Asterisk Project Security Advisory - AST-2021-007

          Product        Asterisk                                             
          Summary        Remote Crash Vulnerability in PJSIP channel driver   
    Nature of Advisory   Denial of Service                                    
      Susceptibility     Remote Authenticated Sessions                        
         Severity        Moderate                                             
      Exploits Known     No                                                   
        Reported On      April 6, 2021                                        
        Reported By      Ivan Poddubny                                        
         Posted On       
      Last Updated On    July 6, 2021                                         
     Advisory Contact    Jcolp AT sangoma DOT com                             
         CVE Name        CVE-2021-31878                                       

      Description     When Asterisk receives a re-INVITE without SDP after    
                      having sent a BYE request a crash will occur. This      
                      occurs due to the Asterisk channel no longer being      
                      present while code assumes it is.                       
    Modules Affected  res_pjsip_session.c                                     

    Resolution  Upgrade to one of the fixed versions of Asterisk or apply     
                the appropriate patch.                                        

                               Affected Versions
             Product           Release Series  
      Asterisk Open Source          16.x       16.17.0, 16.18.0, 16.19.0      
      Asterisk Open Source          18.x       18.3.0, 18.4.0, 18.5.0         

                                  Corrected In
                   Product                              Release               
             Asterisk Open Source                   16.19.1, 18.5.1           

                                    Patches                         
                              Patch URL                             Revision  
    https://downloads.digium.com/pub/security/AST-2021-007-16.diff  Asterisk  
                                                                    16        
    https://downloads.digium.com/pub/security/AST-2021-007-18.diff  Asterisk  
                                                                    18        

     Links   https://issues.asterisk.org/jira/browse/ASTERISK-29381           
                                                                              
             https://downloads.asterisk.org/pub/security/AST-2021-007.html    

    Asterisk Project Security Advisories are posted at                        
    http://www.asterisk.org/security                                          
                                                                              
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                                 
    https://downloads.digium.com/pub/security/AST-2021-007.pdf and            
    https://downloads.digium.com/pub/security/AST-2021-007.html               

                                Revision History
          Date                 Editor                  Revisions Made         
    April 28, 2021     Joshua Colp              Initial revision              

               Asterisk Project Security Advisory - AST-2021-007
               Copyright © 2021 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.