[asterisk-dev] AST-2022-006: pjproject: unconstrained malformed multipart SIP message

Asterisk Security Team security at asterisk.org
Fri Mar 4 14:16:57 CST 2022


               Asterisk Project Security Advisory - AST-2022-006

         Product        Asterisk                                              
         Summary        pjproject: unconstrained malformed multipart SIP      
                        message                                               
    Nature of Advisory  Out of bounds memory access                           
      Susceptibility    Remote unauthenticated sessions                       
         Severity       Minor                                                 
      Exploits Known    Yes                                                   
       Reported On      March 3, 2022                                         
       Reported By      Sauw Ming                                             
        Posted On       March 4, 2022                                         
     Last Updated On    March 3, 2022                                         
     Advisory Contact   kharwell AT sangoma DOT com                           
         CVE Name       CVE-2022-21723                                        

      Description     If an incoming SIP message contains a malformed         
                      multi-part body an out of bounds read access may        
                      occur, which can result in undefined behavior. Note,    
                      it’s currently uncertain if there is any externally     
                      exploitable vector within Asterisk for this issue, but  
                      providing this as a security issue out of caution.      
    Modules Affected  bundled pjproject                                       

    Resolution  If you use “with-pjproject-bundled” then upgrade to, or       
                install one of, the versions of Asterisk listed below.        
                Otherwise install the appropriate version of pjproject that   
                contains the patch.                                           

                               Affected Versions
                Product              Release Series  
         Asterisk Open Source             16.x       All versions             
         Asterisk Open Source             18.x       All versions             
         Asterisk Open Source             19.x       All versions             
          Certified Asterisk              16.x       All versions             

                                  Corrected In
                 Product                              Release                 
           Asterisk Open Source                16.24.1,18.10.1,19.2.1         
            Certified Asterisk                      16.8-cert13               

                                    Patches                         
                              Patch URL                             Revision  
   https://downloads.digium.com/pub/security/AST-2022-006-16.diff   Asterisk  
                                                                    16        
   https://downloads.digium.com/pub/security/AST-2022-006-18.diff   Asterisk  
                                                                    18        
   https://downloads.digium.com/pub/security/AST-2022-006-19.diff   Asterisk  
                                                                    19        
   https://downloads.digium.com/pub/security/AST-2022-006-16.8.diff Certified 
                                                                    Asterisk  
                                                                    16.8      

Links https://issues.asterisk.org/jira/browse/ASTERISK-29945                     
                                                                                 
      https://downloads.asterisk.org/pub/security/AST-2022-006.html              
                                                                                 
      https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm 

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2022-006.pdf and            
    https://downloads.digium.com/pub/security/AST-2022-006.html               

                                Revision History
          Date                  Editor                 Revisions Made         
    March 3, 2022      Kevin Harwell             Initial revision             

               Asterisk Project Security Advisory - AST-2022-006
               Copyright © 2022 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.



More information about the asterisk-dev mailing list