Asterisk Project Security Advisory -
Product | Asterisk
Summary | pjproject: unconstrained malformed multipart SIP message
Nature of Advisory | Out of bounds memory access
Susceptibility | Remote unauthenticated sessions
Severity | Minor
Exploits Known | Yes
Reported On | March 3, 2022
Reported By | Sauw Ming
Posted On | March 4, 2022
Last Updated On |
Advisory Contact | kharwell AT sangoma DOT com
CVE Name | CVE-2022-21723
Description | If an incoming SIP message contains a malformed multipart body, an out-of-bounds read may occur in the bundled pjproject, which can result in undefined behavior. Note that it is currently uncertain whether there is any externally exploitable vector within Asterisk for this issue; it is being published as a security issue out of caution.
Modules Affected | bundled pjproject
Resolution | If Asterisk was built with “--with-pjproject-bundled”, upgrade to, or install, one of the versions of Asterisk listed below. Otherwise install a version of pjproject that contains the patch for this issue (see the pjproject advisory in the Links section below).
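The description above states only that a malformed multipart body can drive pjproject's parser into an out-of-bounds read. The following is an added illustration, not pjproject's or Asterisk's code, of the bounds discipline a multipart body walker needs: every search is confined to the caller's buffer length, and a body whose parts are never closed by a delimiter (a truncated body) is rejected instead of being read past its end. The boundary string "b", the sample bodies and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded substring search over [hay, hay + hay_len): no byte outside that
 * range is ever compared.  Returns NULL when `needle` is absent. */
static const char *bounded_find(const char *hay, size_t hay_len,
                                const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len)
        return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    return NULL;
}

/* Count the parts of a multipart body delimited by `boundary`.
 * Returns the number of parts, or -1 if the body is malformed: no opening
 * delimiter, a delimiter line with no CRLF, or a part that is never
 * terminated by another delimiter (truncated body).
 * `body` is treated as `len` raw bytes; it need not be NUL-terminated.
 * Simplification (hypothetical illustration, not an RFC 2046 validator):
 * the boundary's character set is not checked, and any transport padding
 * after a delimiter is skipped up to the CRLF. */
int multipart_count_parts(const char *body, size_t len, const char *boundary)
{
    char delim[80];                      /* CRLF "--" boundary */
    size_t blen = strlen(boundary);
    if (blen == 0 || blen + 4 >= sizeof delim)
        return -1;
    memcpy(delim, "\r\n--", 4);
    memcpy(delim + 4, boundary, blen);
    size_t dlen = blen + 4;

    const char *end = body + len;
    const char *cur;
    /* The first delimiter may open the body with no preceding CRLF. */
    if (len >= dlen - 2 && memcmp(body, delim + 2, dlen - 2) == 0) {
        cur = body + (dlen - 2);
    } else {
        const char *first = bounded_find(body, len, delim, dlen);
        if (!first)
            return -1;
        cur = first + dlen;
    }

    int parts = 0;
    for (;;) {
        /* Closing delimiter: "--" directly after the boundary.  The length
         * check matters: an unchecked parser would read cur[0] and cur[1]
         * even when cur == end, which is exactly the truncated-body case. */
        if ((size_t)(end - cur) >= 2 && cur[0] == '-' && cur[1] == '-')
            return parts;
        /* Skip the rest of the delimiter line (padding + CRLF). */
        const char *eol = bounded_find(cur, (size_t)(end - cur), "\r\n", 2);
        if (!eol)
            return -1;
        cur = eol + 2;
        /* The part runs until the next CRLF "--" boundary.  If the body
         * ends first, report it rather than scanning on past `end`. */
        const char *next = bounded_find(cur, (size_t)(end - cur), delim, dlen);
        if (!next)
            return -1;
        parts++;
        cur = next + dlen;
    }
}

/* Constructed sample bodies (not taken from any real capture). */
const char SAMPLE_OK[] =
    "--b\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
    "--b\r\nContent-Type: application/pidf+xml\r\n\r\n<x/>\r\n"
    "--b--\r\n";
const char SAMPLE_TRUNCATED[] =
    "--b\r\nContent-Type: application/sdp\r\n\r\nv=0\r\n"
    "--b";                               /* body stops inside a delimiter line */

int main(void)
{
    printf("well-formed: %d parts\n",
           multipart_count_parts(SAMPLE_OK, sizeof SAMPLE_OK - 1, "b"));
    printf("truncated:   %d\n",
           multipart_count_parts(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED - 1, "b"));
    return 0;
}
```

The point of the example is the pair of `end - cur` checks: each one is a place where a parser that assumes a well-formed body will step past the buffer. When auditing or fuzzing a multipart parser, building it with `-fsanitize=address` and feeding it bodies cut off at every offset of a valid sample is the quickest way to surface the same class of read.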
Affected Versions
Product | Release Series | Versions Affected
Asterisk Open Source | 16.x | All versions
Asterisk Open Source | 18.x | All versions
Asterisk Open Source | 19.x | All versions
Certified Asterisk | 16.x | All versions
Corrected In
Product | Release
Asterisk Open Source | 16.24.1, 18.10.1, 19.2.1
Certified Asterisk | 16.8-cert13
Patches
Patch URL | Revision
https://downloads.digium.com/pub/security/ | Asterisk 16
https://downloads.digium.com/pub/security/ | Asterisk 18
https://downloads.digium.com/pub/security/ | Asterisk 19
https://downloads.digium.com/pub/security/ | Certified Asterisk 16.8
Links |
https://issues.asterisk.org/jira/browse/ASTERISK-29945
https://downloads.asterisk.org/pub/security/
https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security. This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/
Revision History
Date | Editor | Revisions Made
March 3, 2022 | Kevin Harwell | Initial revision
Copyright ©
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.