CVE-2012-3863

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 1.8.x through 1.8.13.0 Asterisk Open Source version 10.x through 10.5.1 Asterisk Business Edition C.3.x through C.3.7.4 Certified Asterisk versions 1.8.11-certx through 1.8.11-cert3 Asterisk Digiumphones versions 10.x.x-digiumphones through 10.5.2-digiumphones

Description The issue arises from improper handling of a provisional response to a SIP reINVITE request, allowing remote authenticated users to cause a denial of service, specifically RTP port exhaustion, via sessions lacking final responses.

Recommendations For Asterisk Open Source versions 1.8.x through 1.8.13.0, update to version 1.8.13.1 or later. For Asterisk Open Source version 10.x through 10.5.1, update to version 10.5.2 or later. For Asterisk Business Edition C.3.x through C.3.7.4, update to version C.3.7.5 or later. For Certified Asterisk versions 1.8.11-certx through 1.8.11-cert3, update to version 1.8.11-cert4 or later. For Asterisk Digiumphones versions 10.x.x-digiumphones through 10.5.2-digiumphones, update to a version later than 10.5.2-digiumphones.