CVE-2017-16672
First published: Thu Nov 09 2017(Updated: )
An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Eventually Asterisk can run out of memory and crash.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Digium Asterisk | >=13.0.0<13.18.1 | |
| Digium Asterisk | >=14.0.0<14.7.1 | |
| Digium Asterisk | >=15.0.0<15.1.1 | |
| Digium Certified Asterisk | =13.13.0 | |
| Digium Certified Asterisk | =13.13.0-cert1 | |
| Digium Certified Asterisk | =13.13.0-cert1_rc1 | |
| Digium Certified Asterisk | =13.13.0-cert1_rc2 | |
| Digium Certified Asterisk | =13.13.0-cert1_rc3 | |
| Digium Certified Asterisk | =13.13.0-cert1_rc4 | |
| Digium Certified Asterisk | =13.13.0-cert2 | |
| Digium Certified Asterisk | =13.13.0-cert3 | |
| Digium Certified Asterisk | =13.13.0-cert4 | |
| Digium Certified Asterisk | =13.13.0-cert5 | |
| Digium Certified Asterisk | =13.13.0-cert6 | |
| debian/asterisk | 1:16.2.1~dfsg-1+deb10u2 1:16.28.0~dfsg-0+deb10u3 1:16.28.0~dfsg-0+deb11u3 1:20.4.0~dfsg+~cs6.13.40431414-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://downloads.digium.com/pub/security/AST-2017-011.html
- http://www.securityfocus.com/bid/101765
- https://issues.asterisk.org/jira/browse/ASTERISK-27345
- https://security.gentoo.org/glsa/201811-11
- https://www.debian.org/security/2017/dsa-4076
- http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff
- https://security-tracker.debian.org/tracker/CVE-2017-16672
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2017-16672.
What is the severity of CVE-2017-16672?
The severity of CVE-2017-16672 is medium (5.9).
What is the affected software version range of CVE-2017-16672?
The affected software version range of CVE-2017-16672 is from 13.0.0 to 13.18.1 for Asterisk Open Source 13, from 14.0.0 to 14.7.1 for Asterisk Open Source 14, and from 15.0.0 to 15.1.1 for Asterisk Open Source 15.
What is the remedy for CVE-2017-16672?
The remedy for CVE-2017-16672 is to upgrade to the following versions: Asterisk Open Source 13.18.1, 14.7.1, or 15.1.1, or Certified Asterisk 13.13-cert7.
Is there any additional information available for CVE-2017-16672?
Yes, you can find additional information for CVE-2017-16672 at the following references: [AST-2017-011](http://downloads.digium.com/pub/security/AST-2017-011.html), [AST-2017-011-13.diff](http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff), [ASTERISK-27345](https://issues.asterisk.org/jira/browse/ASTERISK-27345).
- collector/nvd-index
- collector/security-tracker-debian
- agent/references
- agent/weakness
- agent/tags
- agent/event
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- vendor/digium
- canonical/digium asterisk
- version/digium asterisk/13.0.0
- version/digium asterisk/14.0.0
- version/digium asterisk/15.0.0
- canonical/digium certified asterisk
- version/digium certified asterisk/13.13.0
- version/digium certified asterisk/13.13.0-cert1
- version/digium certified asterisk/13.13.0-cert1_rc1
- version/digium certified asterisk/13.13.0-cert1_rc2
- version/digium certified asterisk/13.13.0-cert1_rc3
- version/digium certified asterisk/13.13.0-cert1_rc4
- version/digium certified asterisk/13.13.0-cert2
- version/digium certified asterisk/13.13.0-cert3
- version/digium certified asterisk/13.13.0-cert4
- version/digium certified asterisk/13.13.0-cert5
- version/digium certified asterisk/13.13.0-cert6
- package-manager/debian