CVE-2021-32686: Denial of Service in PJSIP
First published: Fri Jul 23 2021(Updated: )
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and destroy, due to the accepted socket having no group lock. Second, the SSL socket parent/listener may get destroyed during handshake. Both issues were reported to happen intermittently in heavy load TLS connections. They cause a crash, resulting in a denial of service. These are fixed in version 2.11.1.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Teluu PJSIP | <2.11.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =11.0 | |
| debian/asterisk | <=1:16.2.1~dfsg-1+deb10u2 | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:20.5.2~dfsg+~cs6.13.40431414-1 |
| debian/ring | <=20190215.1.f152c98~ds1-1+deb10u1<=20190215.1.f152c98~ds1-1+deb10u2<=20210112.2.b757bac~ds1-1 | 20230206.0~ds2-1.1 20230922.0~ds2-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://downloads.asterisk.org/pub/security/AST-2021-009.html
- https://security-tracker.debian.org/tracker/CVE-2021-32558
- https://security-tracker.debian.org/tracker/CVE-2021-32686
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991931
- https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd
- https://github.com/pjsip/pjproject/pull/2716
- https://github.com/pjsip/pjproject/releases/tag/2.11.1
- https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr
- https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
- https://security.gentoo.org/glsa/202210-37
- https://www.debian.org/security/2021/dsa-4999
Frequently Asked Questions
What is CVE-2021-32686?
CVE-2021-32686 is a vulnerability found in the SSL socket of PJSIP before version 2.11.1.
How severe is CVE-2021-32686?
CVE-2021-32686 has a severity score of 5.9, which is considered medium.
How can I fix CVE-2021-32686?
To fix CVE-2021-32686, you should update PJSIP to version 2.11.1 or later.
Is the Debian Debian Linux 9.0 affected by CVE-2021-32686?
Yes, Debian Debian Linux 9.0 is affected by CVE-2021-32686.
Are there any references for CVE-2021-32686?
Yes, you can find more information about CVE-2021-32686 at the following references: [link 1](https://downloads.asterisk.org/pub/security/AST-2021-009.html), [link 2](https://github.com/pjsip/pjproject/security/advisories/GHSA-cv8x-p47p-99wr), [link 3](https://github.com/pjsip/pjproject/commit/d5f95aa066f878b0aef6a64e60b61e8626e664cd).
- collector/debian-bugs
- alias/CVE-2021-32686
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/teluu
- canonical/teluu pjsip
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/11.0
- package-manager/debian