Three Apache HTTP Server Security Vulnerabilities to Watch Out For

by do son · October 19, 2023

The Apache HTTP Server, also known as Apache, is the most popular web server software in the world, powering over 36% of all websites. It is known for its reliability, security, and performance. However, like any software, Apache is not immune to security vulnerabilities.

Today, Apache Software Foundation revealed three security vulnerabilities in the Apache HTTP Server:

CVE-2023-31122: Out-of-bounds Read Vulnerability
CVE-2023-43622: Apache HTTP Server DoS in HTTP/2 with initial windows size 0
CVE-2023-45802: Apache HTTP Server HTTP/2 stream memory not reclaimed right away on RST

CVE-2023-31122: Out-of-bounds Read Vulnerability

Out-of-bounds Read vulnerabilities allow attackers to read data from memory that is outside of the intended bounds of a program. This can be exploited to steal sensitive data, such as passwords or credit card numbers.

This bug affects the mod_macro module of the Apache HTTP Server. It can be exploited by sending a specially crafted HTTP request to an affected server.

CVE-2023-43622: Apache HTTP Server DoS in HTTP/2 with initial windows size 0

Echoing the malevolent mechanisms of the infamous “slow loris” attack, this vulnerability can bring the server to its knees. By initiating an HTTP/2 connection with an initial window size of 0, malefactors can indefinitely suspend the handling of that connection. This sinister maneuver exhausts the server’s worker resources, essentially paralyzing it.

This vulnerability affects Apache HTTP Server versions 2.4.55 through 2.4.57.

CVE-2023-45802: Apache HTTP Server HTTP/2 stream memory not reclaimed right away on RST

Every server’s worst nightmare is running out of memory. This vulnerability, discovered during the testing of another vulnerability (CVE-2023-44487), opens the door for this scenario. When an HTTP/2 stream is reset by a client, there is a brief yet perilous window where the request’s memory resources linger, not being immediately reclaimed. While this might not be immediately noticeable during “normal” HTTP/2 use, an astute attacker could exploit this to exhaust the server’s memory. This vulnerability affects Apache HTTP Server versions 2.4.55 through 2.4.57.

What can you do to protect yourself?

The best way to protect yourself from these vulnerabilities is to upgrade to the latest version of Apache HTTP Server, version 2.4.58.