SNMP4J-Agent Releases 3.6.5 and 2.7.8

SNMP4J-Agent versions 3.6.5 and 2.7.8 were released on 2022-11-10T23:00:00Z to fix a security (DoS) issue that is remotely exploitable by using very large max-repetition values in GETBULK requests. Because the maximum message length was not limited for outbound messages while a GETBULK request was being executed, high CPU load followed by an OutOfMemory exception could occur.

CHANGES

  • SECURITY [AS-38]: Command processing of GETBULK PDUs with large max-repetition values could lead to DoS/OutOfMemory when used in conjunction with a SNMP4J-AgentX master agent.
    Repetition sub-requests are now limited to the theoretical maximum number of variable bindings that fit into the maximum-sized response PDU, according to the maximum outbound message size, which is 65535 for all TransportMappings defined in SNMP4J.
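
The kind of bound described in the change above, sketched as an added example that is not SNMP4J-Agent source code. The class and method names, the 7-byte minimum variable binding size and the 64-byte header allowance are assumptions made for illustration; only the 65535 limit comes from the release note.

```java
// Added illustration, not SNMP4J-Agent source. All names here are hypothetical.
public final class GetBulkRepetitionLimit {

    // Maximum outbound message size given in the release note.
    static final int MAX_OUTBOUND_MESSAGE_SIZE = 65535;

    // Assumption: smallest BER-encoded variable binding is 7 bytes:
    // SEQUENCE header (2) + OID header (2) + 1 OID content byte
    // + a value with empty content such as NULL or endOfMibView (2).
    static final int MIN_VARBIND_SIZE = 7;

    // Assumption: bytes reserved for message and PDU headers (constructed value).
    static final int HEADER_OVERHEAD = 64;

    // Upper bound on variable bindings that can fit into one response.
    static int maxVariableBindings(int maxMessageSize) {
        return Math.max(0, maxMessageSize - HEADER_OVERHEAD) / MIN_VARBIND_SIZE;
    }

    // Clamp max-repetitions so that non-repeaters plus all repetitions of the
    // repeating bindings stay within the response bound.
    static int effectiveRepetitions(int nonRepeaters, int maxRepetitions,
                                    int requestVarBinds, int maxMessageSize) {
        int n = Math.min(Math.max(nonRepeaters, 0), requestVarBinds);
        int repeaters = requestVarBinds - n;
        if (repeaters == 0 || maxRepetitions <= 0) {
            return 0;
        }
        int budget = maxVariableBindings(maxMessageSize) - n;
        if (budget <= 0) {
            return 0;
        }
        return Math.min(maxRepetitions, budget / repeaters);
    }

    public static void main(String[] args) {
        // Constructed requests: {non-repeaters, max-repetitions, varbind count}.
        int[][] requests = {
            {0, 20, 1},                 // ordinary table walk
            {0, Integer.MAX_VALUE, 1},  // very large value (constructed)
            {2, Integer.MAX_VALUE, 12}, // very large value with 10 repeaters
        };
        for (int[] r : requests) {
            int eff = effectiveRepetitions(r[0], r[1], r[2], MAX_OUTBOUND_MESSAGE_SIZE);
            System.out.printf("non-repeaters=%d max-repetitions=%d varbinds=%d -> %d%n",
                    r[0], r[1], r[2], eff);
        }
    }
}
```

Because the clamp depends only on the message size limit and the request shape, the work done per GETBULK is bounded before any sub-request is issued, regardless of the max-repetitions value a client sends.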