AST-YYYY-NNN

Product	Asterisk
Summary	Remote Crash Vulnerability in H323 channel add on
Nature of Advisory	Exploitable Stack Buffer Underflow
Susceptibility	Remote Unauthenticated Sessions
Severity	Moderate
Exploits Known	Yes
Reported On
Reported By
Posted On
Last Updated On	November 30, 2022
Advisory Contact	mbradeen AT sangoma DOT com
CVE Name	CVE-2022-37325

Description	A zero length Called or Calling Party Number can cause a buffer under-run and Asterisk crash.
Modules Affected	ooh323

Resolution

If currently not loading the ooh323 module, no action is required. For others, please make sure that the h323 listen port is not publicly open and apply the patch when possible.

Affected Versions
Product	Release Series
Asterisk Open Source	16.x	All Versions
Asterisk Open Source	18.x	All Versions
Asterisk Open Source	19.x	All Versions
Asterisk Open Source	20.x	All Versions
Certified Asterisk	18.9.x	All Versions

Corrected In
Product	Release
Asterisk Open Source	16.29.1, 18.15.1, 19.7.1, 20.0.1
Certified Asterisk	Certified-18.9-cert3

Patches
Patch URL	Revision
https://downloads.digium.com/pub/security/AST-2022-007-16-16.diff	Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-007-16-18.diff	Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-007-16-17.diff	Asterisk 19
https://downloads.digium.com/pub/security/AST-2022-007-16-18.diff	Asterisk 20
https://downloads.digium.com/pub/security/AST-2022-007-16-18.9.diff	Certified Asterisk 18.9

Links

https://issues.asterisk.org/jira/browse/ASTERISK-30103

https://downloads.asterisk.org/pub/security/AST-2022-007.html

Asterisk Project Security Advisories are posted at http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-007.pdf and https://downloads.digium.com/pub/security/AST-2022-007.html

Revision History
Date	Editor	Revisions Made