Asterisk
Project Security Advisory -
Product |
Asterisk |
Summary |
Remote Crash Vulnerability in PJSIP channel driver |
Nature of Advisory |
Denial of Service |
Susceptibility |
Remote Authenticated Sessions |
Severity |
Moderate |
Exploits Known |
No |
Reported On |
April 6, 2021 |
Reported By |
Ivan Poddubny |
Posted On |
|
Last Updated On |
|
Advisory Contact |
Jcolp AT sangoma DOT com |
CVE Name |
CVE-2021-31878 |
Description |
When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is. |
Modules Affected |
res_pjsip_session.c |
Resolution |
Upgrade to one of the fixed versions of Asterisk or apply the appropriate patch. |
Affected Versions |
||
Product |
Release Series |
|
Asterisk Open Source |
16.x |
16.17.0, 16.18.0, 16.19.0 |
Asterisk Open Source |
18.x |
18.3.0, 18.4.0, 18.5.0 |
Corrected In |
|
Product |
Release |
Asterisk Open Source |
16.19.1, 18.5.1 |
Patches |
|
Patch URL |
Revision |
https://downloads.digium.com/pub/security/ |
Asterisk 16 |
https://downloads.digium.com/pub/security/ |
Asterisk 18 |
Links |
https://issues.asterisk.org/jira/browse/ASTERISK-29381 https://downloads.asterisk.org/pub/security/ |
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
https://downloads.digium.com/pub/security/ |
Revision History |
||
Date |
Editor |
Revisions Made |
April 28, 2021 |
Joshua Colp |
Initial revision |
Asterisk Project Security
Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.