CVE-2017-16672
Published 2017-11-09
Priority: P430 · medium · CVSS 3.0 score 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 4.68% (90.6th percentile)
An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. A memory leak occurs when an Asterisk pjsip session object is created and that call gets rejected before the session itself is fully established. When this happens the session object never gets destroyed. Eventually Asterisk can run out of memory and crash.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | asterisk | < asterisk 1:13.18.1~dfsg-1 (bullseye) | asterisk 1:13.18.1~dfsg-1 (bullseye) |
| digium | asterisk | >= 0 < 1:13.18.1~dfsg-1 | 1:13.18.1~dfsg-1 |
| digium | asterisk | >= 13.0.0 < 13.18.1 | 13.18.1 |
| digium | asterisk | >= 14.0.0 < 14.7.1 | 14.7.1 |
| digium | asterisk | >= 15.0.0 < 15.1.1 | 15.1.1 |
| digium | certified_asterisk | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
GHSA
GHSA-6j42-f94q-5pq7 · ghsa_unreviewed · 2022-05-13 · MEDIUM · CWE-772
OSV
CVE-2017-16672 · osv · 2017-11-09 · CVSS 5.9 · MEDIUM
Debian
asterisk · vendor_debian · 2017 · CVSS 5.9 · MEDIUM
Scope: local
bullseye: resolved (fixed in 1:13.18.1~dfsg-1)
sid: resolved (fixed in 1:13.18.1~dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-16671 CVE-2017-16672 asterisk: Multiple vulnerabilities · bugzilla · 2017-11-09 · CVSS 8.8 (HIGH, rated for CVE-2017-16671)
Asterisk Project Security Advisory - AST-2017-009
Buffer overflow in pjproject header parsing can cause crash in Asterisk
By carefully crafting invalid values in the Cseq and the Via header port, pjproject’s packet parsing code can create strings larger than the buffer allocated to hold them. This will usually cause Asterisk to crash immediately. The packets do not have to be authenticated.
http://downloads.asterisk.org/pub/security/AST-2017-009.html
Asterisk Project Security Advisory - AST-2017-010 - CVE-2017-16671
Buffer overflow in CDR's set user
No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of th
Bugzilla
CVE-2017-16671 CVE-2017-16672 asterisk: Multiple vulnerabilities [fedora-all] · bugzilla · 2017-11-09 · CVSS 8.8 (HIGH, rated for CVE-2017-16671)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2017-16671 CVE-2017-16672 asterisk: Multiple vulnerabilities [epel-6] · bugzilla · 2017-11-09 · CVSS 8.8 (HIGH, rated for CVE-2017-16671)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-6.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg u
References
http://downloads.digium.com/pub/security/AST-2017-011.html
http://www.securityfocus.com/bid/101765
https://issues.asterisk.org/jira/browse/ASTERISK-27345
https://security.gentoo.org/glsa/201811-11
https://www.debian.org/security/2017/dsa-4076