CVE-2023-43622 Overview
CVE-2023-43622 is a denial of service vulnerability in Apache HTTP Server that allows an attacker to exhaust server worker resources by exploiting the HTTP/2 protocol's initial window size handling. By opening an HTTP/2 connection with an initial window size of 0, an attacker can cause the server to block handling of that connection indefinitely. This attack pattern is similar to the well-known "slow loris" attack and can effectively render affected Apache HTTP Server instances unavailable.
Critical Impact
Remote attackers can exhaust worker resources in Apache HTTP Server instances by opening malicious HTTP/2 connections with zero window size, causing denial of service conditions without authentication.
Affected Products
- Apache HTTP Server versions 2.4.55 through 2.4.57
- Systems running HTTP/2 protocol on affected Apache versions
- Web services and applications hosted on vulnerable Apache HTTP Server deployments
Discovery Timeline
- 2023-10-23 - CVE-2023-43622 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-43622
Vulnerability Analysis
This vulnerability (CWE-400: Uncontrolled Resource Consumption) exists in the HTTP/2 implementation within Apache HTTP Server. The HTTP/2 protocol uses flow control mechanisms including window sizes to manage data transmission between client and server. When a client initiates an HTTP/2 connection with an initial window size set to 0, the server's connection handler enters a blocking state while waiting for the window to open, effectively holding the connection indefinitely.
The vulnerability allows unauthenticated remote attackers to consume server resources without requiring any special privileges or user interaction. The attack can be executed over the network, making it particularly dangerous for internet-facing Apache HTTP Server deployments.
Root Cause
The root cause lies in improper handling of HTTP/2 connections where the initial flow control window size is set to 0. The server's connection handling logic failed to properly enforce timeouts for such connections, allowing them to persist indefinitely and consume worker threads. This represents a resource exhaustion issue where the server does not adequately protect against malicious connection configurations.
Attack Vector
The attack exploits the HTTP/2 flow control mechanism by establishing connections with a zero initial window size. An attacker can open multiple such connections to exhaust the server's worker pool, preventing legitimate requests from being processed. This attack is network-accessible and does not require authentication, making it accessible to any remote attacker who can reach the HTTP/2 endpoint.
The attack pattern mirrors the classic "slow loris" technique but leverages HTTP/2-specific flow control rather than incomplete HTTP/1.x requests. Each malicious connection ties up a worker resource indefinitely, and with sufficient connections, all available workers can be exhausted.
Detection Methods for CVE-2023-43622
Indicators of Compromise
- Unusual number of HTTP/2 connections with zero or minimal data transfer
- Server worker threads blocked on HTTP/2 connection handling
- Increased connection counts without corresponding request completion
- Server logs showing HTTP/2 connections timing out or failing to progress
Detection Strategies
- Monitor HTTP/2 connection states for connections stuck in flow control blocked state
- Alert on abnormally high numbers of concurrent HTTP/2 connections from single sources
- Track worker thread utilization and correlate with HTTP/2 connection patterns
- Implement network-level monitoring for HTTP/2 SETTINGS frames with zero window sizes
Monitoring Recommendations
- Deploy web application firewalls capable of inspecting HTTP/2 traffic characteristics
- Configure server monitoring to alert when worker thread pools approach exhaustion
- Enable detailed HTTP/2 connection logging to identify suspicious connection patterns
- Monitor server resource utilization for signs of worker thread starvation
How to Mitigate CVE-2023-43622
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.58 or later immediately
- Review and reduce the Timeout directive to limit connection blocking duration
- Consider temporarily disabling HTTP/2 protocol if upgrade is not immediately possible
- Implement rate limiting on incoming HTTP/2 connections at the network perimeter
Patch Information
Apache has released version 2.4.58 which properly terminates connections with zero initial window size after the configured connection timeout expires. Users should upgrade to this version to fully remediate the vulnerability. See the Apache HTTP Server Security Vulnerabilities page for official patch information and download links. Additional vendor guidance is available in the NetApp Security Advisory NTAP-20231027-0011.
Workarounds
- Reduce the Timeout directive value to minimize the duration connections can block
- Implement connection limits per IP address using mod_reqtimeout or network firewalls
- Deploy a reverse proxy or load balancer with HTTP/2 connection validation capabilities
- If HTTP/2 is not required, disable it by removing Protocols h2 h2c from configuration
# Configuration example - Mitigate by adjusting timeout and disabling HTTP/2
# In httpd.conf or relevant virtual host configuration
# Option 1: Reduce connection timeout
Timeout 30
# Option 2: Disable HTTP/2 if not required
# Remove or comment out the following line:
# Protocols h2 h2c http/1.1
# Option 3: Configure mod_reqtimeout for connection limits
<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,minrate=500
RequestReadTimeout body=10-30,minrate=500
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
