CVE-2018-7284

Name of the Vulnerable Software and Affected Versions Asterisk versions 13.19.1 and earlier, 14.x through 14.7.5, and 15.x through 15.2.1 Certified Asterisk versions 13.18-cert2 and earlier

Description A Buffer Overflow issue was discovered in the processing of a SUBSCRIBE request by the res pjsip pubsub module. The module stores accepted formats from the Accept headers of the request but does not limit the number of headers it processes, despite a fixed limit of 32. If more than 32 Accept headers are present, the code writes outside of its memory, causing a crash.

Recommendations For Asterisk versions 13.19.1 and earlier, update to a version later than 13.19.1 to resolve the issue. For Asterisk versions 14.x through 14.7.5, update to a version later than 14.7.5. For Asterisk versions 15.x through 15.2.1, update to a version later than 15.2.1. For Certified Asterisk versions 13.18-cert2 and earlier, update to a version later than 13.18-cert2. As a temporary workaround, consider restricting access to the res pjsip pubsub module to minimize the risk of exploitation.