CVE-2021-46837

Summary

CVE	CVE-2021-46837
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-08-30 07:15:00 UTC
Updated	2023-01-28 01:20:00 UTC
Description	res_pjsip_t38 in Sangoma Asterisk 16.x before 16.16.2, 17.x before 17.9.3, and 18.x before 18.2.2, and Certified Asterisk before 16.8-cert7, allows an attacker to trigger a crash by sending an m=image line and zero port in a response to a T.38 re-invite initiated by Asterisk. This is a re-occurrence of the CVE-2019-15297 symptoms but not for exactly the same reason. The crash occurs because there is an append operation relative to the active topology, but this should instead be a replace operation.

Risk And Classification

Problem Types: CWE-476

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Asterisk	Certified Asterisk	16.8.0	-	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert1	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert2	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert3	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert4	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert5	All	All
Application	Asterisk	Certified Asterisk	16.8.0	cert6	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Digium	Asterisk	All	All	All	All

References

Reference	Source	Link	Tags
Debian -- Security Information -- DSA-5285-1 asterisk	DEBIAN	www.debian.org
[SECURITY] [DLA 3194-1] asterisk security update	MLIST	lists.debian.org
AST-2021-006	MISC	downloads.asterisk.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

181225 Debian Security Update for asterisk (DLA 3194-1)
181237 Debian Security Update for asterisk (DSA 5285-1)