Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30797
HistoryJun 13, 2014 - 12:00 a.m.

AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections

2014-06-1300:00:00
vulners.com
10
JSON
           Asterisk Project Security Advisory - AST-2014-007

      Product         Asterisk                                            
      Summary         Exhaustion of Allowed Concurrent HTTP Connections   
 Nature of Advisory   Denial Of Service                                   
   Susceptibility     Remote Unauthenticated Sessions                     
      Severity        Moderate                                            
   Exploits Known     No                                                  
    Reported On       May 25, 2014                                        
    Reported By       Richard Mudgett                                     
     Posted On        May 9, 2014                                         
  Last Updated On     June 12, 2014                                       
  Advisory Contact    Richard Mudgett <rmudgett AT digium DOT com>        
      CVE Name        CVE-2014-4047                                       

Description  Establishing a TCP or TLS connection to the configured HTTP  
             or HTTPS port respectively in http.conf and then not         
             sending or completing a HTTP request will tie up a HTTP      
             session. By doing this repeatedly until the maximum number   
             of open HTTP sessions is reached, legitimate requests are    
             blocked.                                                     

Resolution  The patched versions now have a session_inactivity timeout    
            option in http.conf that defaults to 30000 ms. Users should   
            upgrade to a corrected version, apply the released patches,   
            or disable HTTP support.                                      

                           Affected Versions
            Product              Release Series  
     Asterisk Open Source            1.8.x       All versions             
     Asterisk Open Source             11.x       All versions             
     Asterisk Open Source             12.x       All versions             
      Certified Asterisk             1.8.15      All versions             
      Certified Asterisk              11.6       All versions             

                              Corrected In
             Product                              Release                 
      Asterisk Open Source               1.8.28.1, 11.10.1, 12.3.1        
       Certified Asterisk                1.8.15-cert6, 11.6-cert3         

                                  Patches                          
                             SVN URL                               Revision

http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff Asterisk
1.8
http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff Asterisk
11
http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff Asterisk
12
http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff Certified
Asterisk
1.8.15
http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff Certified
Asterisk
11.6

   Links     https://issues.asterisk.org/jira/browse/ASTERISK-23673       

Asterisk Project Security Advisories are posted at                        
http://www.asterisk.org/security                                          
                                                                          
This document may be superseded by later versions; if so, the latest      
version will be posted at                                                 
http://downloads.digium.com/pub/security/AST-2014-007.pdf and             
http://downloads.digium.com/pub/security/AST-2014-007.html                

                            Revision History
      Date                  Editor                 Revisions Made         
May 9, 2014        Richard Mudgett           Document Creation            
June 12, 2014      Matt Jordan               Added CVE                    

           Asterisk Project Security Advisory - AST-2014-007
          Copyright (c) 2014 Digium, Inc. All Rights Reserved.

Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.

Related

checkpoint_advisories 1
fedora 2
prion 1
openvas 3
nessus 6
ubuntucve 1
debiancve 1
cve 1
mageia 1
gentoo 1
freebsd 1
securityvulns 1
checkpoint_advisories
checkpoint_advisories
Digium Asterisk HTTP Connections Denial of Service (CVE-2014-4047)
2014-10-29 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: asterisk-11.10.2-2.fc20
2014-09-19 10:05:48
[SECURITY] Fedora 19 Update: asterisk-11.10.2-2.fc19
2014-09-19 10:11:34
prion
prion
Denial of service
2014-06-17 14:55:00
openvas
openvas
Fedora Update for asterisk FEDORA-2014-7570
2014-09-20 00:00:00
Fedora Update for asterisk FEDORA-2014-7551
2014-09-20 00:00:00
Gentoo Security Advisory GLSA 201406-25
2015-09-29 00:00:00
nessus
nessus
Fedora 20 : asterisk-11.10.2-2.fc20 (2014-7551)
2014-09-22 00:00:00
Asterisk HTTP Session Handling DoS (AST-2014-007)
2014-06-17 00:00:00
Fedora 19 : asterisk-11.10.2-2.fc19 (2014-7570)
2014-09-22 00:00:00
ubuntucve
ubuntucve
CVE-2014-4047
2014-06-17 00:00:00
debiancve
debiancve
CVE-2014-4047
2014-06-17 14:55:00
cve
cve
CVE-2014-4047
2014-06-17 14:55:00
mageia
mageia
Updated asterisk packages fix security vulnerabilities
2014-07-26 16:52:06
gentoo
gentoo
Asterisk: Multiple vulnerabilities
2014-06-25 00:00:00
freebsd
freebsd
asterisk -- multiple vulnerabilities
2014-06-12 00:00:00
securityvulns
securityvulns
Asterisk multiple security vulnerabilities
2014-06-13 00:00:00
JSON
Related for SECURITYVULNS:DOC:30797
checkpoint_advisories1fedora2prion1openvas3nessus6ubuntucve1debiancve1cve1mageia1gentoo1freebsd1securityvulns1