製品・ソフトウェアに関する情報

JVN脆弱性詳細

Asterisk Open Source および Certified Asterisk におけるバッファエラーの脆弱性

Title	Asterisk Open Source および Certified Asterisk におけるバッファエラーの脆弱性
Summary	Asterisk Open Source および Certified Asterisk には、バッファエラーの脆弱性が存在します。本脆弱性は、CVE-2017-7617 とは異なる脆弱性です。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 12, 2017, midnight
Registration Date	Dec. 11, 2017, 6:06 p.m.
Last Update	Dec. 11, 2017, 6:06 p.m.

Affected System

Digium

Asterisk 13.18.1 未満の 13

Asterisk 14.7.1 未満の 14

Asterisk 15.1.1 未満の 15

Certified Asterisk 13.13-cert7 未満の 13.13

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-16671	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16671
National Vulnerability Database (NVD)
2	CVE-2017-16671	https://nvd.nist.gov/vuln/detail/CVE-2017-16671

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Asterisk Project Security Advisory
1	AST-2017-010	http://downloads.asterisk.org/pub/security/AST-2017-010.html
JIRA
2	ASTERISK-27337	https://issues.asterisk.org/jira/browse/ASTERISK-27337

Change Log

No	Changed Details	Date of change
0	[2017年12月11日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-16671

Summary	A Buffer Overflow issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 before 14.7.1, and 15 before 15.1.1 and Certified Asterisk 13.13 before 13.13-cert7. No size checking is done when setting the user field for Party B on a CDR. Thus, it is possible for someone to use an arbitrarily large string and write past the end of the user field storage buffer. NOTE: this is different from CVE-2017-7617, which was only about the Party A buffer.
Publication Date	Nov. 9, 2017, 9:29 a.m.
Registration Date	Jan. 26, 2021, 1:18 p.m.
Last Update	Nov. 21, 2024, 12:16 p.m.

Affected software configurations

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:digium:certified_asterisk:13.13.0:::::::*
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert3::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert2::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc4::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc3::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc2::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc1::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert6::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert5::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert4::::::

Related information, measures and tools

No	URL	タグ
1	http://downloads.digium.com/pub/security/AST-2017-010.html	Vendor Advisory
2	http://downloads.digium.com/pub/security/AST-2017-010.html	Vendor Advisory
3	http://www.securityfocus.com/bid/101760	Third Party Advisory VDB Entry
4	http://www.securityfocus.com/bid/101760	Third Party Advisory VDB Entry
5	https://issues.asterisk.org/jira/browse/ASTERISK-27337	Issue Tracking Vendor Advisory
6	https://issues.asterisk.org/jira/browse/ASTERISK-27337	Issue Tracking Vendor Advisory
7	https://security.gentoo.org/glsa/201811-11
8	https://security.gentoo.org/glsa/201811-11
9	https://www.debian.org/security/2017/dsa-4076
10	https://www.debian.org/security/2017/dsa-4076

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:digium:certified_asterisk:13.13.0:::::::*
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert3::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert2::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc4::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc3::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc2::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert1_rc1::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert6::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert5::::::
cpe:2.3:a:digium:certified_asterisk:13.13.0:cert4::::::