Release Date
22nd February 2021.
Overview
Unsafe handling of RTP media streams can cause an out-of-memory crash loop in the RTP receiver and thus a denial of service (DoS) of the system.
Affected Products
- Ava Aware:
  - All Stable upgrade channel versions up to but not including 3.4.4
  - All Beta upgrade channel versions up to but not including 3.4.4
Unaffected Products
- Ava Aware:
  - All Stable upgrade channel versions from 3.4.4
  - All Beta upgrade channel versions from 3.4.4
- Ava Cloud: All versions
- Ava Cameras: All versions
Resolution
This issue has been fixed in Beta upgrade channel version 3.4.4 and Stable upgrade channel version 3.4.4. We strongly recommend that all installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Ava Aware User Interface.
Vulnerability Information
- CVE: pending
- CVSSv3 score: 5.9 (Medium)
- CVSSv3 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Mitigations
There are no known mitigations for this issue.
Workarounds
There are no known workarounds for this issue.
Acknowledgements
Issue found internally by Ava Security.
Disclosure Timeline
- 15/02/2021 Issue found internally by Ava Security
- 16/02/2021 Root cause established
- 19/02/2021 Fix identified
- 22/02/2021 Patched Ava Aware 3.4.4 (Beta upgrade channel) released
- 22/02/2021 Patched Ava Aware 3.4.4 (Stable upgrade channel) released
- 22/02/2021 Vulnerability publicly disclosed