USN-2711-1 Net-SNMP Vulnerabilities
Severity
Low to Medium
Vendor
Canonical Ubuntu
Versions Affected
- libsnmp30 5.7.2~dfsg-8.1ubuntu3.1
Description
Net-SNMP could be made to crash or run programs if it received specially crafted network traffic. It was discovered that Net-SNMP incorrectly handled certain trap messages when the -OQ option was used. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service. (CVE-2014-3565)
Qinghao Tang discovered that Net-SNMP incorrectly handled SNMP PDU parsing failures. A remote attacker could use this issue to cause Net-SNMP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-5621)
Affected VMware Products and Versions
Severity is low unless otherwise noted.
- Cloud Foundry Runtime: all versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs.
- PHP Buildpack v1.4.1 and earlier are vulnerable.
- Products in the PCF Suite containing cf-release 218 or earlier are vulnerable to the aforementioned CVE:
- Elastic Runtime v1.5.5 or earlier
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry Deployments using cf-release 218 or lower upgrade to 219 or higher to resolve the aforementioned CVEs.
- Pivotal recommends customers upgrade to the following releases in the PCF Suite:
- Elastic Runtime 1.5.6 or higher
- PHP Buildpack 4.1.2 or higher
Credit
Unknown