Security Bulletin: A vulnerability in net-snmp affects IBM Security Network Protection (CVE-2015-5621)

Summary

The net-snmp packages provide various libraries and tools for the Simple Network Management Protocol (SNMP).One security vulnerability has been discovered in net-snmp used with IBM Security Network Protection.

Vulnerability Details

CVEID: CVE-2015-5621**
DESCRIPTION:** Net-SNMP is vulnerable to a denial of service, caused by incompletely parsed varBind variables being left in the list of variables by the snmp_pdu_parse() function. A remote attacker could exploit this vulnerability to cause the application to crash or possibly execute arbitrary code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105232 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security Network Protection 5.2
IBM Security Network Protection 5.3

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Protection | Firmware version 5.2| Download 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0012 from IBM Fix Central and upload and install via the Fix Packs page of the Local Management Interface.
IBM Security Network Protection| Firmware version 5.3| Install Firmware 5.3.1.5 from the Available Updates page of the Local Management Interface, or by performing a One Time Scheduled Installation from SiteProtector.

Workarounds and Mitigations

None