CVE-2023-45802
Public on 2023-10-23
Modified on 2024-02-12
Description
Description
A flaw was found in mod_http2. When a HTTP/2 stream is reset (RST frame) by a client, there is a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep on growing. On connection close, all resources are reclaimed but the process might run out of memory before connection close.
Statement
During "normal" HTTP/2 use, the probability of encountering this issue is very low. The kept memory would not become noticeable before the connection closes or times out.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A flaw was found in mod_http2. When a HTTP/2 stream is reset (RST frame) by a client, there is a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep on growing. On connection close, all resources are reclaimed but the process might run out of memory before connection close.
Statement
During "normal" HTTP/2 use, the probability of encountering this issue is very low. The kept memory would not become noticeable before the connection closes or times out.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | httpd | 2023-10-30 | ALAS2-2023-2322 | Fixed |
| Amazon Linux 2023 | httpd | 2023-11-09 | ALAS2023-2023-433 | Fixed |
| Amazon Linux 1 | httpd24 | 2023-10-30 | ALAS-2023-1877 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| NVD | CVSSv3 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |