PT-2022-26510 · Sangoma · Asterisk

Published 2020-07-06 · Updated 2023-02-24 · CVE-2022-42705

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Sangoma Asterisk versions 16.28 through 19.6
Sangoma Asterisk version certified/18.9-cert2

Description
A use-after-free issue in the res_pjsip_pubsub.c module may allow a remote authenticated attacker to crash Asterisk, resulting in a denial of service. This can occur when the attacker performs activity on a subscription via a reliable transport at the same time that Asterisk is also performing activity on that subscription.

Recommendations
For Sangoma Asterisk versions 16.28 through 19.6, update to a version that includes a fix for the use-after-free issue in the res_pjsip_pubsub.c module. For Sangoma Asterisk version certified/18.9-cert2, update to a version that includes a fix for the same issue. As a temporary workaround, consider restricting access to the res_pjsip_pubsub.c module to minimize the risk of exploitation.

Tags: Fix · DoS · Use After Free

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2313
CVE-2022-42705
DLA-3335-1
DSA-5358-1

Affected Products

Alt Linux
Asterisk