JFrog security researchers recently discovered five vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. By exploiting these vulnerabilities, an attacker could execute arbitrary code in an application that uses the PJSIP library. JFrog Security has disclosed these critical vulnerabilities and has worked with the PJSIP maintainers to ensure that they are addressed.
What is the PJSIP library used for?
PJSIP provides an Application Programming Interface (API) that can be used by IP telephony applications such as VoIP phones and conferencing applications. It is used today by the world’s most popular communication applications, such as WhatsApp and BlueJeans. PJSIP is also used by Asterisk, the ubiquitous open source telephony implementation (PBX/Private Branch Exchange).
The revealed PJSIP vulnerabilities
- CVE-2021-43299 (CVSS Score: 8.1): Stack Overflow in the PJSUA API when calling pjsua_player_create
- CVE-2021-43300 (CVSS Score: 8.1): Stack Overflow in the PJSUA API when calling pjsua_recorder_create
- CVE-2021-43301 (CVSS Score: 8.1): Stack Overflow in the PJSUA API when calling pjsua_playlist_create
- CVE-2021-43302 (CVSS Score: 5.9): Read out-of-bounds in the PJSUA API when calling pjsua_recorder_create
- CVE-2021-43303 (CVSS Score: 5.9): Buffer Overflow in the PJSUA API when calling pjsua_call_dump
Who is affected by the vulnerabilities?
All projects that use a PJSIP library version before 2.12 and pass attacker-controlled parameters to one of the APIs listed above are vulnerable. This means that exploitation is context-dependent – an application must use the PJSIP library in a certain way to be vulnerable, namely by calling the above APIs and passing external input to certain arguments of these APIs.
The JFrog Security Research Team uncovered the vulnerabilities in the library itself and therefore does not explicitly claim that any particular application is vulnerable, as no specific applications have been investigated. This includes the applications mentioned in the previous section (WhatsApp, BlueJeans and Asterisk).
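A triage helper for the condition described above, added here as an example (it is not JFrog's or the PJSIP project's code): it checks a PJSIP version against 2.12 and lists call sites of the four affected APIs in an application's own C/C++ sources. The function names, the sample source and its path are constructed for illustration, and the comment stripping is a heuristic; a hit marks a call to review, since whether its arguments come from external input still has to be checked by hand.

```python
import re

AFFECTED = {  # API -> CVE IDs, as listed in this article
    "pjsua_player_create": ["CVE-2021-43299"],
    "pjsua_recorder_create": ["CVE-2021-43300", "CVE-2021-43302"],
    "pjsua_playlist_create": ["CVE-2021-43301"],
    "pjsua_call_dump": ["CVE-2021-43303"],
}
FIXED = (2, 12)  # first fixed PJSIP release according to the article
CALL = re.compile(r"\b(" + "|".join(AFFECTED) + r")\s*\(")
# String literals (kept) and comments (blanked); heuristic, not a full C lexer.
SKIP = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)


def is_affected_version(version):
    """True when a dotted PJSIP version string is older than 2.12."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return (int(m[1]), int(m[2])) < FIXED


def find_calls(source, path):
    """Return (path, line, function, cves) for each affected call site."""
    code = SKIP.sub(  # newlines are kept, so line numbers stay correct
        lambda m: m[0] if m[0][0] == '"' else re.sub(r"[^\n]", " ", m[0]), source)
    return [(path, n, m[1], AFFECTED[m[1]])
            for n, line in enumerate(code.splitlines(), 1)
            for m in CALL.finditer(line)]


def triage(version, sources):
    """sources maps path -> text; call sites matter only before 2.12."""
    if not is_affected_version(version):
        return []
    return [h for p in sorted(sources) for h in find_calls(sources[p], p)]


# Constructed sample application source (not taken from any real project).
SAMPLE = '''\
/* pjsua_call_dump(old) was removed */
static void play(const char *user_path) {
    pj_str_t f = pj_str((char *)user_path);
    pjsua_player_create(&f, 0, &player_id);  // path comes from the caller
}
'''

if __name__ == "__main__":
    print(*triage("2.11.1", {"app/media.c": SAMPLE}), sep="\n")
```

Run it over the application's sources rather than a vendored copy of PJSIP, whose own headers and definitions of these functions would also match.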
Fixing the security vulnerabilities
To completely fix these vulnerabilities, the security researchers recommend upgrading PJSIP to version 2.12. The details of the investigation of the PJSIP vulnerabilities can be found in this blog. In addition to detecting new vulnerabilities and threats, JFrog provides developers and security teams with easy access to the latest relevant information for their software – including the PJSIP open source library versions in use and their associated CVEs – through automatic security scanning using the JFrog Xray SCA tool.