Asterisk Security Team
2022-Mar-04 20:16 UTC
[asterisk-users] AST-2022-006: pjproject: unconstrained malformed multipart SIP message
Asterisk Project Security Advisory - AST-2022-006 Product Asterisk Summary pjproject: unconstrained malformed multipart SIP message Nature of Advisory Out of bounds memory access Susceptibility Remote unauthenticated sessions Severity Minor Exploits Known Yes Reported On March 3, 2022 Reported By Sauw Ming Posted On March 4, 2022 Last Updated On March 3, 2022 Advisory Contact kharwell AT sangoma DOT com CVE Name CVE-2022-21723 Description If an incoming SIP message contains a malformed multi-part body an out of bounds read access may occur, which can result in undefined behavior. Note, it’s currently uncertain if there is any externally exploitable vector within Asterisk for this issue, but providing this as a security issue out of caution. Modules Affected bundled pjproject Resolution If you use “with-pjproject-bundled” then upgrade to, or install one of, the versions of Asterisk listed below. Otherwise install the appropriate version of pjproject that contains the patch. Affected Versions Product Release Series Asterisk Open Source 16.x All versions Asterisk Open Source 18.x All versions Asterisk Open Source 19.x All versions Certified Asterisk 16.x All versions Corrected In Product Release Asterisk Open Source 16.24.1,18.10.1,19.2.1 Certified Asterisk 16.8-cert13 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2022-006-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2022-006-18.diff Asterisk 18 https://downloads.digium.com/pub/security/AST-2022-006-19.diff Asterisk 19 https://downloads.digium.com/pub/security/AST-2022-006-16.8.diff Certified Asterisk 16.8 Links https://issues.asterisk.org/jira/browse/ASTERISK-29945 https://downloads.asterisk.org/pub/security/AST-2022-006.html https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2022-006.pdf and https://downloads.digium.com/pub/security/AST-2022-006.html Revision History Date Editor Revisions Made March 3, 2022 Kevin Harwell Initial revision Asterisk Project Security Advisory - AST-2022-006 Copyright © 2022 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.