Coreyfarrell

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions prior to 13.18.1 Asterisk Open Source versions prior to 14.7.1 Asterisk Open Source versions prior to 15.1.1 Certified Asterisk versions prior to 13.13-cert7 **Description** A memory leak occurs when an Asterisk pjsip session object is created and the call gets rejected before the session is fully established, causing the session object to never be destroyed. This can lead to Asterisk running out of memory and crashing. **Recommendations** For Asterisk Open Source versions prior to 13.18.1, update to version 13.18.1 or later. For Asterisk Open Source versions prior to 14.7.1, update to version 14.7.1 or later. For Asterisk Open Source versions prior to 15.1.1, update to version 15.1.1 or later. For Certified Asterisk versions prior to 13.13-cert7, update to version 13.13-cert7 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk versions 11.x through 11.25.1 Asterisk versions 13.x through 13.17.0 Asterisk versions 14.x through 14.6.0 Certified Asterisk versions 11.x through 11.6-cert16 Certified Asterisk versions 13.x through 13.13-cert4 **Description** The issue is related to the app minivm module in Asterisk and Certified Asterisk, where the "externnotify" program configuration option is executed by the MinivmNotify dialplan application. This application uses the `caller-id name` and `caller-id number` as part of a built string passed to the OS shell for interpretation and execution. Since the `caller-id name` and `caller-id number` can come from an untrusted source, a crafted `caller-id name` or `caller-id number` allows an arbitrary shell command injection. This can be exploited by a remote attacker to execute arbitrary commands. **Recommendations** For Asterisk versions 11.x through 11.25.1, update to version 11.25.2 or later. For Asterisk versions 13.x through 13.17.0, update to version 13.17.1 or later. For Asterisk versions 14.x through 14.6.0, update to version 14.6.1 or later. For Certified Asterisk versions 11.x through 11.6-cert16, update to version 11.6-cert17 or later. For Certified Asterisk versions 13.x through 13.13-cert4, update to version 13.13-cert5 or later.

**Name of the Vulnerable Software and Affected Versions** Asterisk Open Source versions 1.8.x through 1.8.25, 11.8.x through 11.8.0, and 12.1.x through 12.1.0 Asterisk Open Source version 1.8.26.0 Certified Asterisk versions 1.8.15 through 1.8.15-cert4 Certified Asterisk versions 11.6 through 11.6-cert1 **Description** The issue allows remote authenticated users to cause a denial of service via an INVITE request with a `Session-Expires` or `Min-SE` header containing a malformed or invalid value. This can lead to channel and file descriptor consumption. **Recommendations** For Asterisk Open Source versions 1.8.x through 1.8.25, update to version 1.8.26.1 or later. For Asterisk Open Source versions 11.8.x through 11.8.0, update to version 11.8.1 or later. For Asterisk Open Source versions 12.1.x through 12.1.0, update to version 12.1.1 or later. For Certified Asterisk versions 1.8.15 through 1.8.15-cert4, update to version 1.8.15-cert5 or later. For Certified Asterisk versions 11.6 through 11.6-cert1, update to version 11.6-cert2 or later.