Asterisk update for PJSIP vulnerabilities in < 2.12?

Checking here on whether Asterisk will have an update soon with a patched bundled PjProject? PJSIP has vulnerabilities as of March 1st: https://jfrog.com/blog/jfrog-discloses-5-memory-corruption-vulnerabilities-in-pjsip-a-popular-multimedia-library/

From the post:

Any projects that use the PJSIP library before version 2.12 and pass attacker-controlled arguments to any of the following APIs are vulnerable:

pjsua_player_create – filename argument must be attacker-controlled
pjsua_recorder_create – filename argument must be attacker-controlled
pjsua_playlist_create – file_names argument must be (partially) attacker-controlled
pjsua_call_dump – buffer argument capacity must be smaller than 128 bytes

The disclosed PJSIP security vulnerabilities
CVE ID Description Impact JFrog CVSS
CVE-2021-43299 Stack overflow in PJSUA API when calling pjsua_player_create Code Execution 8.1
CVE-2021-43300 Stack overflow in PJSUA API when calling pjsua_recorder_create Code Execution 8.1
CVE-2021-43301 Stack overflow in PJSUA API when calling pjsua_playlist_create Code Execution 8.1
CVE-2021-43302 Read out-of-bounds in PJSUA API when calling pjsua_recorder_create Denial of Service 5.9
CVE-2021-43303 Buffer overflow in PJSUA API when calling pjsua_call_dump Denial of Service 5.9

Since I use chan_sip still, I have tried removing the asterisk-pjsip package, and doing a “noload” of “res_pjproject.so” but it seems res_rtp is dependent on it (Asterisk 16). So it seems I have to either rebuild asterisk from scratch with updated pjsip/pjproject libraries, or wait for Asterisk to do an official security release for this.

The given CVEs are not applicable to Asterisk, we don’t use pjsua. There are other security issues besides those which we are working through presently.

Unless you’re using ICE with your chan_sip, then none of them would affect you. Even if you were using ICE then someone would need to establish a call with you using ICE and be a malicious actor.

look like it is being worked on :slight_smile:

Qualify pjproject 2.12 for Asterisk

Good info - thanks for the replies!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.