Showing 1 - 3 of 3

CVE-2023-45802

Status Candidate

Overview

When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Related Files

Red Hat Security Advisory 2024-2891-03: Posted May 17, 2024; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2024-2891-03 - An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.; tags | advisory, denial of service; systems | linux, redhat; advisories | CVE-2023-45802; SHA-256 | f2d9f7454882a039967a4ca78fc338fae962f63091d1b119f0dbe378bbe31486; Download | Favorite | View

Debian Security Advisory 5662-1: Posted Apr 17, 2024; Authored by Debian | Site debian.org; Debian Linux Security Advisory 5662-1 - Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in HTTP response splitting or denial of service.; tags | advisory, web, denial of service, vulnerability; systems | linux, debian; advisories | CVE-2023-31122, CVE-2023-38709, CVE-2023-43622, CVE-2023-45802, CVE-2024-24795, CVE-2024-27316; SHA-256 | 91dd197c5a6d8baaed2ebca649cbbb006dfaa18a448d23acca955357225d36eb; Download | Favorite | View

Ubuntu Security Notice USN-6506-1: Posted Nov 22, 2023; Authored by Ubuntu | Site security.ubuntu.com; Ubuntu Security Notice 6506-1 - David Shoon discovered that the Apache HTTP Server mod_macro module incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause the server to crash, resulting in a denial of service. Prof. Sven Dietrich, Isa Jafarov, Prof. Heejo Lee, and Choongin Lee discovered that the Apache HTTP Server incorrectly handled certain HTTP/2 connections. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.04, and Ubuntu 23.10.; tags | advisory, remote, web, denial of service; systems | linux, ubuntu; advisories | CVE-2023-31122, CVE-2023-43622, CVE-2023-45802; SHA-256 | 8a919d1a4d307c69872670d645ac6969f558a3c26282d75583807e9eb42825c5; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 64 files
Debian 22 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,175)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,140)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,480)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,022)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

CVE-2023-45802

Overview

Related Files

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems