ALAS-2023-2322)	Nessus	Amazon Linux Local Security Checks	high
114090	Apache 2.4.x < 2.4.58 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
183430	Slackware Linux 14.0 / 14.1 / 14.2 / 15.0 / current httpd Multiple Vulnerabilities (SSA:2023-292-01)	Nessus	Slackware Local Security Checks	high
183404	FreeBSD : Apache httpd -- Multiple vulnerabilities (f923205f-6e66-11ee-85eb-84a93843eb75)	Nessus	FreeBSD Local Security Checks	high
183391	Apache 2.4.x < 2.4.58 Multiple Vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2023-43622

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high