Asterisk Project Security Advisory - AST-2022-006

Product

Asterisk

Summary

pjproject: unconstrained malformed multipart SIP message

Nature of Advisory

Out of bounds memory access

Susceptibility

Remote unauthenticated sessions

Severity

Minor

Exploits Known

Yes

Reported On

March 3, 2022

Reported By

Sauw Ming

Posted On

March 4, 2022

Last Updated On

March 3, 2022

Advisory Contact

kharwell AT sangoma DOT com

CVE Name

CVE-2022-21723



Description

If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, it’s currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution.

Modules Affected

bundled pjproject


Resolution

If you use “with-pjproject-bundled” then upgrade to, or install one of, the versions of Asterisk listed below. Otherwise install the appropriate version of pjproject that contains the patch.


Affected Versions

Product

Release Series


Asterisk Open Source

16.x

All versions

Asterisk Open Source

18.x

All versions

Asterisk Open Source

19.x

All versions

Certified Asterisk

16.x

All versions


Corrected In

Product

Release

Asterisk Open Source

16.24.1,18.10.1,19.2.1

Certified Asterisk

16.8-cert13




Patches

Patch URL

Revision

https://downloads.digium.com/pub/security/AST-2022-006-16.diff

Asterisk 16

https://downloads.digium.com/pub/security/AST-2022-006-18.diff

Asterisk 18

https://downloads.digium.com/pub/security/AST-2022-006-19.diff

Asterisk 19

https://downloads.digium.com/pub/security/AST-2022-006-16.8.diff

Certified Asterisk 16.8



Links

https://issues.asterisk.org/jira/browse/ASTERISK-29945

https://downloads.asterisk.org/pub/security/AST-2022-006.html

https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-006.pdf and https://downloads.digium.com/pub/security/AST-2022-006.html


Revision History

Date

Editor

Revisions Made

March 3, 2022

Kevin Harwell

Initial revision


Asterisk Project Security Advisory - AST-2022-006
Copyright © 2022 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.