lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 21 Feb 2018 15:57:22 -0600
From: "Asterisk Security Team" <>
Subject: [FD] AST-2018-006: WebSocket frames with 0 sized payload causes DoS

               Asterisk Project Security Advisory - AST-2018-006

         Product        Asterisk                                              
         Summary        WebSocket frames with 0 sized payload causes DoS      
    Nature of Advisory  Denial of Service                                     
      Susceptibility    Remote Unauthenticated Sessions                       
         Severity       Moderate                                              
      Exploits Known    No                                                    
       Reported On      February 05, 2018                                     
       Reported By      Sean Bright                                           
        Posted On       February 21, 2018                                     
     Last Updated On    February 21, 2018                                     
     Advisory Contact   bford AT digium DOT com                               
         CVE Name       CVE-2018-7287                                         

    Description  When reading a websocket, the length was not being checked.  
                 If a payload of length 0 was read, it would result in a      
                 busy loop that waited for the underlying connection to       

    Resolution  A patch to asterisk is available that checks for payloads of  
                size 0 before attempting to read them. By default, Asterisk   
                does not enable the HTTP server, which means it is not        
                vulnerable to this problem. If the HTTP server is enabled,    
                you can disable it if you do not need it. Otherwise, the      
                patch provided with this security vulnerability can be        
                applied. Either of these approaches will resolve the          

                               Affected Versions       
                         Product                       Release  
                  Asterisk Open Source                  15.x    All versions  

                                  Corrected In         
                         Product                              Release         
                  Asterisk Open Source                        15.2.2          

                                SVN URL                              Revision   Asterisk 


    Asterisk Project Security Advisories are posted at                                                             
    This document may be superseded by later versions; if so, the latest      
    version will be posted at                                             and                        

                                Revision History  
                        Date                       Editor    Revisions Made   
    February 15, 2018                             Ben Ford  Initial Revision  
    February 21, 2018                             Ben Ford  Added CVE Name    

               Asterisk Project Security Advisory - AST-2018-006
               Copyright �� 2018 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ