• Home
  • |
  • Blog
  • |
  • Fix The Five Memory Corruption Vulnerabilities In PJSIP Library ASAP
Fix the Five Memory Corruption Vulnerabilities in PJSIP Library

The Security team from JFrog has identified five memory corruption vulnerabilities in the PJSIP library, a widely used open-source multimedia communication library from Teluu. Successful exploitation of these vulnerabilities could lead to arbitrary code execution in the application that uses the PJSIP library. We recommend all the application developers read the post that tells how to fix the five memory corruption vulnerabilities in the PJSIP library.

What Is PJSIP Library?

PJSIP is a free and open-source multimedia communication library written in C language. It is most likely used in the implementation of standard protocols such as SIP, SDP, RTP, STUN, TURN, and ICE protocols. It combines signaling protocol (SIP) with a rich multimedia framework and NAT traversal functionality into a high-level API that is compatible with desktops, embedded systems, mobile, and tablets. 

Basically, it provides an API service that supports audio, video, and instant messaging features that can be used in communication platforms such as VoIP phones and conference applications. Now, It is being used in the world’s most popular communication applications such as WhatsApp, BlueJeans, and Asterisk

Summary Of the Five Memory Corruption Vulnerabilities In PJSIP Library:

JFrog’s security team identified five memory corruption vulnerabilities in PJSIP Library whose CVSS scores range from 8.1 to 5.9. Successful exploitation of these vulnerabilities could allow an attacker to perform arbitrary code execution in the application that uses the PJSIP library. Please visit this post from JFrog Security Team for more technical details.

CVE IDDescriptionImpactJFrog CVSS
CVE-2021-43299Stack overflow in PJSUA API when calling pjsua_player_createArbitrary Code Execution8.1
CVE-2021-43300Stack overflow in PJSUA API when calling pjsua_recorder_createArbitrary Code Execution8.1
CVE-2021-43301Stack overflow in PJSUA API when calling pjsua_playlist_createArbitrary Code Execution8.1
CVE-2021-43302Read out-of-bounds in PJSUA API when calling pjsua_recorder_createDenial of Service5.9
CVE-2021-43303Buffer overflow in PJSUA API when calling pjsua_call_dumpDenial of Service5.9

PJSIP Library Affected By These Vulnerabilities:

The PJSIP library before version 2.12 and pass attacker-controlled arguments to any of these following APIs are vulnerable to these memory corruption flaws: 

  • pjsua_player_create – filename argument must be attacker-controlled
  • pjsua_recorder_create – filename argument must be attacker-controlled
  • pjsua_playlist_create – file_names argument must be (partially) attacker-controlled
  • pjsua_call_dump – buffer argument capacity must be smaller than 128 bytes

All the application developers who use PJSIP Library in their development projects need to fix these five memory corruption vulnerabilities in the PJSIP library.

How To Fix The Five Memory Corruption Vulnerabilities In PJSIP Library?

The authors of the PJSIP library has responded to the vulnerabilities as soon as JFrog’s security team reported these flaws to them. PJSIP authors have fixed the flaws by releasing version 2.12. We recommend that all application developers upgrade to v1.12 and above who use the PJSIP library.

We hope this post will help you know How to Fix the Five Memory Corruption Vulnerabilities in PJSIP Library. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.