An update for net-snmp is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS

Security Advisory: openEuler-SA-2022-1888
Contact: openeuler-security@openeuler.org (openEuler security committee)
Status: Final, version 1.0
Revision 1.0 (2022-09-02): Initial
Initial release: 2022-09-02
Current release: 2022-09-02
Generator: openEuler SA Tool V1.0 (2022-09-02)

net-snmp security update

Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6. The suite includes:

- An extensible agent for responding to SNMP queries including built-in support for a wide range of MIB information modules
- Command-line applications to retrieve and manipulate information from SNMP-capable devices
- A daemon application for receiving SNMP notifications
- A library for developing new SNMP applications, with C and Perl APIs
- A graphical MIB browser.

Security Fix(es):

https://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES
CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference. (CVE-2022-24809)

CVE-2022-24807 A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.
https://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES (CVE-2022-24807)

https://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES
CVE-2022-24808 A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference (CVE-2022-24808)

*5.9.2*:
  security:
    - These two CVEs can be exploited by a user with read-only credentials:
        - CVE-2022-24805 A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
        - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference.
    - These CVEs can be exploited by a user with read-write credentials:
        - CVE-2022-24806 Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously
        - CVE-2022-24807 A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access.
        - CVE-2022-24808 A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
        - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference.
    - To avoid these flaws, use strong SNMPv3 credentials and do not share them. If you must use SNMPv1 or SNMPv2c, use a complex community string and enhance the protection by restricting access to a given IP address range.
    - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for reporting the following CVEs that have been fixed in this release, and to Arista Networks for providing fixes.
(CVE-2022-24805)

https://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES
CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference. (CVE-2022-24810)

From https://github.com/net-snmp/net-snmp/blob/v5.9.2/CHANGES
CVE-2022-24806 Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously (CVE-2022-24806)

An update for net-snmp is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Severity: Medium
Affected component: net-snmp

References:

- https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1888
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24809
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24807
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24808
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24805
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24810
- https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-24806
- https://nvd.nist.gov/vuln/detail/CVE-2022-24809
- https://nvd.nist.gov/vuln/detail/CVE-2022-24807
- https://nvd.nist.gov/vuln/detail/CVE-2022-24808
- https://nvd.nist.gov/vuln/detail/CVE-2022-24805
- https://nvd.nist.gov/vuln/detail/CVE-2022-24810
- https://nvd.nist.gov/vuln/detail/CVE-2022-24806

Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS

Packages:

aarch64:
- net-snmp-5.9-6.oe1.aarch64.rpm
- net-snmp-debuginfo-5.9-6.oe1.aarch64.rpm
- net-snmp-debugsource-5.9-6.oe1.aarch64.rpm
- net-snmp-devel-5.9-6.oe1.aarch64.rpm
- net-snmp-gui-5.9-6.oe1.aarch64.rpm
- net-snmp-libs-5.9-6.oe1.aarch64.rpm
- net-snmp-perl-5.9-6.oe1.aarch64.rpm
- python3-net-snmp-5.9-6.oe1.aarch64.rpm
- net-snmp-5.9.1-3.oe2203.aarch64.rpm
- net-snmp-debuginfo-5.9.1-3.oe2203.aarch64.rpm
- net-snmp-debugsource-5.9.1-3.oe2203.aarch64.rpm
- net-snmp-devel-5.9.1-3.oe2203.aarch64.rpm
- net-snmp-gui-5.9.1-3.oe2203.aarch64.rpm
- net-snmp-libs-5.9.1-3.oe2203.aarch64.rpm
- net-snmp-perl-5.9.1-3.oe2203.aarch64.rpm
- python3-net-snmp-5.9.1-3.oe2203.aarch64.rpm

noarch:
- net-snmp-help-5.9-6.oe1.noarch.rpm
- net-snmp-help-5.9.1-3.oe2203.noarch.rpm

src:
- net-snmp-5.9-6.oe1.src.rpm
- net-snmp-5.9.1-3.oe2203.src.rpm

x86_64:
- net-snmp-5.9-6.oe1.x86_64.rpm
- net-snmp-debuginfo-5.9-6.oe1.x86_64.rpm
- net-snmp-debugsource-5.9-6.oe1.x86_64.rpm
- net-snmp-devel-5.9-6.oe1.x86_64.rpm
- net-snmp-gui-5.9-6.oe1.x86_64.rpm
- net-snmp-libs-5.9-6.oe1.x86_64.rpm
- net-snmp-perl-5.9-6.oe1.x86_64.rpm
- python3-net-snmp-5.9-6.oe1.x86_64.rpm
- net-snmp-5.9.1-3.oe2203.x86_64.rpm
- net-snmp-debuginfo-5.9.1-3.oe2203.x86_64.rpm
- net-snmp-debugsource-5.9.1-3.oe2203.x86_64.rpm
- net-snmp-devel-5.9.1-3.oe2203.x86_64.rpm
- net-snmp-gui-5.9.1-3.oe2203.x86_64.rpm
- net-snmp-libs-5.9.1-3.oe2203.x86_64.rpm
- net-snmp-perl-5.9.1-3.oe2203.x86_64.rpm
- python3-net-snmp-5.9.1-3.oe2203.x86_64.rpm

Vulnerabilities:

CVE-2022-24809
  Description: No description is available for this CVE.
  Release date: 2022-09-02
  Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Medium
  CVSS base score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Remediation: net-snmp security update (2022-09-02), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1888

CVE-2022-24807
  Description: No description is available for this CVE.
  Release date: 2022-09-02
  Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Medium
  CVSS base score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Remediation: net-snmp security update (2022-09-02), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1888

CVE-2022-24808
  Description: No description is available for this CVE.
  Release date: 2022-09-02
  Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Medium
  CVSS base score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Remediation: net-snmp security update (2022-09-02), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1888

CVE-2022-24805
  Description: No description is available for this CVE.
  Release date: 2022-09-02
  Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Medium
  CVSS base score: 6.7 (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)
  Remediation: net-snmp security update (2022-09-02), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1888

CVE-2022-24810
  Description: No description is available for this CVE.
  Release date: 2022-09-02
  Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Medium
  CVSS base score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Remediation: net-snmp security update (2022-09-02), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1888

CVE-2022-24806
  Description: No description is available for this CVE.
  Release date: 2022-09-02
  Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Medium
  CVSS base score: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Remediation: net-snmp security update (2022-09-02), https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1888