wdormann commented on PR #10:
URL: https://github.com/apache/httpd-site/pull/10#issuecomment-1759629482

   I'm not sure that I'd suggest that CVE-2023-44487 doesn't have an impact on 
Apache.
   Using a simple Python-based PoC exploit from a **single** attacking host 
with fast bandwidth against Apache (default Ubuntu 22.04 install with http2 
enabled) running on a 32GB machine will OOM kill the apache2 process in about 6 
minutes in my testing.  I suppose this assumes that Ubuntu isn't disabling 
whatever default protections might be in place against CVE-2023-44487, if those 
protections are indeed a thing.
   
   ```
   [Thu Oct 12 13:09:58 2023] Out of memory: Killed process 1328 (apache2) total-vm:63798416kB, anon-rss:31847208kB, file-rss:1332kB, shmem-rss:64kB, UID:33 pgtables:122424kB oom_score_adj:0
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
