SNMP4J-Agent 3.8.0 has been released 2024-04-22T22:00:00Z with many fixes and one important security fix for inner ManagedObject VACM OID exclusion for GETNEXT/GETBULK operations. SET operations are not affected.
Dependencies
- SNMP4J 3.8.1
- Java 9
CHANGES (since 3.6.8)
- SECURITY: VACM access rights limiting access within multi-OID ManagedObjects like DefaultMOTable did not work
properly for GETNEXT and GETBULK requests, because accessible objects could have been ignored if non-accessible
objects needed to be skipped by the NEXT operation before reaching the accessible object. If an accessible object
was found first on a sub-request, non-included or excluded objects of an effective VACM view could have been disclosed
if the view excludes access to certain objects within the scope of a ManagedObject, i.e., DefaultMOTable,
StaticMOGroup, and MOSubtreeProxy.
This has been fixed by adding the ManagedObject.find(MOQuery query, Function<OID, Boolean> filter) and
ManagedObject.next(SR request, Function<OID, Boolean> filter) methods which filter out any OIDs that are not included
in the VACM view.
The CommandProcessor uses both methods as part of GETNEXT/GETBULK processing instead of calling ManagedObject.find
(which is still called indirectly) and ManagedObject.next(SR request), which is not used anymore (now deprecated).
- Fixed: Option CommandProcessor.setLockNonNextRequestsSortedByVbOid flag to enable reordering of locking SNMP sub-requests based on their OID did not work correctly if the same OID was given more than once within the same PDU.
- Fixed: Implemented snmpUnknownContexts.0 Counter and corresponding checks in CommandProcessor.isContextNotSupported().
- Improved: Info logging in NotificationOriginatorImpl.notify when INFORM response has not been received.
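
The SECURITY entry above describes moving the VACM view check into the NEXT operation itself. The following is an added illustration of that idea, not SNMP4J-Agent code: a simplified model of one multi-OID managed object, where the class name, the `inView` check, the OIDs (placeholder enterprise number 99999) and the cell values are all constructed for the example.

```java
import java.util.*;
import java.util.function.Function;

// Simplified model, not SNMP4J-Agent code: one multi-OID managed object
// whose cells are kept in lexicographic OID order.
public class FilteredNextDemo {
    static final Comparator<int[]> BY_OID = Arrays::compare;
    static final TreeMap<int[], String> CELLS = new TreeMap<>(BY_OID);

    static int[] oid(String dotted) {
        return Arrays.stream(dotted.split("\\.")).mapToInt(Integer::parseInt).toArray();
    }

    // Constructed VACM view: everything is included except column 2 of the table.
    static final int[] EXCLUDED = oid("1.3.6.1.4.1.99999.1.1.2");

    static boolean inView(int[] o) {
        int n = EXCLUDED.length;
        return !(o.length >= n && Arrays.equals(o, 0, n, EXCLUDED, 0, n));
    }

    // Unfiltered successor: the next cell after 'lower', in the view or not.
    static int[] next(int[] lower) {
        return CELLS.higherKey(lower);
    }

    // Filter-aware successor: keeps walking inside the object until the
    // filter accepts an OID, so excluded cells are skipped, never returned.
    static int[] next(int[] lower, Function<int[], Boolean> filter) {
        for (int[] k = CELLS.higherKey(lower); k != null; k = CELLS.higherKey(k)) {
            if (filter.apply(k)) return k;
        }
        return null; // nothing accessible is left in this object
    }

    public static void main(String[] args) {
        // Constructed sample rows; enterprise number 99999 is a placeholder.
        CELLS.put(oid("1.3.6.1.4.1.99999.1.1.1.1"), "name");
        CELLS.put(oid("1.3.6.1.4.1.99999.1.1.2.1"), "community-secret");
        CELLS.put(oid("1.3.6.1.4.1.99999.1.1.3.1"), "status");

        int[] start = oid("1.3.6.1.4.1.99999.1.1.1.1");
        int[] plain = next(start);
        int[] filtered = next(start, FilteredNextDemo::inView);
        System.out.println("unfiltered: " + Arrays.toString(plain) + " inView=" + inView(plain));
        System.out.println("filtered:   " + Arrays.toString(filtered) + " inView=" + inView(filtered));
    }
}
```

In this model the unfiltered successor hands the caller an excluded cell, which it must then either return or discard along with the rest of the object; the filter-aware variant returns the accessible cell in column 3 directly.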
[2024-04-11] v3.7.2 (Requires SNMP4J v3.8.0 or later)
- Added: Added MOPersistentProvider.close() method.
[2024-04-05] v3.7.1 (Requires SNMP4J v3.8.0 or later)
- Fixed: Regression in 3.7.0 CommandProcessor.GetHandler NullPointerException on GET requests with noSuchObject exceptions.
- Fixed: OID returned in RESPONSE PDU for a GET request was wrong if such an instance does not exist or such an object does not exist (noSuchInstance and noSuchObject exception). According to RFC 3416 §4.2.1, the returned OID must be the OID of the corresponding variable binding from the request. Instead, the OID of the scalar managing the accessed OID region was returned.
[2024-04-02] v3.7.0 (Requires SNMP4J v3.8.0 or later)
- Fixed: SnmpNotificationMIB.passesFilter(OID notificationID, VariableBinding[] vbs, List<DefaultMOMutableRow2PC> profiles) did return false (i.e., “do not send notification”) when no matching filter was found for a matching profile. According to RFC 3413 §6 this behaviour is wrong and the notification should be sent instead.
- Fixed: Deadlock in DefaultMOServer.lock(..) if timeoutMillis is set to 0.
- Fixed: Race condition in NotificationOriginatorImpl.notify(..) if notificationEventID is being modified by another thread before notifications are actually sent out.
- Fixed: nlmLogTable: NotificationLogMib.NlmConfigGlobalEntryLimit.commit() tried to update limits using a profileName that is not available to this object. This update is now executed by NlmConfigLogEntryRow.commit(..).
- Fixed: VacmMIB.VacmContextTableModel.tailIterator() did not return objects in correct order for all cases because it used the wrong comparator for its binarySearch operation.
- Fixed: snmpTargetAddrTMask did not validate length of mask to match length of the corresponding snmpTargetAddrTAddress.
- Fixed: MOPropertyInput threw NullPointerException on loading DefaultMOTable data from a config properties file when table data was defined for a supported context.
- Fixed: Implemented snmpUnknownContexts.0 Counter and corresponding checks in CommandProcessor.isContextNotSupported().
- Changed: Snmp4JLogMib’s textual convention LogLevel now allows setting notSpecified(0) too.
- Improved: MOMutableColumn.validate now takes a 3rd parameter to be able to identify the cell instance to be validated, which is sometimes necessary to verify a value against other values in a MIB.
- Improved: Multi-threading support by copying notificationID before processing notifications.
- Improved: NotificationOriginator uses common sysUpTime by default for the same notification sent to different targets.
- Improved: coldStart notification is sent asynchronously.
- Improved: Logging if a VB OID of a notification payload is not granted access and therefore notification is not sent.
- Improved: Unlock of ManagedObjects now uses notifyAll() instead of notify() to avoid temporary deadlocks across 3 or more ManagedObjects and SET requests.
- Improved: GET, GETNEXT, and GETBULK requests can now be included in a lock strategy for locking too. GET requests and SET requests are first locked (if necessary by lock strategy) and then processed if all locks have been acquired. For GETNEXT and GETBULK, locks are acquired by sub-request step-by-step. The search operation for NEXT-type requests can require several locks per sub-request. Locking all managed objects before processing the requests would not be efficient for these request types.
- Improved: LookupListener.useCompleted(SubRequest) is now called too for GET, GETNEXT, and GETBULK requests.
- Improved: Even if exceptions are thrown while ManagedObjects are locked by request processing, these ManagedObjects are properly unlocked when the request is finished.
- Added: Support for “configurable-only” SerializableManagedObjects. By setting setVolatile(true) and setConfigurable(false), the behaviour of versions before 3.7.0 can be restored. If setConfigurable(true) (default) and isVolatile(true), objects can be configured using MOInput (for example from a properties file) but not persistently saved or restored. Although DefaultMOTable and MOScalar objects are configurable by default, MOScalar is not configurable if its value has the syntax Counter32, Counter64, or TimeTicks.
- Added: Option CommandProcessor.setLockNonNextRequestsSortedByVbOid flag to enable/disable reordering of locking SNMP sub-requests based on their OID to implement a hierarchy-based deadlock prevention for processing SET and GET requests. This reordering is disabled by default. If enabled, the sub-requests of SET and GET requests will be locked in the lexicographic order of the VB OIDs. This eliminates any likelihood of deadlocks caused by intersecting PDU requests (at least with the default LockStrategy that locks for SET requests only).
- Added: Option DefaultMOServer.setDeadlockPreventionEnabled (disabled by default) to enable super-thread based deadlock prevention. Enabling this option reduces overall performance if deadlocks are prevented by OID hierarchy based lock access (see SnmpRequest.USE_VBS_REORDERING_ON_SET_TO_PREVENT_DEADLOCKS for SNMP requests) anyway.
- Added: Unit tests for SNMP4J’s TableUtils with sparse table with null columns and fewer rows than columns and single max columns and repetitions per PDU.
- Added: AgentConfigManager.getCommandProcessor()
- Added: VACM.hasContext(OctetString contextName) with default implementation which returns true (which provides full backward compatibility).
- Added: MOServer.unlockNow(..) which unlocks a ManagedObject for a specified owner regardless of any recursive locks.
- Added: MOServer.waitForUnlockedState(long timeoutMillis) and AgentConfigManager.waitUntilPendingModificationsDone() to support a clean shutdown of an SNMP agent by waiting for write access operations to complete on managed objects before saving agent state to persistent storage.