SNMP4J-Agent versions 3.6.5 and 2.7.8 were released on 2022-11-10T23:00:00Z to fix a security (DoS) issue that is remotely exploitable through very large max-repetition values in GETBULK requests. Because the maximum message length was not limited for outbound messages during execution of the GETBULK, an OutOfMemory exception could occur after high CPU load.
- SECURITY [AS-38]: Command processing of GETBULK PDUs with large max-repetition values could lead to DoS/OutOfMemory when used in conjunction with an SNMP4J-AgentX master agent. Repetition sub-requests are now limited to the theoretical maximum number of variable bindings that fit into a maximum-sized response PDU, according to the maximum outbound message size, which is 65535 for all TransportMappings defined in SNMP4J.
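
The limit described above can be sketched as a clamp on max-repetitions before any sub-request is generated. This is an added example, not SNMP4J-Agent code: the class, method and constant names are hypothetical, and the 7-byte minimum size of a BER-encoded variable binding is an assumption used to derive a loose upper bound that ignores message and PDU header overhead.

```java
// Added example, not SNMP4J-Agent code. All names here are hypothetical.
public final class GetBulkClamp {
    // Maximum outbound message size stated in the release note.
    static final int MAX_OUTBOUND_MESSAGE_SIZE = 65535;

    // Assumption: the smallest BER-encoded variable binding takes 7 bytes:
    // SEQUENCE header (2) + OID header (2) + 1-byte OID body + empty value (2).
    static final int MIN_VARBIND_SIZE = 7;

    /** Upper bound on variable bindings that can fit into one message of the given size. */
    static int maxVarBinds(int maxMessageSize) {
        return maxMessageSize / MIN_VARBIND_SIZE;
    }

    /**
     * Number of repetitions to process for a GETBULK request, so that the agent
     * never builds more variable bindings than a maximum-sized response can hold.
     * varBindCount is the number of variable bindings in the request.
     */
    static int effectiveRepetitions(int varBindCount, int nonRepeaters, int maxRepetitions) {
        // Negative non-repeaters count as zero; the value cannot exceed the binding count.
        int nonRep = Math.max(0, Math.min(nonRepeaters, varBindCount));
        int repeaters = varBindCount - nonRep;
        if (repeaters == 0 || maxRepetitions <= 0) {
            return 0; // nothing to repeat
        }
        // Non-repeaters each consume one binding of the response budget.
        int budget = maxVarBinds(MAX_OUTBOUND_MESSAGE_SIZE) - nonRep;
        int limit = Math.max(0, budget / repeaters);
        return Math.min(maxRepetitions, limit);
    }

    public static void main(String[] args) {
        // Constructed requests: {varBindCount, nonRepeaters, maxRepetitions}
        int[][] requests = {
            {1, 0, 10}, {1, 0, Integer.MAX_VALUE}, {20, 2, 1_000_000}, {3, 3, 50_000}
        };
        for (int[] r : requests) {
            System.out.printf("vbs=%d nonRep=%d maxRep=%d -> processed repetitions=%d%n",
                    r[0], r[1], r[2], effectiveRepetitions(r[0], r[1], r[2]));
        }
    }
}
```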