USN-2711-1 Net-SNMP Vulnerabilities


Severity

Low to Medium

Vendor

Canonical Ubuntu

Versions Affected
  • libsnmp30 5.7.2~dfsg-8.1ubuntu3.1
Description

Net-SNMP could be made to crash or run programs if it received specially crafted network traffic. It was discovered that Net-SNMP incorrectly handled certain trap messages when the -OQ option was used. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service. (CVE-2014-3565)

Qinghao Tang discovered that Net-SNMP incorrectly handled SNMP PDU parsing failures. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-5621)

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • Cloud Foundry Runtime: all versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs.
  • PHP Buildpack v1.4.1 and earlier are vulnerable.
  • Products in the PCF Suite containing cf-release 218 or earlier are vulnerable to the aforementioned CVE:
    • Elastic Runtime v1.5.5 or earlier
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Deployments using cf-release 218 or lower upgrade to 219 or higher to resolve the aforementioned CVEs.
  • Pivotal recommends customers upgrade to the following releases in the PCF Suite:
Credit

Unknown

References