Asterisk
Project Security Advisory -
|
Product |
Asterisk |
|
Summary |
Remote Crash in PJSIP Channel Driver's Publish/Subscribe Framework |
|
Nature of Advisory |
Denial of Service |
|
Susceptibility |
Remote Unauthenticated Sessions |
|
Severity |
Moderate |
|
Exploits Known |
No |
|
Reported On |
March 17, 2014 |
|
Reported By |
John Bigelow <jbigelow AT digium DOT com> |
|
Posted On |
June 12, 2014 |
|
Last Updated On |
|
|
Advisory Contact |
Kevin Harwell <kharwell AT digium DOT com> |
|
CVE Name |
CVE-2014-4045 |
|
Description |
A remotely exploitable crash vulnerability exists in the PJSIP channel driver's pub/sub framework. If an attempt is made to unsubscribe when not currently subscribed and the endpoint's “sub_min_expiry” is set to zero, Asterisk tries to create an expiration timer with zero seconds, which is not allowed, so an assertion raised. |
|
Resolution |
Upgrade to a version with the patch integrated, apply the patch, or make sure the “sub_min_expiry” endpoint configuration option is greater than zero. |
|
Affected Versions |
||
|
Product |
Release Series |
|
|
Asterisk Open Source |
12.x |
All |
|
Corrected In |
|
|
Product |
Release |
|
Asterisk Open Source 12.x |
12.3.1 |
|
Patches |
|
|
SVN URL |
Revision |
|
http://downloads.asterisk.org/pub/security/AST-2014-005-12.diff |
Asterisk 12 |
|
Links |
|
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/security/ |
|
Revision History |
||
|
Date |
Editor |
Revisions Made |
|
April 14, 2014 |
Kevin Harwell |
Document Creation |
|
June 12, 2014 |
Matt Jordan |
Added CVE |
Asterisk
Project Security Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.