CVE-2022-26498
First published: Fri Apr 15 2022(Updated: )
An issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it is possible to download files that are not certificates. These files could be much larger than what one would expect to download, leading to Resource Exhaustion. This is fixed in 16.25.2, 18.11.2, and 19.3.2.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Digium Asterisk | >=16.15.0<=16.25.1 | |
| Digium Asterisk | >=18.0<18.11.2 | |
| Digium Asterisk | >=19.0.0<=19.3.1 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| debian/asterisk | <=1:16.2.1~dfsg-1+deb10u2 | 1:16.28.0~dfsg-0+deb10u4 1:16.28.0~dfsg-0+deb11u3 1:20.5.2~dfsg+~cs6.13.40431414-1 |
Remedy
http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/166744/Asterisk-Project-Security-Advisory-AST-2022-001.html
- http://packetstormsecurity.com/files/172139/Shannon-Baseband-chatroom-SDP-Attribute-Memory-Corruption.html
- https://downloads.asterisk.org/pub/security/
- https://downloads.asterisk.org/pub/security/AST-2022-001.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html
- https://www.debian.org/security/2022/dsa-5285
- https://issues.asterisk.org/jira/browse/ASTERISK-29872
- https://security-tracker.debian.org/tracker/CVE-2022-26498
Frequently Asked Questions
What is CVE-2022-26498?
CVE-2022-26498 is a vulnerability discovered in Asterisk through version 19.x that allows the download of files that are not certificates, leading to resource exhaustion.
How does CVE-2022-26498 affect Asterisk?
CVE-2022-26498 affects Asterisk through version 19.x when using STIR/SHAKEN.
What is the severity of CVE-2022-26498?
The severity of CVE-2022-26498 is not specified in the provided information.
How can I fix CVE-2022-26498?
You can fix CVE-2022-26498 by updating to Asterisk version 16.25.2, 18.11.2, or 19.3.2.
Where can I find more information about CVE-2022-26498?
You can find more information about CVE-2022-26498 on the Asterisk and Debian security trackers.
- collector/nvd-index
- collector/security-tracker-debian
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/digium
- canonical/digium asterisk
- version/digium asterisk/16.15.0
- version/digium asterisk/16.25.1
- version/digium asterisk/18.0
- version/digium asterisk/19.0.0
- version/digium asterisk/19.3.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/debian