First published: Thu Feb 22 2018
An issue was discovered in res_http_websocket.c in Asterisk 15.x through 15.2.1. If the HTTP server is enabled (default is disabled), WebSocket payloads of size 0 are mishandled (with a busy loop).
Credit: cve@mitre.org
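The advisory only names the symptom (a busy loop on a WebSocket payload of length 0), so the following is an added, constructed illustration of that class of defect, not code from Asterisk's res_http_websocket.c: a small RFC 6455 frame-header parser that accepts a zero-length payload as a complete frame, a payload-reading loop written in the pattern that spins when asked for zero bytes, and the corrected loop beside it. The `fake_sock` type, `fake_recv()` and every frame byte string are constructed stand-ins for a real socket and real traffic.

```c
/*
 * Constructed illustration of the CVE-2018-7287 failure mode; not Asterisk code.
 * RFC 6455 frame-header parsing plus a payload read loop that spins on a
 * zero-length payload, and the fixed loop that returns at once.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum ws_status { WS_FRAME_COMPLETE = 0, WS_NEED_MORE = 1, WS_PROTOCOL_ERROR = -1 };

struct ws_frame {
    int fin, opcode, masked;
    uint8_t mask[4];
    uint64_t payload_len;   /* legitimately 0 for an empty text frame or a ping */
    size_t header_len;      /* header bytes consumed, masking key included */
};

/* Parse the frame header in buf[0..len); payload bytes are read separately. */
enum ws_status ws_parse_header(const uint8_t *buf, size_t len, struct ws_frame *f)
{
    if (len < 2) return WS_NEED_MORE;
    f->fin = (buf[0] & 0x80) != 0;
    f->opcode = buf[0] & 0x0F;
    f->masked = (buf[1] & 0x80) != 0;
    uint64_t plen = buf[1] & 0x7F;
    size_t pos = 2;
    if (plen == 126) {                          /* 16-bit extended length */
        if (len < pos + 2) return WS_NEED_MORE;
        plen = ((uint64_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
    } else if (plen == 127) {                   /* 64-bit extended length */
        if (len < pos + 8) return WS_NEED_MORE;
        plen = 0;
        for (int i = 0; i < 8; i++) plen = (plen << 8) | buf[pos + i];
        pos += 8;
        if (plen >> 63) return WS_PROTOCOL_ERROR;  /* RFC 6455 5.2: top bit must be 0 */
    }
    if (f->masked) {
        if (len < pos + 4) return WS_NEED_MORE;
        memcpy(f->mask, buf + pos, 4);
        pos += 4;
    }
    f->payload_len = plen;
    f->header_len = pos;
    return WS_FRAME_COMPLETE;
}

/* Constructed in-memory stand-in for a socket; behaves like recv() on `avail` bytes. */
struct fake_sock { const uint8_t *data; size_t avail; size_t off; };

static long fake_recv(struct fake_sock *s, uint8_t *dst, size_t want)
{
    size_t n = s->avail - s->off;
    if (n > want) n = want;
    if (n) memcpy(dst, s->data + s->off, n);
    s->off += n;
    return (long)n;         /* a zero-byte request returns 0, as recv() does */
}

/* Flawed pattern: completion is checked only after a positive read and a zero
 * return means "retry". With plen == 0 every call returns 0, so the loop never
 * exits; max_spins bounds it here so the demo can report -1 instead of hanging. */
long read_payload_spinning(struct fake_sock *s, uint8_t *dst, uint64_t plen, int max_spins)
{
    uint64_t got = 0;
    int spins = 0;
    for (;;) {
        long n = fake_recv(s, dst + got, (size_t)(plen - got));
        if (n <= 0) {
            if (++spins > max_spins) return -1;     /* would spin forever */
            continue;
        }
        got += (uint64_t)n;
        if (got == plen) return (long)got;
    }
}

/* Fix: test the condition before reading, so a zero-length payload is complete
 * immediately, and treat a zero return as the peer closing, not as "retry". */
long read_payload_fixed(struct fake_sock *s, uint8_t *dst, uint64_t plen)
{
    uint64_t got = 0;
    while (got < plen) {
        long n = fake_recv(s, dst + got, (size_t)(plen - got));
        if (n <= 0) return -1;                      /* closed or error: never spin */
        got += (uint64_t)n;
    }
    return (long)got;
}

/* Self-check over constructed frames; returns 1 when every expectation holds. */
int ws_selftest(void)
{
    static const uint8_t empty_masked[] = { 0x81, 0x80, 0x11, 0x22, 0x33, 0x44 };  /* text, len 0 */
    static const uint8_t hello[] = { 0x82, 0x05, 'h', 'e', 'l', 'l', 'o' };        /* binary, len 5 */
    static const uint8_t ext16[] = { 0x81, 0x7E, 0x01, 0x00 };                     /* len 256 */
    static const uint8_t bad64[] = { 0x82, 0x7F, 0x80, 0, 0, 0, 0, 0, 0, 0 };     /* top bit set */
    struct ws_frame f;
    uint8_t buf[16];
    if (ws_parse_header(empty_masked, sizeof empty_masked, &f) != WS_FRAME_COMPLETE) return 0;
    if (f.payload_len != 0 || f.header_len != 6 || !f.masked || f.opcode != 1) return 0;
    if (ws_parse_header(hello, sizeof hello, &f) != WS_FRAME_COMPLETE || f.payload_len != 5 || f.header_len != 2) return 0;
    if (ws_parse_header(ext16, sizeof ext16, &f) != WS_FRAME_COMPLETE || f.payload_len != 256 || f.header_len != 4) return 0;
    if (ws_parse_header(hello, 1, &f) != WS_NEED_MORE) return 0;
    if (ws_parse_header(bad64, sizeof bad64, &f) != WS_PROTOCOL_ERROR) return 0;
    struct fake_sock s0 = { empty_masked + 6, 0, 0 };               /* nothing after the header */
    if (read_payload_spinning(&s0, buf, 0, 1000) != -1) return 0;   /* flawed loop spins */
    if (read_payload_fixed(&s0, buf, 0) != 0) return 0;             /* fixed loop returns at once */
    struct fake_sock s5 = { hello + 2, 5, 0 };
    if (read_payload_fixed(&s5, buf, 5) != 5 || memcmp(buf, "hello", 5) != 0) return 0;
    return 1;
}
```

The parser side is deliberately unremarkable: a zero-length payload is a valid frame (RFC 6455 allows it for text, binary and control frames), so nothing in the header path needs special-casing. The point sits in the read loop, where the difference between "check the remaining count first" and "check it after a successful read" decides whether a zero-byte frame completes or pins a thread at 100% CPU.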
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/asterisk | 1:16.2.1~dfsg-1+deb10u2, 1:16.28.0~dfsg-0+deb10u3, 1:16.28.0~dfsg-0+deb11u3, 1:20.4.0~dfsg+~cs6.13.40431414-2 | |
| Digium Asterisk | =15.0.0-beta1 | |
| Digium Asterisk | =15.0.0-rc1 | |
| Digium Asterisk | =15.1.0 | |
| Digium Asterisk | =15.1.0-rc1 | |
| Digium Asterisk | =15.1.0-rc2 | |
| Digium Asterisk | =15.1.1 | |
| Digium Asterisk | =15.1.2 | |
| Digium Asterisk | =15.1.3 | |
| Digium Asterisk | =15.1.4 | |
| Digium Asterisk | =15.1.5 | |
| Digium Asterisk | =15.2.0 | |
| Digium Asterisk | =15.2.0-rc1 | |
| Digium Asterisk | =15.2.0-rc2 | |
| Digium Asterisk | =15.2.1 | |
CVE-2018-7287 is a vulnerability in Asterisk 15.x through 15.2.1 in which WebSocket payloads of size 0 are mishandled, resulting in a busy loop.
CVE-2018-7287 has a severity rating of 5.9, which is considered medium.
Asterisk versions 15.x through 15.2.1 are affected by CVE-2018-7287.
To fix CVE-2018-7287, upgrade to Asterisk version 1:16.2.1 or later.
You can find more information about CVE-2018-7287 at the following references: [AST-2018-006](http://downloads.digium.com/pub/security/AST-2018-006.html), [SecurityFocus BID 103120](http://www.securityfocus.com/bid/103120), [SecurityTracker ID 1040419](http://www.securitytracker.com/id/1040419).