Alpine: multiple apache2 packages: security update to 2.4.57-r3 (deprecated)

high Tenable Cloud Security Plugin ID 401395

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.This issue affects Apache HTTP Server:
through 2.4.57. (CVE-2023-31122)

- An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of
that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the
server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so
that such connection are terminated properly after the configured connection timeout. This issue affects
Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which
fixes the issue. (CVE-2023-43622)

- When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory
resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A
client could send new requests and resets, keeping the connection busy and open and causing the memory
footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run
out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid
Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is
very low. The kept memory would not become noticeable before the connection closes or times out. Users are
recommended to upgrade to version 2.4.58, which fixes the issue. (CVE-2023-45802)

See Also

https://git.alpinelinux.org/aports/commit/?id=c9ecd983462faac61070d84a72084faea9a1b7df

https://git.alpinelinux.org/aports/commit/?id=fc527039dcbd1325aa1bd6991322448e09aeebbd

Plugin Details

Severity: High

ID: 401395

Version: Revision 1.34

Type: Local

Published: 10/19/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2023-43622

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/19/2023

Vulnerability Publication Date: 10/19/2023

Reference Information

CVE: CVE-2023-31122, CVE-2023-43622, CVE-2023-45802

IAVA: 2023-A-0572