Amazon Linux 2 : httpd (ALAS-2023-2322)

high Nessus Plugin ID 184280

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

The version of httpd installed on the remote host is prior to 2.4.58-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2322 advisory.

Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
through 2.4.57. (CVE-2023-31122)

A flaw was found in httpd. This flaw allows an attacker opening an HTTP/2 connection with an initial window size of 0 to block handling of that connection indefinitely in the Apache HTTP Server. This vulnerability can exhaust worker resources in the server, similar to the well-known slow loris attack pattern. (CVE-2023-43622)

DescriptionA flaw was found in mod_http2. When a HTTP/2 stream is reset (RST frame) by a client, there is a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep on growing. On connection close, all resources are reclaimed but the process might run out of memory before connection close.

StatementDuring normal HTTP/2 use, the probability of encountering this issue is very low. The kept memory would not become noticeable before the connection closes or times out.

MitigationMitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. (CVE-2023-45802)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update httpd' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2023-2322.html

https://alas.aws.amazon.com/cve/html/CVE-2023-31122.html

https://alas.aws.amazon.com/cve/html/CVE-2023-43622.html

https://alas.aws.amazon.com/cve/html/CVE-2023-45802.html

https://alas.aws.amazon.com/faqs.html

Plugin Details

Severity: High

ID: 184280

File Name: al2_ALAS-2023-2322.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/2/2023

Updated: 12/11/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-43622

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:httpd-tools, p-cpe:/a:amazon:linux:mod_ldap, p-cpe:/a:amazon:linux:mod_proxy_html, p-cpe:/a:amazon:linux:mod_session, p-cpe:/a:amazon:linux:mod_ssl, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:httpd-devel, p-cpe:/a:amazon:linux:httpd-debuginfo, p-cpe:/a:amazon:linux:mod_md, p-cpe:/a:amazon:linux:httpd, p-cpe:/a:amazon:linux:httpd-manual, p-cpe:/a:amazon:linux:httpd-filesystem

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/30/2023

Vulnerability Publication Date: 10/19/2023

Reference Information

CVE: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802