[asterisk-dev] AST-2022-003: func_odbc: Possible SQL Injection

Asterisk Security Team security at asterisk.org
Thu Apr 14 17:57:44 CDT 2022

               Asterisk Project Security Advisory - AST-2022-003

          Product         Asterisk                                            
          Summary         func_odbc: Possible SQL Injection                   
     Nature of Advisory   SQL injection                                       
       Susceptibility     Remote unauthenticated sessions                     
          Severity        Low                                                 
       Exploits Known     No                                                  
        Reported On       January 5, 2022                                     
        Reported By       Leandro Dardini                                     
         Posted On        April 14, 2022                                      
      Last Updated On     April 12, 2022                                      
      Advisory Contact    Jcolp AT sangoma DOT com                            
          CVE Name        CVE-2022-26651                                      

      Description     Some databases can use backslashes to escape certain    
                      characters, such as backticks. If input is provided to  
                      func_odbc which includes backslashes it is possible     
                      for func_odbc to construct a broken SQL query and the   
                      SQL query to fail.                                      
                      Additionally while it has not yet been reproduced this  
                      security advisory is also being published to cover the  
                      case of SQL injection with the aim of database          
                      manipulation by an outside party.                       
    Modules Affected  func_odbc                                               

    Resolution  A new dialplan function, SQL_ESC_BACKSLASHES, has been added  
                to the func_odbc module which will escape backslashes. If     
                your usage of func_odbc may have input which includes         
                backslashes and your database uses backslashes to escape      
                backticks then use the dialplan function to escape the        
                A second option is to disable support for backslashes for     
                escaping in your database if the underlying database          
                supports it.                                                  

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             16.x       All versions             
         Asterisk Open Source             18.x       All versions             
         Asterisk Open Source             19.x       All versions             
          Certified Asterisk              16.x       All versions             

                                  Corrected In
                 Product                              Release                 
          Asterisk Open Source               16.25.2, 18.11.2, 19.3.2         
           Certified Asterisk                       16.8-cert14               

                              Patch URL                             Revision  
   https://downloads.digium.com/pub/security/AST-2022-003-16.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2022-003-18.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2022-003-19.diff   Asterisk  
   https://downloads.digium.com/pub/security/AST-2022-003-16.8.diff Certified 

     Links   https://issues.asterisk.org/jira/browse/ASTERISK-29838           

    Asterisk Project Security Advisories are posted at                        
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2022-003.pdf and            

                                Revision History
          Date                 Editor                  Revisions Made         
    February 15, 2022  Joshua Colp              Initial revision              

               Asterisk Project Security Advisory - AST-2022-003
               Copyright © 2022 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

More information about the asterisk-dev mailing list