Asterisk
Project Security Advisory -
Product |
Asterisk |
Summary |
pjproject: undefined behavior after freeing a dialog set |
Nature of Advisory |
Denial of service |
Susceptibility |
Remote unauthenticated sessions |
Severity |
Major |
Exploits Known |
Yes |
Reported On |
March 3, 2022 |
Reported By |
Sauw Ming |
Posted On |
March 4, 2022 |
Last Updated On |
|
Advisory Contact |
kharwell AT sangoma DOT com |
CVE Name |
CVE-2022-23608 |
Description |
When acting as a UAC, and when placing an outgoing call to a target that then forks Asterisk may experience undefined behavior (crashes, hangs, etc…) after a dialog set is prematurely freed. |
Modules Affected |
bundled pjproject |
Resolution |
If you use “with-pjproject-bundled” then upgrade to, or install one of, the versions of Asterisk listed below. Otherwise install the appropriate version of pjproject that contains the patch. |
Affected Versions |
||
Product |
Release Series |
|
Asterisk Open Source |
16.x |
All versions |
Asterisk Open Source |
18.x |
All versions |
Asterisk Open Source |
19.x |
All versions |
Certified Asterisk |
16.x |
All versions |
Corrected In |
|
Product |
Release |
Asterisk Open Source |
16.24.1,18.10.1,19.2.1 |
Certified Asterisk |
16.8-cert13 |
|
|
Patches |
|
Patch URL |
Revision |
https://downloads.digium.com/pub/security/ |
Asterisk 16 |
https://downloads.digium.com/pub/security/ |
Asterisk 18 |
https://downloads.digium.com/pub/security/ |
Asterisk 19 |
https://downloads.digium.com/pub/security/ |
Certified Asterisk 16.8 |
Links |
https://issues.asterisk.org/jira/browse/ASTERISK-29945 https://downloads.asterisk.org/pub/security/ https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62 |
Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later
versions; if so, the latest version will be posted at
https://downloads.digium.com/pub/security/ |
Revision History |
||
Date |
Editor |
Revisions Made |
March 3, 2022 |
Kevin Harwell |
Initial revision |
Asterisk Project Security
Advisory -
Copyright
©
Permission is hereby granted
to distribute and publish this advisory in its original, unaltered
form.