CVE-2022-23608: Use after free in PJSIP
First published: Tue Feb 22 2022(Updated: )
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1 when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed . The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys) leading to undefined behavior such as dialog list collision which eventually leading to endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Teluu PJSIP | <=2.11.1 | |
| Asterisk Certified Asterisk | <16.8.0 | |
| Asterisk Certified Asterisk | =16.8.0-cert1 | |
| Asterisk Certified Asterisk | =16.8.0-cert10 | |
| Asterisk Certified Asterisk | =16.8.0-cert11 | |
| Asterisk Certified Asterisk | =16.8.0-cert12 | |
| Asterisk Certified Asterisk | =16.8.0-cert2 | |
| Asterisk Certified Asterisk | =16.8.0-cert3 | |
| Asterisk Certified Asterisk | =16.8.0-cert4 | |
| Asterisk Certified Asterisk | =16.8.0-cert5 | |
| Asterisk Certified Asterisk | =16.8.0-cert6 | |
| Asterisk Certified Asterisk | =16.8.0-cert7 | |
| Asterisk Certified Asterisk | =16.8.0-cert8 | |
| Asterisk Certified Asterisk | =16.8.0-cert9 | |
| Sangoma Asterisk | >=16.0.0<16.24.1 | |
| Sangoma Asterisk | >=18.0.0<18.10.1 | |
| Sangoma Asterisk | >=19.0.0<19.2.1 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| ubuntu/ring | <20180228.1.503 | 20180228.1.503 |
| ubuntu/ring | <20190215.1. | 20190215.1. |
| debian/asterisk | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:16.28.0~dfsg-0+deb11u4 1:20.6.0~dfsg+~cs6.13.40431414-2 | |
| debian/ring | <=20190215.1.f152c98~ds1-1+deb10u1<=20210112.2.b757bac~ds1-1 | 20190215.1.f152c98~ds1-1+deb10u2 20230206.0~ds2-1.1 20231201.0~ds1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/166226/Asterisk-Project-Security-Advisory-AST-2022-005.html
- http://seclists.org/fulldisclosure/2022/Mar/1
- https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
- https://github.com/pjsip/pjproject/security/advisories/GHSA-ffff-m5fm-qm62
- https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html
- https://lists.debian.org/debian-lts-announce/2022/03/msg00040.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html
- https://security.gentoo.org/glsa/202210-37
- https://www.debian.org/security/2022/dsa-5285
- https://launchpad.net/bugs/cve/CVE-2022-23608
- https://issues.asterisk.org/jira/browse/ASTERISK-29945
- https://downloads.asterisk.org/pub/security/AST-2022-005.html
- https://security-tracker.debian.org/tracker/CVE-2022-23608
- https://ubuntu.com/security/notices/USN-6422-1
- https://www.cve.org/CVERecord?id=CVE-2022-23608
- https://nvd.nist.gov/vuln/detail/CVE-2022-23608
- https://ubuntu.com/security/CVE-2022-23608
Frequently Asked Questions
What is CVE-2022-23608?
CVE-2022-23608 is a vulnerability in the PJSIP multimedia communication library that allows an attacker to gain unauthorized access and potentially execute arbitrary code on affected systems.
Which software versions are affected by CVE-2022-23608?
Versions up to and including 2.11.1 of Teluu Pjsip, Asterisk Certified Asterisk 16.8.0, Sangoma Asterisk 16.0.0 to 16.24.1, Sangoma Asterisk 18.0.0 to 18.10.1, Sangoma Asterisk 19.0.0 to 19.2.1, and Debian Debian Linux 9.0 and 10.0 are affected by CVE-2022-23608.
What is the severity of CVE-2022-23608?
CVE-2022-23608 has a severity rating of 9.8 (Critical).
How does CVE-2022-23608 work?
CVE-2022-23608 allows an attacker to exploit a shared hash key used by multiple UAC dialogs in a dialog set or forking scenario, leading to unauthorized access and potential execution of arbitrary code.
How can I fix CVE-2022-23608?
To fix CVE-2022-23608, update to a fixed version of the affected software as recommended by the vendor or project maintainers.
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/author
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/tags
- agent/event
- vendor/teluu
- canonical/teluu pjsip
- version/teluu pjsip/2.11.1
- vendor/asterisk
- canonical/asterisk certified asterisk
- version/asterisk certified asterisk/16.8.0-cert1
- version/asterisk certified asterisk/16.8.0-cert10
- version/asterisk certified asterisk/16.8.0-cert11
- version/asterisk certified asterisk/16.8.0-cert12
- version/asterisk certified asterisk/16.8.0-cert2
- version/asterisk certified asterisk/16.8.0-cert3
- version/asterisk certified asterisk/16.8.0-cert4
- version/asterisk certified asterisk/16.8.0-cert5
- version/asterisk certified asterisk/16.8.0-cert6
- version/asterisk certified asterisk/16.8.0-cert7
- version/asterisk certified asterisk/16.8.0-cert8
- version/asterisk certified asterisk/16.8.0-cert9
- vendor/sangoma
- canonical/sangoma asterisk
- version/sangoma asterisk/16.0.0
- version/sangoma asterisk/18.0.0
- version/sangoma asterisk/19.0.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- package-manager/debian
- package-manager/ubuntu