Asterisk
Project Security Advisory -
|
Product |
Asterisk |
|
Summary |
Exhaustion of Allowed Concurrent HTTP Connections |
|
Nature of Advisory |
Denial Of Service |
|
Susceptibility |
Remote Unauthenticated Sessions |
|
Severity |
Moderate |
|
Exploits Known |
No |
|
Reported On |
May 25, 2014 |
|
Reported By |
Richard Mudgett |
|
Posted On |
May 9, 2014 |
|
Last Updated On |
|
|
Advisory Contact |
Richard Mudgett <rmudgett AT digium DOT com> |
|
CVE Name |
CVE-2014-4047 |
|
Description |
Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked. |
|
Resolution |
The patched versions now have a session_inactivity timeout option in http.conf that defaults to 30000 ms. Users should upgrade to a corrected version, apply the released patches, or disable HTTP support. |
|
Affected Versions |
||
|
Product |
Release Series |
|
|
Asterisk Open Source |
1.8.x |
All versions |
|
Asterisk Open Source |
11.x |
All versions |
|
Asterisk Open Source |
12.x |
All versions |
|
Certified Asterisk |
1.8.15 |
All versions |
|
Certified Asterisk |
11.6 |
All versions |
|
Corrected In |
|
|
Product |
Release |
|
Asterisk Open Source |
1.8.28.1, 11.10.1, 12.3.1 |
|
Certified Asterisk |
1.8.15-cert6, 11.6-cert3 |
|
Patches |
|
|
SVN URL |
Revision |
|
http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff |
Asterisk 1.8 |
|
http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff |
Asterisk 11 |
|
http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff |
Asterisk 12 |
|
http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff |
Certified Asterisk 1.8.15 |
|
http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff |
Certified Asterisk 11.6 |
|
Links |
|
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
http://downloads.digium.com/pub/security/ |
|
Revision History |
||
|
Date |
Editor |
Revisions Made |
|
May 9, 2014 |
Richard Mudgett |
Document Creation |
|
June 12, 2014 |
Matt Jordan |
Added CVE |
Asterisk
Project Security Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.