Apache HTTP Server vulnerabilities fixed in latest update - 20231023001

Overview

Apache has released version 2.4.58 for HTTP Server which contains fixes for several vulnerabilities.

What is the vulnerability?

  • CVE-2023-31122 - mod_macro buffer over-read
  • CVE-2023-43622 - Apache HTTP Server: DoS in HTTP/2 with initial windows size 0
  • CVE-2023-45802 - Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

What is vulnerable?

The vulnerability affects the following products:

  • Apache HTTP Server versions <=2.4.57
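
A triage check for the version range and components listed above, as an added example that is not part of the advisory or Apache's own tooling. It assumes a CVE is only relevant on a host when its module is loaded (`macro_module` for mod_macro, `http2_module` for HTTP/2); the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): map a host to the three listed CVEs.
FIXED="2.4.58"   # fixed release named in the advisory

# Pull "2.4.57" out of a banner like "Server version: Apache/2.4.57 (Unix)".
httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed when dotted version $1 is strictly lower than $2 (numeric compare,
# so 2.4.9 sorts below 2.4.58, which a plain string compare gets wrong).
version_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # six fields: major.minor.patch of each version
    IFS=$old_ifs
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# $1 = output of `httpd -v`, $2 = output of `apachectl -M`.
# Prints "patched", "unknown-version", or the advisory CVEs whose module is loaded.
# Assumption: a CVE only matters on this host if its module is loaded.
triage() {
    ver=$(httpd_version "$1")
    [ -n "$ver" ] || { echo "unknown-version"; return 0; }
    version_lt "$ver" "$FIXED" || { echo "patched"; return 0; }
    cves=""
    case "$2" in *macro_module*) cves="CVE-2023-31122" ;; esac
    case "$2" in *http2_module*)
        cves="${cves:+$cves }CVE-2023-43622 CVE-2023-45802" ;; esac
    echo "${cves:-affected-version-no-listed-module}"
}

# Constructed sample input; on a real host use:
#   triage "$(httpd -v)" "$(apachectl -M 2>/dev/null)"
SAMPLE_BANNER='Server version: Apache/2.4.57 (Unix)'
SAMPLE_MODULES=' core_module (static)
 http2_module (shared)
 ssl_module (shared)'
triage "$SAMPLE_BANNER" "$SAMPLE_MODULES"
```

Distribution packages may backport these fixes without changing the upstream version string, so confirm a flagged host against the distribution's own security notices before treating it as unpatched.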

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month... (refer Patch Management):