{
  "threat_severity" : "Moderate",
  "public_date" : "2023-10-10T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_http2: DoS in HTTP/2 with initial window size 0",
    "id" : "2245153",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2245153"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "An attacker, opening an HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout.\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.", "A flaw was found in the mod_http2 module of httpd. This flaw allows an attacker opening an HTTP/2 connection with an initial window size of 0 to block handling of that connection indefinitely. This vulnerability can exhaust worker resources in the server, similar to the well-known \"slow loris\" attack pattern." ],
  "statement" : "This flaw only affects configurations with mod_http2 loaded and in use. Also, if no HTTP/2 server is configured, the httpd server is not affected and no further mitigation is needed.\nThe httpd mod_http2 module is enabled by default on Red Hat Enterprise Linux 8 and 9 via the mod_http2 package. However, no HTTP/2 server is configured by default.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2368",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "mod_http2-0:2.0.26-1.el9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "httpd:2.4/mod_http2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Not affected",
    "package_name" : "mod_http2",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-43622\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-43622\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-43622" ],
  "name" : "CVE-2023-43622",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}