PT-2014-8970 · Digium · Asterisk

Published

2014-12-12

Updated

2018-10-09

CVE-2014-9374

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions Asterisk Open Source versions 11.x through 11.14.1 Asterisk Open Source versions 12.x through 12.7.1 Asterisk Open Source versions 13.x through 13.0.1 Certified Asterisk versions 11.6 through 11.6-cert8

Description A double free vulnerability exists in the WebSocket Server (res http websocket module) that allows remote attackers to cause a denial of service (crash) by sending a zero length frame after a non-zero length frame.

Recommendations For Asterisk Open Source versions 11.x through 11.14.1, update to version 11.14.2 or later. For Asterisk Open Source versions 12.x through 12.7.1, update to version 12.7.2 or later. For Asterisk Open Source versions 13.x through 13.0.1, update to version 13.0.2 or later. For Certified Asterisk versions 11.6 through 11.6-cert8, update to version 11.6-cert9 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2014-9374

MGASA-2015-0010

Affected Products

Asterisk

PT-2014-8970 · Digium · Asterisk

CVE-2014-9374

Related Identifiers

Affected Products

References · 20