{"id":21383,"date":"2022-03-07T19:49:04","date_gmt":"2022-03-07T16:49:04","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/166226\/AST-2022-005.txt"},"modified":"2022-03-08T09:07:51","modified_gmt":"2022-03-08T05:37:51","slug":"asterisk-project-security-advisory-ast-2022-005","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/asterisk-project-security-advisory-ast-2022-005\/","title":{"rendered":"Asterisk Project Security Advisory &#8211; AST-2022-005"},"content":{"rendered":"<p dir=\"ltr\">Asterisk Project Security Advisory &#8211; AST-2022-005<\/p>\n<p dir=\"ltr\">Product Asterisk<br \/>\nSummary pjproject: undefined behavior after freeing a dialog<br \/>\nset<br \/>\nNature of Advisory Denial of service<br \/>\nSusceptibility Remote unauthenticated sessions<br \/>\nSeverity Major<br \/>\nExploits Known Yes<br \/>\nReported On March 3, 2022<br \/>\nReported By Sauw Ming<br \/>\nPosted On March 4, 2022<br \/>\nLast Updated On March 3, 2022<br \/>\nAdvisory Contact kharwell AT sangoma DOT com<br \/>\nCVE Name CVE-2022-23608<\/p>\n<p dir=\"ltr\">Description When acting as a UAC, and when placing an outgoing<br \/>\ncall to a target that then forks Asterisk may<br \/>\nexperience undefined behavior (crashes, hangs, etc\u2026)<br \/>\nafter a dialog set is prematurely freed.<br \/>\nModules Affected bundled pjproject<\/p>\n<p dir=\"ltr\">Resolution If you use \u201cwith-pjproject-bundled\u201d then upgrade to, or<br \/>\ninstall one of, the versions of Asterisk listed below.<br \/>\nOtherwise install the appropriate version of pjproject that<br \/>\ncontains the patch.<\/p>\n<p dir=\"ltr\">Affected Versions<br \/>\nProduct Release Series<br \/>\nAsterisk Open Source 16.x All versions<br \/>\nAsterisk Open Source 18.x All versions<br \/>\nAsterisk Open Source 19.x All versions<br \/>\nCertified Asterisk 16.x All versions<\/p>\n<p dir=\"ltr\">Corrected In<br \/>\nProduct Release<br \/>\nAsterisk Open Source 16.24.1,18.10.1,19.2.1<br \/>\nCertified Asterisk 16.8-cert13<\/p>\n<p dir=\"ltr\">Patches<br \/>\nPatch URL Revision<br \/>\nhttps:\/\/downloads.digium.com\/pub\/security\/AST-2022-005-16.diff Asterisk<br \/>\n16<br \/>\nhttps:\/\/downloads.digium.com\/pub\/security\/AST-2022-005-18.diff Asterisk<br \/>\n18<br \/>\nhttps:\/\/downloads.digium.com\/pub\/security\/AST-2022-005-19.diff Asterisk<br \/>\n19<br \/>\nhttps:\/\/downloads.digium.com\/pub\/security\/AST-2022-005-16.8.diff Certified<br \/>\nAsterisk<br \/>\n16.8<\/p>\n<p dir=\"ltr\">Links https:\/\/issues.asterisk.org\/jira\/browse\/ASTERISK-29945<\/p>\n<p dir=\"ltr\">https:\/\/downloads.asterisk.org\/pub\/security\/AST-2022-005.html<\/p>\n<p dir=\"ltr\">https:\/\/github.com\/pjsip\/pjproject\/security\/advisories\/GHSA-ffff-m5fm-qm62<\/p>\n<p dir=\"ltr\">Asterisk Project Security Advisories are posted at<br \/>\nhttp:\/\/www.asterisk.org\/security<\/p>\n<p dir=\"ltr\">This document may be superseded by later versions; if so, the latest<br \/>\nversion will be posted at<br \/>\nhttps:\/\/downloads.digium.com\/pub\/security\/AST-2022-005.pdf and<br \/>\nhttps:\/\/downloads.digium.com\/pub\/security\/AST-2022-005.html<\/p>\n<p dir=\"ltr\">Revision History<br \/>\nDate Editor Revisions Made<br \/>\nMarch 3, 2022 Kevin Harwell Initial revision<\/p>\n<p dir=\"ltr\">Asterisk Project Security Advisory &#8211; AST-2022-005<br \/>\nCopyright \u00a9 2022 Digium, Inc. All Rights Reserved.<br \/>\nPermission is hereby granted to distribute and publish this advisory in its<br \/>\noriginal, unaltered form.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Asterisk Project Security Advisory &#8211; AST-2022-005 Product Asterisk Summary pjproject: undefined behavior after freeing a dialog set Nature of Advisory Denial of service Susceptibility Remote unauthenticated sessions Severity Major Exploits Known Yes Reported On March 3, 2022 Reported By Sauw Ming Posted On March 4, 2022 Last Updated On March 3, 2022 Advisory Contact kharwell &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21383","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21383"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21383\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}