Document non-impact of CVE-2023-44487 #10

Closed
wants to merge 1 commit into from
19 changes: 19 additions & 0 deletions content/security_report.md
Expand Up @@ -50,6 +50,25 @@ Apache HTTP Server vulnerabilities are labelled with
[CVE](http://cve.mitre.org) (Common Vulnerabilities and Exposures)
identifiers.

# Impact of third-party issues {#thirdparty}

This section describes issues that are not directly present in
Apache HTTP Server.

## CVE-2023-44487 HTTP/2 'Rapid Reset' {#CVE-2023-44487}

Apache HTTP Server is not impacted by the problem described in
[CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487):
the long-standing measures we have in place to limit excessive load
from clients are effective in this scenario. The attack described
will cause extra CPU usage on your Apache HTTP Server process, but
not impact any backends.

As an extra mitigation, if you upgrade the [libnghttp2](http://nghttp2.org/)
dependency of `mod_http2` to [at least version 1.57.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)
this will completely remove the impact from Rapid Reset exploits.


# Historical Releases {#historical}

Earlier versions of Apache HTTP Server are no longer receiving security
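Review bot: the first paragraph of the new CVE-2023-44487 section says Apache HTTP Server is "not impacted", but two sentences later it says the attack "will cause extra CPU usage on your Apache HTTP Server process", which is an impact, just a bounded one; consider rewording to say the server is not exposed to the amplification described in the CVE and that the effect is limited to additional CPU load on the httpd process, so the heading is not read as "no effect at all". The same paragraph refers to "the long-standing measures we have in place to limit excessive load" without naming them; pointing at the relevant `mod_http2` directives or the module documentation would let administrators verify their own configuration rather than take the claim on faith. In the second paragraph, "completely remove the impact" is an absolute claim for a dependency upgrade; "remove the extra CPU cost" or "mitigate" matches what the first paragraph describes. Minor: the new nghttp2.org link uses http:// while the CVE link uses https://, and there is a stray second blank line before the "# Historical Releases" heading.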