Asterisk Project Security Advisory - AST-2022-005

Product

Asterisk

Summary

pjproject: undefined behavior after freeing a dialog set

Nature of Advisory

Denial of service

Susceptibility

Remote unauthenticated sessions

Severity

Major

Exploits Known

Yes

Reported On

March 3, 2022

Reported By

Sauw Ming

Posted On

March 4, 2022

Last Updated On

March 3, 2022

Advisory Contact

kharwell AT sangoma DOT com

CVE Name

CVE-2022-23608



Description

When acting as a UAC and placing an outgoing call to a target that then forks (so that several early dialogs share one dialog set), Asterisk may experience undefined behavior (crashes, hangs, etc.) after the dialog set is prematurely freed while it is still in use. No authentication by the remote party is required, only the ability to have Asterisk place a call that forks.

Modules Affected

bundled pjproject


Resolution

If Asterisk was built with the bundled pjproject (configure option --with-pjproject-bundled), upgrade to, or install, one of the corrected Asterisk versions listed below; the bundled copy is patched as part of those releases. Otherwise Asterisk links against a system pjproject, and upgrading Asterisk alone does not fix the issue: install a version of pjproject that contains the fix (see the pjproject advisory under Links).


Affected Versions

Product                  Release Series   Versions
Asterisk Open Source     16.x             All versions
Asterisk Open Source     18.x             All versions
Asterisk Open Source     19.x             All versions
Certified Asterisk       16.x             All versions


Corrected In

Product                  Release
Asterisk Open Source     16.24.1, 18.10.1, 19.2.1
Certified Asterisk       16.8-cert13
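As an added example that is not part of this advisory or of the Asterisk project's own tooling, the following POSIX shell script classifies an Asterisk version string against the corrected releases listed in this advisory (16.24.1, 18.10.1, 19.2.1 and 16.8-cert13). It assumes Asterisk was built with --with-pjproject-bundled (a system pjproject must be checked against the pjproject advisory instead), that "asterisk -V" prints a banner of the form "Asterisk 18.10.0", and the function and file names are this example's own. Series the advisory does not list are reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify an Asterisk version
# string against the AST-2022-005 "Corrected In" table. Assumes Asterisk
# was built with --with-pjproject-bundled; a system pjproject must be
# checked separately. Series not named in the advisory are reported as
# "unknown" rather than guessed.

# vercmp A B: print -1, 0 or 1 for dotted numeric versions A <, =, > B.
# Components are compared numerically, so 18.9.5 sorts before 18.10.1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# ast_version_from_banner "Asterisk 18.10.0" -> 18.10.0
# (assumes the "asterisk -V" banner shape; constructed for this example)
ast_version_from_banner() {
    b="$1"
    printf '%s\n' "${b#Asterisk }"
}

# ast_2022_005_status VERSION: print fixed, affected or unknown.
ast_2022_005_status() {
    v="$1"
    case "$v" in
        16.8-cert*)
            # Certified Asterisk 16.8: fixed from cert13 per the advisory.
            n="${v#16.8-cert}"
            case "$n" in
                ''|*[!0-9]*) echo unknown; return ;;
            esac
            if [ "$n" -ge 13 ]; then echo fixed; else echo affected; fi
            return ;;
        *cert*)
            # Other Certified branches are not covered by this advisory.
            echo unknown; return ;;
        ''|*[!0-9.]*|.*|*.|*..*)
            # Not a plain dotted release (e.g. GIT-18-... builds).
            echo unknown; return ;;
    esac
    # Open-source series -> first corrected release (advisory table).
    case "${v%%.*}" in
        16) fixed=16.24.1 ;;
        18) fixed=18.10.1 ;;
        19) fixed=19.2.1 ;;
        *)  echo unknown; return ;;
    esac
    if [ "$(vercmp "$v" "$fixed")" -ge 0 ]; then echo fixed; else echo affected; fi
}

# Usage: sh ast-2022-005-check.sh [VERSION ...]
# With no arguments, the version is read from the local "asterisk -V" banner.
if [ $# -gt 0 ]; then
    for v in "$@"; do
        printf '%s\t%s\n' "$v" "$(ast_2022_005_status "$v")"
    done
elif command -v asterisk >/dev/null 2>&1; then
    v=$(ast_version_from_banner "$(asterisk -V)")
    printf '%s\t%s\n' "$v" "$(ast_2022_005_status "$v")"
fi
```

Run it as "sh ast-2022-005-check.sh 16.24.0 18.10.1" or with no arguments on the host itself; any line reporting "affected" means the corrected release for that series should be installed. Certified builds are judged by the cert number alone because their numbering is not comparable with the open-source series, and anything that is not a plain dotted release is left as "unknown" for a human to inspect.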




Patches

Patch URL                                                              Revision
https://downloads.digium.com/pub/security/AST-2022-005-16.diff         Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-005-18.diff         Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-005-19.diff         Asterisk 19
https://downloads.digium.com/pub/security/AST-2022-005-16.8.diff       Certified Asterisk 16.8



Links

https://issues.asterisk.org/jira/browse/ASTERISK-29945

https://downloads.asterisk.org/pub/security/AST-2022-005.html

https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62


Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-005.pdf and https://downloads.digium.com/pub/security/AST-2022-005.html


Revision History

Date            Editor          Revisions Made
March 3, 2022   Kevin Harwell   Initial revision


Copyright © 2022 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.