CVE-2022-21722: Potential out-of-bound read during RTP/RTCP parsing in PJSIP
First published: Thu Jan 27 2022(Updated: )
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In version 2.11.1 and prior, there are various cases where it is possible that certain incoming RTP/RTCP packets can potentially cause out-of-bound read access. This issue affects all users that use PJMEDIA and accept incoming RTP/RTCP. A patch is available as a commit in the `master` branch. There are no known workarounds.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Teluu PJSIP | <=2.11.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| ubuntu/ring | <20190215.1. | 20190215.1. |
| debian/asterisk | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:16.28.0~dfsg-0+deb11u4 1:20.6.0~dfsg+~cs6.13.40431414-2 | |
| debian/ring | <=20190215.1.f152c98~ds1-1+deb10u1<=20210112.2.b757bac~ds1-1 | 20190215.1.f152c98~ds1-1+deb10u2 20230206.0~ds2-1.1 20231201.0~ds1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pjsip/pjproject/commit/22af44e68a0c7d190ac1e25075e1382f77e9397a
- https://github.com/pjsip/pjproject/security/advisories/GHSA-m66q-q64c-hv36
- https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://security.gentoo.org/glsa/202210-37
- https://www.debian.org/security/2022/dsa-5285
- https://launchpad.net/bugs/cve/CVE-2022-21722
- https://security-tracker.debian.org/tracker/CVE-2022-21722
- https://ubuntu.com/security/notices/USN-6422-1
- https://www.cve.org/CVERecord?id=CVE-2022-21722
- https://nvd.nist.gov/vuln/detail/CVE-2022-21722
- https://ubuntu.com/security/CVE-2022-21722
Frequently Asked Questions
What is CVE-2022-21722?
CVE-2022-21722 is a vulnerability in the PJSIP multimedia communication library that can allow certain incoming RTP/RTCP packets to cause issues.
What software versions are affected by CVE-2022-21722?
Versions up to and including 2.11.1 of Teluu Pjsip, Debian Linux 9.0 and 10.0, and certain versions of Ubuntu Ring and Debian Asterisk and Ring are affected.
How severe is CVE-2022-21722?
CVE-2022-21722 has a severity score of 9.1 (critical).
What is the fix for CVE-2022-21722?
To fix CVE-2022-21722, you should update to a patched version of the PJSIP library or apply the necessary security patches provided by your software vendor.
Where can I find more information about CVE-2022-21722?
You can find more information about CVE-2022-21722 on the following references: [link1], [link2], [link3].
- collector/nvd-api
- collector/nvd-index
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/author
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/title
- agent/event
- agent/tags
- agent/trending
- vendor/teluu
- canonical/teluu pjsip
- version/teluu pjsip/2.11.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- package-manager/debian
- package-manager/ubuntu