Asterisk Project Security Advisory – AST-2022-008

Product

Asterisk

Summary

Use after free in res_pjsip_pubsub.c

Nature of Advisory

Denial of Service

Susceptibility

Remote Authenticated Sessions

Severity

Minor

Exploits Known

No

Reported On

September 23, 2022

Reported By

Nappsoft

Posted On


Last Updated On

November 29, 2022

Advisory Contact

gjoseph AT sangoma DOT com

CVE Name

CVE-2022-42705



Description

A use-after-free in res_pjsip_pubsub.c may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing activity on a subscription over a reliable transport at the same time Asterisk is also performing activity on that subscription.

Modules Affected

res_pjsip_pubsub.c, res_pjsip_outbound_registration.c, pjsip_transport_events.c


Resolution

Modules have been updated to ensure concurrent activity is properly serialized to prevent the use-after-free.


Affected Versions

Product                  Release Series   Versions

Asterisk Open Source     16.x             All Versions
Asterisk Open Source     18.x             All Versions
Asterisk Open Source     19.x             All Versions
Asterisk Open Source     20.x             All Versions
Certified Asterisk       18.9             All Versions


Corrected In

Product                  Release

Asterisk Open Source     16.29.1
Asterisk Open Source     18.15.1
Asterisk Open Source     19.7.1
Asterisk Open Source     20.0.1
Certified Asterisk       18.9-cert3
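
As an added check, not part of this advisory and not Asterisk project code, the following Python script decides from an `asterisk -V` banner whether a running instance falls inside the affected series above and below the corrected release. It assumes the banner formats `Asterisk 18.15.0` for open-source releases and `Asterisk certified/18.9-cert2` for Certified Asterisk (both assumed formats), and it reports release series this advisory does not list (for example 17.x) as "not covered" rather than as fixed, since the advisory says nothing about them.

```python
"""Check an `asterisk -V` banner against the AST-2022-008 corrected-in table.

Added example; not part of the advisory and not Asterisk project code.
"""
import re

# Fixed releases from the advisory's "Corrected In" table, keyed by series.
FIXED_OPEN_SOURCE = {
    16: (16, 29, 1),
    18: (18, 15, 1),
    19: (19, 7, 1),
    20: (20, 0, 1),
}
# Certified Asterisk 18.9 is fixed from cert3 onward.
FIXED_CERTIFIED = {"18.9": 3}


def parse_version(banner):
    """Parse a version banner into a structured tuple.

    Assumed banner formats (not taken from the advisory):
      'Asterisk 18.15.0'               -> ('open', (18, 15, 0))
      'Asterisk certified/18.9-cert2'  -> ('certified', '18.9', 2)
    """
    m = re.search(r"certified/(\d+\.\d+)-cert(\d+)", banner)
    if m:
        return ("certified", m.group(1), int(m.group(2)))
    m = re.search(r"Asterisk\s+(\d+)\.(\d+)\.(\d+)", banner)
    if m:
        return ("open", tuple(int(x) for x in m.groups()))
    raise ValueError(f"unrecognised version banner: {banner!r}")


def assess(banner):
    """Return 'vulnerable', 'fixed' or 'not covered' for a banner.

    'not covered' means the series is not listed in this advisory at all;
    it is not a statement that the release is safe.
    """
    parsed = parse_version(banner)
    if parsed[0] == "certified":
        _, series, cert = parsed
        fixed_cert = FIXED_CERTIFIED.get(series)
        if fixed_cert is None:
            return "not covered"
        return "vulnerable" if cert < fixed_cert else "fixed"
    _, version = parsed
    fixed = FIXED_OPEN_SOURCE.get(version[0])
    if fixed is None:
        return "not covered"
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return "vulnerable" if version < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample banners; on a live host use the output of: asterisk -V
    for banner in ("Asterisk 18.15.0", "Asterisk 18.15.1",
                   "Asterisk 20.0.0", "Asterisk certified/18.9-cert2",
                   "Asterisk certified/18.9-cert3", "Asterisk 17.9.4"):
        print(f"{banner:35} {assess(banner)}")
```

The same parser also accepts the longer banner printed by `asterisk -rx "core show version"` (assumed to begin with `Asterisk <version>`), since the regular expressions only anchor on the version token. A "fixed" verdict means the release is at or above the corrected-in version; it does not account for vendor backports that keep an older version string, so distribution packages still need to be checked against their own changelogs.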


Patches

Patch URL                                                          Revision

https://downloads.digium.com/pub/security/AST-2022-008-16.diff     Asterisk 16
https://downloads.digium.com/pub/security/AST-2022-008-18.diff     Asterisk 18
https://downloads.digium.com/pub/security/AST-2022-008-19.diff     Asterisk 19
https://downloads.digium.com/pub/security/AST-2022-008-20.diff     Asterisk 20
https://downloads.digium.com/pub/security/AST-2022-008-18.9.diff   Certified Asterisk 18.9



Links

https://issues.asterisk.org/jira/browse/ASTERISK-30244

https://downloads.asterisk.org/pub/security/AST-2022-008.html


Asterisk Project Security Advisories are posted at https://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-008.pdf and https://downloads.digium.com/pub/security/AST-2022-008.html


Revision History

Date                 Editor           Revisions Made

November 29, 2022    George Joseph    Initial Revision


Copyright © 2022 Sangoma Technologies, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.