CVE-2021-43845: Prevent out-of-bounds read in PJSIP
First published: Mon Dec 27 2021(Updated: )
PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if incoming RTCP XR message contain block, the data field is not checked against the received packet size, potentially resulting in an out-of-bound read access. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send a RTCP XR message with an invalid packet size.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Teluu PJSIP | <=2.11.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/asterisk | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:16.28.0~dfsg-0+deb11u4 1:20.6.0~dfsg+~cs6.13.40431414-2 | |
| debian/ring | <=20190215.1.f152c98~ds1-1+deb10u1<=20210112.2.b757bac~ds1-1 | 20190215.1.f152c98~ds1-1+deb10u2 20230206.0~ds2-1.1 20231201.0~ds1-1 |
| ubuntu/ring | <20180228.1.503 | 20180228.1.503 |
| ubuntu/ring | <20190215.1. | 20190215.1. |
| <=2.11.1 | ||
| =9.0 | ||
| =10.0 | ||
| =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pjsip/pjproject/commit/f74c1fc22b760d2a24369aa72c74c4a9ab985859
- https://github.com/pjsip/pjproject/pull/2924
- https://github.com/pjsip/pjproject/security/advisories/GHSA-r374-qrwv-86hh
- https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://security.gentoo.org/glsa/202210-37
- https://www.debian.org/security/2022/dsa-5285
- https://launchpad.net/bugs/cve/CVE-2021-43845
- https://security-tracker.debian.org/tracker/CVE-2021-43845
- https://ubuntu.com/security/notices/USN-6422-1
- https://www.cve.org/CVERecord?id=CVE-2021-43845
- https://nvd.nist.gov/vuln/detail/CVE-2021-43845
- https://ubuntu.com/security/CVE-2021-43845
Frequently Asked Questions
What is CVE-2021-43845?
CVE-2021-43845 is a vulnerability in the PJSIP multimedia communication library that allows for potential out-of-bound read access.
How does CVE-2021-43845 affect users?
CVE-2021-43845 affects all users that use PJMEDIA and have incoming RTCP XR messages with a block that is not checked against the received packet size.
What is the severity of CVE-2021-43845?
CVE-2021-43845 has a severity rating of 9.1 (critical).
How can I fix CVE-2021-43845?
To fix CVE-2021-43845, users should update to a version of PJSIP that includes the patch provided by the PJSIP project.
Where can I find more information about CVE-2021-43845?
More information about CVE-2021-43845 can be found in the references provided by the PJSIP project.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/author
- agent/description
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- collector/nvd-api
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- agent/trending
- vendor/teluu
- canonical/teluu pjsip
- version/teluu pjsip/2.11.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian
- package-manager/ubuntu