Asterisk Project Security Advisory - AST-2014-007 Product Asterisk Summary Exhaustion of Allowed Concurrent HTTP Connections Nature of Advisory Denial Of Service Susceptibility Remote Unauthenticated Sessions Severity Moderate Exploits Known No Reported On May 25, 2014 Reported By Richard Mudgett Posted On May 9, 2014 Last Updated On June 12, 2014 Advisory Contact Richard Mudgett <rmudgett AT digium DOT com> CVE Name CVE-2014-4047 Description Establishing a TCP or TLS connection to the configured HTTP or HTTPS port respectively in http.conf and then not sending or completing a HTTP request will tie up a HTTP session. By doing this repeatedly until the maximum number of open HTTP sessions is reached, legitimate requests are blocked. Resolution The patched versions now have a session_inactivity timeout option in http.conf that defaults to 30000 ms. Users should upgrade to a corrected version, apply the released patches, or disable HTTP support. Affected Versions Product Release Series Asterisk Open Source 1.8.x All versions Asterisk Open Source 11.x All versions Asterisk Open Source 12.x All versions Certified Asterisk 1.8.15 All versions Certified Asterisk 11.6 All versions Corrected In Product Release Asterisk Open Source 1.8.28.1, 11.10.1, 12.3.1 Certified Asterisk 1.8.15-cert6, 11.6-cert3 Patches SVN URL Revision http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff Asterisk 1.8 http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff Asterisk 11 http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff Asterisk 12 http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff Certified Asterisk 1.8.15 http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff Certified Asterisk 11.6 Links https://issues.asterisk.org/jira/browse/ASTERISK-23673 Asterisk Project Security Advisories are posted at http://www.asterisk.org/security This document may be superseded by later versions; if so, the latest version will be posted at http://downloads.digium.com/pub/security/AST-2014-007.pdf and http://downloads.digium.com/pub/security/AST-2014-007.html Revision History Date Editor Revisions Made May 9, 2014 Richard Mudgett Document Creation June 12, 2014 Matt Jordan Added CVE Asterisk Project Security Advisory - AST-2014-007 Copyright (c) 2014 Digium, Inc. All Rights Reserved. Permission is hereby granted to distribute and publish this advisory in its original, unaltered form.