JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP

  • CVE-2021-43299 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_player_create()
  • CVE-2021-43300 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_recorder_create()
  • CVE-2021-43301 (CVSS score: 8.1) – Stack overflow in PJSUA API when calling pjsua_playlist_create()
  • CVE-2021-43302 (CVSS score: 5.9) – Read out-of-bounds in PJSUA API when calling pjsua_recorder_create()
  • CVE-2021-43303 (CVSS score: 5.9) – Buffer overflow in PJSUA API when calling pjsua_call_dump()

Is it fixed for FreePBX 15?
If not, any ETA?

There was discussion on this in an industry chat I am in, and the broad overview is Asterisk may not be affected. That said, it was admitted by participants of the conversation that all aspects haven’t been reviewed.

I would think maybe @jcolp may know if this affects the Asterisk implementation of PJSIP as much as or more than anyone.

Asterisk does not use pjsua; they are not applicable to Asterisk.

7 Likes
