SNMP4J-AgentX versions 3.6.0 and 2.7.3 were released on 2022-11-10T23:00:00Z to fix a security issue where an authenticated user (if all users need to authenticate) could send a GETBULK request with a high max-repetitions value and cause the AgentX master agent to run out of memory.
Dependencies SNMP4J-AgentX 3.6.0
- SNMP4J-Agent-DB 3.6.3
- SNMP4J-Agent 3.6.5
- SNMP4J 3.7.4
- Java 9
Dependencies SNMP4J-AgentX 2.7.3
- SNMP4J-Agent 2.7.8
- SNMP4J 2.8.15
- Java 8
Release Notes SNMP4J-AgentX 3.6.0
- SECURITY [AS-38]: Command processing of GETBULK PDUs with large max-repetition values could lead to DoS/OutOfMemory in AgentXMasterAgent. Now repetition sub-requests are limited to the maximum theoretically possible number of variable bindings fitting into the maximum-sized response PDU, according to the maximum outbound message size.
- Updated: Dependencies to SNMP4J-Agent 3.6.5, SNMP4J-Agent-DB 3.6.3, and SNMP4J v3.7.4.
- Improved: Event objects that are serializable now have serializable members if those are non-optional.
Release Notes SNMP4J-AgentX 2.7.3
- SECURITY [AS-38]: Command processing of GETBULK PDUs with large max-repetition values could lead to DoS/OutOfMemory in AgentXMasterAgent. Now repetition sub-requests are limited to the maximum theoretically possible number of variable bindings fitting into the maximum-sized response PDU, according to the maximum outbound message size.
- Updated: Dependencies to SNMP4J-Agent 2.7.8 and SNMP4J v2.8.15. JUnit 4.13.1.
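
The limit described in the AS-38 entries of both release notes, sketched as an added example; this is not SNMP4J-AgentX code. The class and method names, the 7-byte minimum varbind size and the 65535-byte message size are assumptions of this example, and N, M and R follow the GETBULK definitions in RFC 3416.

```java
public final class GetBulkClamp {
    // Assumption of this example: the smallest BER-encoded varbind is 7 bytes:
    // SEQUENCE header (2) + OID "0.0" (3) + an empty value such as NULL (2).
    static final int MIN_VARBIND_BYTES = 7;

    /** Upper bound on varbinds in one response; message headers are ignored. */
    static int maxVarBinds(int maxOutboundMsgSize) {
        return Math.max(maxOutboundMsgSize, 0) / MIN_VARBIND_BYTES;
    }

    /** max-repetitions value worth processing for one GETBULK request. */
    static int effectiveRepetitions(int requestVarBinds, int nonRepeaters,
                                    int maxRepetitions, int maxOutboundMsgSize) {
        int total = Math.max(requestVarBinds, 0);
        int n = Math.min(Math.max(nonRepeaters, 0), total); // RFC 3416: N
        int r = total - n;                                   // RFC 3416: R
        int m = Math.max(maxRepetitions, 0);                 // RFC 3416: M
        if (r == 0 || m == 0) {
            return 0;                                        // nothing repeats
        }
        long budget = (long) maxVarBinds(maxOutboundMsgSize) - n;
        if (budget <= 0) {
            return 0;                                        // non-repeaters fill the PDU
        }
        long rows = (budget + r - 1) / r;                    // round up: last row may be partial
        return (int) Math.min(m, rows);
    }

    public static void main(String[] args) {
        // Constructed request: 2 repeating varbinds, max-repetitions at the Integer32 maximum.
        int vbs = 2, nonRepeaters = 0, maxRep = Integer.MAX_VALUE, maxMsg = 65535;
        int clamped = effectiveRepetitions(vbs, nonRepeaters, maxRep, maxMsg);
        System.out.println("sub-requests as requested: " + (long) maxRep * vbs);
        System.out.println("sub-requests after clamp:  " + (long) clamped * vbs);
    }
}
```

Because the bound depends only on the outbound message size and the request shape, it can be applied before any sub-request objects are allocated.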