Apache 2.4.56 and older bundled with Siteminder Access Gateway r12.8.x has been flagged for CVE-2023-43622 & CVE-2023-45802
search cancel

Apache 2.4.56 and older bundled with Siteminder Access Gateway r12.8.x has been flagged for CVE-2023-43622 & CVE-2023-45802

book

Article ID: 275324

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Apache 2.4.56 and older bundled with Siteminder Access Gateway r12.8.x has been flagged for CVE-2023-43622 & CVE-2023-45802

Environment

Product: Siteminder

Component: Access Gateway:

Version: r12.8.x

Operating System: ANY

Cause

Siteminder Access Gateway ships bundled with an instance of Apache HTTP Server.  The following is a list of Apache HTTP Server by Siteminder Access Gateway verion:

Access Gateway r12.8.4:   Apache HTTP Server 2.4.43
Access Gateway r12.8.5:   Apache HTTP Server 2.4.46
Access Gateway r12.8.6:   Apache HTTP Server 2.4.48
Access Gateway r12.8.6a: Apache HTTP Server 2.4.52
Access Gateway r12.8.7:   Apache HTTP Server 2.4.54

KB 262099 delivers Apache HTTP Server 2.4.56 for Access Gateway Server.
 
CVE-2023-43622 & CVE-2023-45802 have been published for a vulnerabilities impacting Apache HTTP Server <=2.4.57.

=================================
CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0

Severity: Low

Description: An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern.

This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.

This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.

Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Impacted Versions: <=2.4.57

Remediation: Apache HTTP 2.4.58

---------------------------------
CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST

Severity: Moderate

Description: When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that.

This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out.

Users are recommended to upgrade to version 2.4.58, which fixes the issue

Impacted Versions: <=2.4.57

Remediation: Apache HTTP 2.4.58
=================================

Resolution

Both CVE-2023-43622 & CVE-2023-45802 are related to HTTP/2.  The HTTP/2 protocol is implemented in Apache HTTP Server with the 'mod_http2' module.  The instance of Apache HTTP Server bundled with Siteminder Access Gateway does NOT include the HTTP/2 module 'mod_http2'.

Here are the modules loaded in Siteminder Access Gateway by default:

mod_env.so
mod_log_config.so
mod_setenvif.so
mod_ssl.so
mod_socache_shmcb.so
mod_mime.so
mod_jk.so
mod_alias.so
mod_authz_core.so
mod_unixd.so
mod_slotmem_shm.so

You can see all of the modules being loaded in Apache on the Siteminder Access Gateway server by doing the following:

1) Logon to the Siteminder Access Gateway host.

2) browse to the following location:

<Install_Dir>/secure-proxy/httpd/conf/httpd.conf

3) Search for all of the modules being loaded.  They will look like this:

LoadModule env_module modules/mod_env.so

4) Review the modules in the following directory

<Install_Dir>/secure-proxy/httpd/modules/

You will notice that 'mod_http2' is not present.

 

No action is necessary.  The 'mod_http2' module is not included in the Apache HTTP Server instance shipped with Siteminder Access Gateway.   Siteminder Access Gateway is not susceptible to either CVE-2023-43622 or CVE-2023-45802.

Additional Information

Apache 2.4.x Vulnerabilities

Apache 2.4.56 for Siteminder Access Gateway 12.8.x