CVE-2017-17090
asterisk - security update
CVSS 3.1 score: 7.5 (HIGH); EPSS: 80.6%
Description
An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18.2 and older, 14.7.2 and older, and 15.1.2 and older, and Certified Asterisk 13.13-cert7 and older. If the chan_skinny (aka SCCP protocol) channel driver is flooded with certain requests, it can cause the asterisk process to use excessive amounts of virtual memory, eventually causing asterisk to stop processing requests of any kind.
How to fix CVE-2017-17090
To remediate CVE-2017-17090, upgrade the asterisk package to the fixed version for your release, or later. The flaw is confined to the chan_skinny channel driver, so on systems that serve no SCCP phones the exposure can also be removed by not loading that module (an Asterisk modules.conf `noload` entry) until the package is upgraded; the package name prefixed to each fixed version below is taken from the advisory title, as the page does not name the Debian suite each one belongs to.
- asterisk: upgrade to 1:13.18.3~dfsg-1 or later
- asterisk: upgrade to 1:1.8.13.1~dfsg1-3+deb7u8 or later
- asterisk: upgrade to 1:11.13.1~dfsg-2+deb8u5 or later
Is CVE-2017-17090 being exploited?
Likely. EPSS is 80.6%, which places CVE-2017-17090 in the top tier of vulnerabilities by estimated probability of exploitation in the wild; note that EPSS is a prediction of exploitation activity, not confirmation of an observed attack on your systems. Since the flaw is an unauthenticated, network-reachable denial of service against the SCCP listener, prioritise patching and, in the meantime, restrict which networks can reach the Skinny port or unload chan_skinny where no SCCP phones are served.
Affected packages (3)
- asterisk: from 0, < 1:13.18.3~dfsg-1
- asterisk: from 0, < 1:1.8.13.1~dfsg1-3+deb7u8
- asterisk: from 0, < 1:11.13.1~dfsg-2+deb8u5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |