CVE-2023-45802 Overview
CVE-2023-45802 is a Memory Leak vulnerability affecting Apache HTTP Server's HTTP/2 implementation. When a HTTP/2 stream is reset (RST frame) by a client, there exists a time window where the request's memory resources are not reclaimed immediately. Instead, de-allocation is deferred to connection close. A malicious client could exploit this behavior by continuously sending new requests and resets, keeping the connection busy and open while causing the memory footprint to grow unbounded. The process may run out of memory before the connection closes or times out.
This vulnerability was discovered during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit). While the probability of triggering this bug during normal HTTP/2 use is low, a determined attacker can deliberately exploit this behavior to cause denial of service through resource exhaustion.
Critical Impact
Attackers can cause memory exhaustion on Apache HTTP Server by exploiting the delayed memory deallocation in HTTP/2 stream reset handling, leading to denial of service conditions.
Affected Products
- Apache HTTP Server (versions prior to 2.4.58)
- Fedora 37, 38, and 39
- Debian Linux 10.0
Discovery Timeline
- 2023-10-23 - CVE-2023-45802 published to NVD
- 2025-08-25 - Last updated in NVD database
Technical Details for CVE-2023-45802
Vulnerability Analysis
The vulnerability resides in Apache HTTP Server's HTTP/2 protocol implementation within the mod_http2 module. When processing HTTP/2 RST_STREAM frames, the server fails to immediately reclaim memory resources associated with the reset stream. This improper resource shutdown behavior (CWE-404) creates a race condition where memory deallocation is deferred until the entire connection is closed.
Under normal HTTP/2 operation, this behavior has minimal impact since connections eventually close and resources are properly reclaimed. However, an attacker can exploit this weakness by establishing a persistent HTTP/2 connection and rapidly cycling through request/reset sequences. Each reset cycle accumulates unreleased memory, and with sufficient iterations, the server's memory can be exhausted before connection timeout occurs.
This vulnerability is particularly dangerous when combined with knowledge of CVE-2023-44487 (HTTP/2 Rapid Reset), as attackers already familiar with HTTP/2 stream manipulation techniques can readily adapt their tooling to exploit this memory leak.
Root Cause
The root cause is improper resource shutdown or release (CWE-404) in the HTTP/2 stream handling code. When a client sends an RST_STREAM frame to reset an active request, the server correctly acknowledges the reset but delays memory deallocation. The memory buffers allocated for the request remain in use until the underlying connection is terminated, creating a window for memory accumulation. This design flaw allows unbounded memory growth when an attacker maintains a persistent connection while continuously resetting streams.
Attack Vector
The attack vector is network-based and does not require authentication or user interaction. An attacker can exploit this vulnerability remotely by:
- Establishing an HTTP/2 connection to the target Apache HTTP Server
- Initiating multiple HTTP/2 streams with requests
- Immediately sending RST_STREAM frames to reset each stream
- Repeating steps 2-3 in rapid succession while keeping the connection open
- The server's memory footprint grows with each reset cycle
- Eventually, the server exhausts available memory, causing denial of service
The attack requires network access to the vulnerable server and the ability to maintain a persistent HTTP/2 connection. While the attack complexity is higher than some DoS vectors, the technique can be automated and scaled effectively.
Detection Methods for CVE-2023-45802
Indicators of Compromise
- Unusual memory consumption growth on Apache HTTP Server processes without corresponding increase in legitimate traffic
- High volume of HTTP/2 RST_STREAM frames from single client connections
- Long-lived HTTP/2 connections with abnormally high stream reset counts
- Apache error logs showing memory allocation failures or out-of-memory conditions
Detection Strategies
- Monitor Apache HTTP Server process memory usage for sustained growth patterns over time
- Implement HTTP/2 connection monitoring to identify clients sending excessive RST_STREAM frames
- Configure alerting for Apache processes exceeding memory thresholds
- Analyze HTTP/2 traffic patterns for anomalous request/reset ratios per connection
Monitoring Recommendations
- Deploy network-level monitoring for HTTP/2 frame analysis, specifically tracking RST_STREAM frame frequency
- Enable Apache status module (mod_status) to monitor connection and memory metrics
- Implement automated memory consumption alerts with appropriate baselines for normal operation
- Consider logging HTTP/2 stream lifecycle events for forensic analysis
How to Mitigate CVE-2023-45802
Immediate Actions Required
- Upgrade Apache HTTP Server to version 2.4.58 or later immediately
- Review and apply security patches from your Linux distribution vendor
- Implement connection rate limiting and stream limits for HTTP/2 connections as a defense-in-depth measure
- Monitor server memory utilization during the upgrade planning period
Patch Information
Apache has released version 2.4.58 which fixes this memory leak vulnerability. Users should upgrade to this version or later to remediate CVE-2023-45802. The official security advisory is available at the Apache HTTPD Vulnerabilities page.
Distribution-specific patches are available:
- Fedora users should apply updates from the Fedora Package Announcements
- Debian users should reference the Debian LTS Announcement
- NetApp customers should review the NetApp Security Advisory
Workarounds
- If immediate patching is not possible, consider temporarily disabling HTTP/2 support by removing Protocols h2 h2c http/1.1 directive or setting Protocols http/1.1
- Implement connection limits using MaxRequestWorkers and MaxConnectionsPerChild directives to limit memory impact
- Configure aggressive timeout values using Timeout and KeepAliveTimeout directives to force connection closures
- Deploy a reverse proxy or load balancer in front of Apache to provide additional HTTP/2 traffic filtering
# Disable HTTP/2 temporarily in Apache configuration
# Edit /etc/httpd/conf/httpd.conf or /etc/apache2/apache2.conf
# Comment out or remove H2 protocols
# Protocols h2 h2c http/1.1
# Replace with HTTP/1.1 only
Protocols http/1.1
# Reduce connection persistence to minimize attack window
KeepAliveTimeout 5
MaxKeepAliveRequests 100
# Restart Apache to apply changes
# systemctl restart httpd
# or
# systemctl restart apache2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
