Asterisk Project Security Advisory - AST-2021-007 Product Asterisk Summary Remote Crash Vulnerability in PJSIP channel driver Nature of Advisory Denial of Service Susceptibility Remote Authenticated Sessions Severity Moderate Exploits Known No Reported On April 6, 2021 Reported By Ivan Poddubny Posted On Last Updated On July 6, 2021 Advisory Contact Jcolp AT sangoma DOT com CVE Name CVE-2021-31878 Description When Asterisk receives a re-INVITE without SDP after having sent a BYE request a crash will occur. This occurs due to the Asterisk channel no longer being present while code assumes it is. Modules Affected res_pjsip_session.c Resolution Upgrade to one of the fixed versions of Asterisk or apply the appropriate patch. Affected Versions Product Release Series Asterisk Open Source 16.x 16.17.0, 16.18.0, 16.19.0 Asterisk Open Source 18.x 18.3.0, 18.4.0, 18.5.0 Corrected In Product Release Asterisk Open Source 16.19.1, 18.5.1 Patches Patch URL Revision https://downloads.digium.com/pub/security/AST-2021-007-16.diff Asterisk 16 https://downloads.digium.com/pub/security/AST-2021-007-18.diff Asterisk 18 Links https://issues.asterisk.org/jira/browse/ASTERISK-29381 https://downloads.asterisk.org/pub/security/AST-2021-007.html Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at https://downloads.digium.com/pub/security/AST-2021-007.pdf and https://downloads.digium.com/pub/security/AST-2021-007.html Revision History Date Editor Revisions Made April 28, 2021 Joshua Colp Initial revision Asterisk Project Security Advisory - AST-2021-007 Copyright © 2021 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.