
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2023-45802 is a vulnerability discovered in Apache HTTP Server's HTTP/2 implementation that affects versions 2.4.17 through 2.4.57. The vulnerability was identified during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) and was disclosed in October 2023 (Vendor Advisory).
When an HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. This implementation flaw allowed a client to send new requests and resets, keeping the connection busy and open, causing the memory footprint to continuously grow. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 MEDIUM with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).
The primary impact of this vulnerability is potential denial of service through memory exhaustion. While all resources were eventually reclaimed on connection close, the process might run out of memory before that point. During normal HTTP/2 use, the probability of encountering this bug was considered very low, as the retained memory would not become noticeable before the connection closes or times out (Vendor Advisory).
Users are recommended to upgrade to Apache HTTP Server version 2.4.58, which contains the fix for this vulnerability. The fix addresses the memory reclamation issue by ensuring proper resource cleanup when HTTP/2 streams are reset (Vendor Advisory).
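The affected range and fixed version above can be turned into a host triage check. The following is an added example, not part of the advisory or of Apache's tooling: it assumes you have collected the text output of `httpd -v` and `httpd -M` from each host, and the sample outputs embedded in it are constructed.

```python
import re

# Range stated on this page: 2.4.17 through 2.4.57 affected, 2.4.58 fixed.
FIRST_AFFECTED = (2, 4, 17)
LAST_AFFECTED = (2, 4, 57)

# Constructed sample inputs, shaped like `httpd -v` and `httpd -M` output.
SAMPLE_V = "Server version: Apache/2.4.57 (Unix)\nServer built:   Apr  6 2023 12:00:00\n"
SAMPLE_M = "Loaded Modules:\n core_module (static)\n http2_module (shared)\n ssl_module (shared)\n"


def parse_version(httpd_v_output):
    """Return (major, minor, patch) from `httpd -v` output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(g) for g in m.groups()) if m else None


def http2_loaded(httpd_m_output):
    """True if mod_http2 (http2_module) appears in the `httpd -M` listing."""
    return re.search(r"^\s*http2_module\b", httpd_m_output, re.MULTILINE) is not None


def triage(httpd_v_output, httpd_m_output):
    """Classify one host against the CVE-2023-45802 version range."""
    version = parse_version(httpd_v_output)
    if version is None:
        return "unknown: no Apache version string found"
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "not affected: version outside 2.4.17-2.4.57"
    if not http2_loaded(httpd_m_output):
        # The flaw is in the HTTP/2 implementation; without mod_http2 the
        # server does not speak HTTP/2, but the upgrade is still advisable.
        return "in affected range: mod_http2 not loaded, HTTP/2 not served"
    # A loaded module means HTTP/2 can be enabled by configuration.
    # Distribution packages may backport the fix without changing the
    # upstream version number, so confirm against the vendor changelog.
    return "affected: upgrade to 2.4.58 or confirm a vendor backport"


if __name__ == "__main__":
    print(triage(SAMPLE_V, SAMPLE_M))
```

The version comparison alone cannot see distribution backports, so treat an "affected" result as a prompt to check the package changelog rather than as final.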
Source: This report was generated using AI