PT-2014-4605 · Digium · Certified Asterisk+1
Lucas Molas
·
Published
2014-04-15
·
Updated
2014-04-21
·
CVE-2014-2286
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Asterisk Open Source versions 1.8.x through 1.8.25, 11.8.x through 11.8.0, and 12.1.x through 12.1.0
Asterisk Open Source version 1.8.26.1 is not affected, but versions prior to it are
Certified Asterisk versions 1.8.x through 1.8.15-cert4 and 11.6 through 11.6-cert1
Description
The issue allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP request with a large number of Cookie headers.
Recommendations
For Asterisk Open Source versions 1.8.x through 1.8.25, update to version 1.8.26.1 or later.
For Asterisk Open Source versions 11.8.x through 11.8.0, update to version 11.8.1 or later.
For Asterisk Open Source versions 12.1.x through 12.1.0, update to version 12.1.1 or later.
For Certified Asterisk versions 1.8.x through 1.8.15-cert4, update to version 1.8.15-cert5 or later.
For Certified Asterisk versions 11.6 through 11.6-cert1, update to version 11.6-cert2 or later.
Fix
DoS
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Asterisk Open Source
Certified Asterisk