AST-2014-007: Exhaustion of Allowed Concurrent HTTP Connections

Asterisk Project Security Advisory - AST-2014-007

          Product         Asterisk
          Summary         Exhaustion of Allowed Concurrent HTTP Connections
     Nature of Advisory   Denial Of Service
       Susceptibility     Remote Unauthenticated Sessions
          Severity        Moderate
       Exploits Known     No
        Reported On       May 25, 2014
        Reported By       Richard Mudgett
         Posted On        May 9, 2014
      Last Updated On     June 12, 2014
      Advisory Contact    Richard Mudgett <rmudgett AT digium DOT com>
          CVE Name        CVE-2014-4047

    Description  Establishing a TCP or TLS connection to the configured HTTP
                 or HTTPS port respectively in http.conf and then not
                 sending or completing a HTTP request will tie up a HTTP
                 session. By doing this repeatedly until the maximum number
                 of open HTTP sessions is reached, legitimate requests are
                 blocked.

    Resolution  The patched versions now have a session_inactivity timeout
                option in http.conf that defaults to 30000 ms. Users should
                upgrade to a corrected version, apply the released patches,
                or disable HTTP support.

                               Affected Versions
                Product              Release Series
         Asterisk Open Source            1.8.x       All versions
         Asterisk Open Source             11.x       All versions
         Asterisk Open Source             12.x       All versions
          Certified Asterisk             1.8.15      All versions
          Certified Asterisk              11.6       All versions

                                  Corrected In
                 Product                              Release
          Asterisk Open Source               1.8.28.1, 11.10.1, 12.3.1
           Certified Asterisk                1.8.15-cert6, 11.6-cert3

                                      Patches
                                 SVN URL                               Revision
   http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.diff    Asterisk
                                                                       1.8
   http://downloads.asterisk.org/pub/security/AST-2014-007-11.diff     Asterisk
                                                                       11
   http://downloads.asterisk.org/pub/security/AST-2014-007-12.diff     Asterisk
                                                                       12
   http://downloads.asterisk.org/pub/security/AST-2014-007-1.8.15.diff Certified
                                                                       Asterisk
                                                                       1.8.15
   http://downloads.asterisk.org/pub/security/AST-2014-007-11.6.diff   Certified
                                                                       Asterisk
                                                                       11.6

       Links     https://issues.asterisk.org/jira/browse/ASTERISK-23673

    Asterisk Project Security Advisories are posted at
    http://www.asterisk.org/security

    This document may be superseded by later versions; if so, the latest
    version will be posted at
    http://downloads.digium.com/pub/security/AST-2014-007.pdf and
    http://downloads.digium.com/pub/security/AST-2014-007.html

                                Revision History
          Date                  Editor                 Revisions Made
    May 9, 2014        Richard Mudgett           Document Creation
    June 12, 2014      Matt Jordan               Added CVE

               Asterisk Project Security Advisory - AST-2014-007
              Copyright (c) 2014 Digium, Inc. All Rights Reserved.
  Permission is hereby granted to distribute and publish this advisory in its
                           original, unaltered form.