Document non-impact of CVE-2023-44487

[raboof]

We're getting questions about the impact of CVE-2023-44487 on Apache HTTP Server. While there's some information available (https://chaos.social/@icing/111212195435976222, https://chaos.social/@icing/111212195435976222) it might be good to have a statement around this on our own site.

We don't have a great place for this yet: https://httpd.apache.org/security/vulnerabilities_24.html seems like the logical place, though as that's generated from the CVEs it might be fiddly to fit in right now. Perhaps we should start with a section on https://httpd.apache.org/security_report.html and then move it once we come up with a better place for it?

[wdormann]

I'm not sure that I'd suggest that CVE-2023-44487 doesn't have an impact on Apache.
Using a simple python-based PoC exploit from a single attacking host with fast bandwidth against Apache (default Ubuntu 22.04 install with http2 enabled) running on a 32GB machine will OOM kill the apache2 process in about 6 minutes in my testing. I suppose this assumes that Ubuntu isn't disabling whatever default protections might be in place against CVE-2023-44487, if those protections are indeed a thing.

[Thu Oct 12 13:09:58 2023] Out of memory: Killed process 1328 (apache2) total-vm:63798416kB, anon-rss:31847208kB, file-rss:1332kB, shmem-rss:64kB, UID:33 pgtables:122424kB oom_score_adj:0

[icing]

I'm not sure that I'd suggest that CVE-2023-44487 doesn't have an impact on Apache. Using a simple python-based PoC exploit from a single attacking host with fast bandwidth against Apache (default Ubuntu 22.04 install with http2 enabled) running on a 32GB machine will OOM kill the apache2 process in about 6 minutes in my testing. I suppose this assumes that Ubuntu isn't disabling whatever default protections might be in place against CVE-2023-44487, if those protections are indeed a thing.

[Thu Oct 12 13:09:58 2023] Out of memory: Killed process 1328 (apache2) total-vm:63798416kB, anon-rss:31847208kB, file-rss:1332kB, shmem-rss:64kB, UID:33 pgtables:122424kB oom_score_adj:0

Interesting. I run the patched h2load distributed as demo by google before the announcement. I send over 1 GB of HEADER+RST to httpd and the memory does not increase after an initial warm up time. I tested the current version of mod_http2 v2.0.24 and the v2.0.11 that was released as part of Apache httpd 2.4.57.

Maybe your script is doing something different or triggering another effect? Is there a chance I can ran this for myself?

[rpluem]

It also needs to be considered that Ubuntu 22.04 which was used for the test uses httpd 2.4.52 and nghttp2 1.43 (+ whatever patches they have added). Maybe these older versions are still vulnerable?

[icing]

It also needs to be considered that Ubuntu 22.04 which was used for the test uses httpd 2.4.52 and nghttp2 1.43 (+ whatever patches they have added). Maybe these older versions are still vulnerable?

A valid question. I am not sure if the httpd project is able to make security assessments for releases of distros. I certainly do not have the manpower to do those.

[rpluem]

Let's wait if the the attacking script can be provided. If it does not trigger with our latest release I guess we are fine in general. Of course it would be interesting to know then since what version / combination with nghttp2 this is gone.

[icing]

OK, so in testing Apache 2.4.57 (with the same nghttp2) I can no longer reproduce the OOM condition. I suggest rather than using Apache HTTP Server is not impacted, perhaps As of version <version>, Apache HTTP Server is not impacted. Assuming you know when this protection was put in place. I'd also possibly reconsider using the long-standing measures we have in place language, especially depending on which version has protections against CVE-2023-44487.

Thanks for verifying. I agree that the currently proposed language might not be helpful. The counter-measure against the attack is indeed in place since 2016ish, but there might be other side effects that trigger a DoS in earlier versions.

e.g. if the protections came into play with 2.4.55 (as an example... I don't know if this is when protections were put in place), then Apache might only be protected against CVE-2023-44487 for less than a year. Which wouldn't count as long-standing by a stretch.

This can also be misleading. The 2.4.52 in Ubuntu LTS is most certainly not the 2.4.52 as we released it. Distros apply patches of their own which we do not know about. The responsibility, in my mind, lies with the maintainers of the LTS foremost.

So, we can find the earlier versions of our releases that protect, but if that helps customers is questionable.

[wdormann]

You seem to have replied to a message that I had deleted, due to a failure in my test by way of not properly enabling the http2 protocol.
Even with Apache 2.4.57, combined with the nghttp2 that comes with Ubuntu 22.04, httpd will eventually get killed by oom-kill when under attack using CVE-2023-44487.
Only nghttp2 v1.57.0 has a fix for CVE-2023-44487, so I don't think that Apache is in a place to say that it's not affected.

[icing]

@wdormann in that case, it would be helpful to get access to your test script. If you want to keep that confidential, please contact us at our security mailing list.

[wdormann]

I've shared the PoC with the security list.

[DanielRuf]

Any updates regarding this?

[iamamoose]

Any updates regarding this?

Hi, see https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2023-45802