CVE-2021-31878: 
NixOS vulnerability analysis and mitigation

An issue was discovered in PJSIP in Asterisk before 16.19.1 and before 18.5.1, identified as CVE-2021-31878. The vulnerability was reported on April 6, 2021, by Ivan Poddubny and affects the PJSIP channel driver in Asterisk. The issue occurs when a re-INVITE without SDP is received after Asterisk has sent a BYE request (Asterisk Advisory).

The vulnerability exists in the respjsipsession.c module and was introduced in a commit fixing ASTERISK-28452. The issue stems from a PJSIP callback (sessioninvoncreateoffer) that incorrectly assumes the astsipsession always has a channel. When session->channel is NULL, astqueueunhold(NULL) causes Asterisk to log assertion failures and crash (JIRA Issue). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability results in a denial of service condition where an authenticated attacker can cause Asterisk to crash. This affects the availability of the system, potentially disrupting voice communications services (Asterisk Advisory).

The vulnerability was fixed in Asterisk versions 16.19.1 and 18.5.1. Users should upgrade to these or later versions. Patches were also made available for affected versions through AST-2021-007-16.diff and AST-2021-007-18.diff (Asterisk Advisory).