Alpine: multiple asterisk packages: security update to 12.1.0-r0 (deprecated)

critical Tenable Cloud Security Plugin ID 401093

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before 12.1.1,
and Certified Asterisk 1.8.x before 1.8.15-cert5 and 11.6 before 11.6-cert2, allows remote attackers to
cause a denial of service (stack consumption) and possibly execute arbitrary code via an HTTP request with
a large number of Cookie headers. (CVE-2014-2286)

- channels/chan_sip.c in Asterisk Open Source 1.8.x before 1.8.26.1, 11.8.x before 11.8.1, and 12.1.x before
12.1.1, and Certified Asterisk 1.8.15 before 1.8.15-cert5 and 11.6 before 11.6-cert2, when chan_sip has a
certain configuration, allows remote authenticated users to cause a denial of service (channel and file
descriptor consumption) via an INVITE request with a (1) Session-Expires or (2) Min-SE header with a
malformed or invalid value. (CVE-2014-2287)

- The PJSIP channel driver in Asterisk Open Source 12.x before 12.1.1, when qualify_frequency "is enabled on
an AOR and the remote SIP server challenges for authentication of the resulting OPTIONS request," allows
remote attackers to cause a denial of service (crash) via a PJSIP endpoint that does not have an
associated outgoing request. (CVE-2014-2288)

- res/res_pjsip_exten_state.c in the PJSIP channel driver in Asterisk Open Source 12.x before 12.1.0 allows
remote authenticated users to cause a denial of service (crash) via a SUBSCRIBE request without any Accept
headers, which triggers an invalid pointer dereference. (CVE-2014-2289)

See Also

https://git.alpinelinux.org/aports/commit/?id=0f35b9749045b1c2c49d2161334bbbadf9993ad7

https://git.alpinelinux.org/aports/commit/?id=c0ffa3beb0342bc1b98c84a009565e66cf9d3e1c

Plugin Details

Severity: Critical

ID: 401093

Version: Revision 1.25

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2014-2286

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2014-2288

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2014

Vulnerability Publication Date: 3/10/2014

Reference Information

CVE: CVE-2014-2286, CVE-2014-2287, CVE-2014-2288, CVE-2014-2289

BID: 66093, 66094, 66096, 66104

IAVA: 2014-A-0035-S