[SNMP4J] False positives reported by "OWASP Dependency check"
Frank Fock
fock at agentpp.com
Thu Apr 26 22:07:22 CEST 2018
Hi,
In the last few days many questions have reached me about false positives reported by the OWASP Dependency check about SNMP4J libraries. The reports read as follows:
The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet.
CVSS: 7.5
URL: CVE-2015-5621
CWE: CWE-19 Data Handling
Those reports are FALSE positives and are completely unfounded!
A bug report for the OWASP Dependency Check tool has been created regarding this issue.
See also my statement in the SNMP4J FAQ at:
https://oosnmp.net/confluence/pages/viewpage.action?pageId=29720580
Best regards,
Frank Fock
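Suppressing this false positive in OWASP Dependency Check, as an added example that is not part of the original post and not a file shipped by the SNMP4J project: a suppression file that stops the tool from reporting CVE-2015-5621 (the CVE quoted above) against the SNMP4J artifact. The Maven coordinates `org.snmp4j:snmp4j` and the suppression-file schema URL are assumptions about the artifact and the tool, not taken from the post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: an OWASP Dependency Check suppression file, passed to the
     tool via its suppression-file option. Assumes the SNMP4J jar is resolved
     as the Maven artifact org.snmp4j:snmp4j (assumption, not from the post). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        SNMP4J is a pure-Java SNMP implementation and contains none of net-snmp's
        C code (snmp_api.c). CVE-2015-5621 concerns net-snmp 5.7.2 and earlier and
        is matched to SNMP4J only by a vendor/product name mix-up in the tool.
        See the SNMP4J FAQ for the maintainer's statement.
        ]]></notes>
        <!-- Scope the suppression to the SNMP4J artifact and this one CVE only,
             so a real net-snmp dependency elsewhere in the build is still flagged. -->
        <packageUrl regex="true">^pkg:maven/org\.snmp4j/snmp4j@.*$</packageUrl>
        <cve>CVE-2015-5621</cve>
    </suppress>
</suppressions>
```

The suppression is deliberately narrow: it names the artifact by package URL and the single CVE rather than suppressing every finding for the net-snmp product, so the tool keeps reporting that CVE if a genuine net-snmp component ever appears in the dependency tree, and the `notes` element records why the finding is considered false so later reviewers can re-check the reasoning.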