CVE-2014-2310: Input Validation
First published: Thu Aug 09 2012(Updated: )
It was reported [1],[2]that the AgentX subagent of net-snmp could be stalled when a manager sent a multi-object request with a different number subids. This could lead to a denial of service. This has been corrected upstream in version 5.4.4 [3]; only earlier versiona are affected. This means that Fedora and Red Hat Enterprise Linux 6 are not affected, however Red Hat Enterprise Linux 5 does ship a vulnerable version (5.3.x). [1] <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388</a> [2] <a href="http://seclists.org/oss-sec/2014/q1/513">http://seclists.org/oss-sec/2014/q1/513</a> [3] <a href="http://sourceforge.net/p/net-snmp/patches/1113/">http://sourceforge.net/p/net-snmp/patches/1113/</a> Statement: This issue did not affect the version of the net-snmp packages as shipped with Red Hat Enterprise Linux 6.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/net-snmp | <5.4.4 | 5.4.4 |
| debian/net-snmp | 5.9+dfsg-4+deb11u1 5.9.3+dfsg-2 5.9.4+dfsg-1.1 | |
| CentOS Net-SNMP Agent Libraries | <=5.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://sources.debian.net/src/net-snmp/5.7.2~dfsg-8.1/agent/mibgroup/agentx/protocol.c#L1774
- https://bugzilla.redhat.com/show_bug.cgi?id=1074631#c3
- http://bugs.debian.org/742150
- https://security-tracker.debian.org/tracker/CVE-2014-2310
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684388
- http://seclists.org/oss-sec/2014/q1/513
- http://seclists.org/oss-sec/2014/q1/527
- http://secunia.com/advisories/57870
- http://sourceforge.net/p/net-snmp/code/ci/eb816330a1887798d844d2fd5dc6482002123cbd/
- http://sourceforge.net/p/net-snmp/patches/1113/
- http://ubuntu.com/usn/usn-2166-1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1074631#c3
- https://bugzilla.redhat.com/show_bug.cgi?id=1074631
Frequently Asked Questions
What is the severity of CVE-2014-2310?
CVE-2014-2310 is classified as a denial of service vulnerability.
How do I fix CVE-2014-2310?
To fix CVE-2014-2310, upgrade net-snmp to version 5.4.4 or later for Red Hat systems or to versions 5.9+dfsg-4+deb11u1, 5.9.3+dfsg-2, or 5.9.4+dfsg-1.1 for Debian systems.
Which versions of net-snmp are affected by CVE-2014-2310?
Versions of net-snmp earlier than 5.4.4 are affected by CVE-2014-2310.
What types of systems are vulnerable to CVE-2014-2310?
CVE-2014-2310 affects systems running earlier versions of net-snmp on both Red Hat and Debian distributions.
Is there a known exploit for CVE-2014-2310?
Yes, CVE-2014-2310 can be exploited to create a denial of service condition by sending malformed multi-object requests.
- agent/type
- agent/first-publish-date
- collector/debian-bugs
- source/Debian
- alias/CVE-2014-2310
- agent/severity
- agent/weakness
- agent/author
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/security-tracker-debian
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- package-manager/debian
- vendor/net-snmp
- canonical/centos net-snmp agent libraries
- version/centos net-snmp agent libraries/5.4