Name | CVE-2022-24810 |
Description | net-snmp provides various tools relating to the Simple Network Management Protocol. Prior to version 5.9.2, a user with read-write credentials can use a malformed OID in a SET to the nsVacmAccessTable to cause a NULL pointer dereference. Version 5.9.2 contains a patch. Users should use strong SNMPv3 credentials and avoid sharing the credentials. Those who must use SNMPv1 or SNMPv2c should use a complex community string and enhance the protection by restricting access to a given IP address range. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-3088-1, DSA-5209-1, ELA-668-1 |
Debian Bugs | 1016139 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
net-snmp (PTS) | jessie, jessie (lts) | 5.7.2.1+dfsg-1+deb8u6 | fixed |
stretch (security) | 5.7.3+dfsg-1.7+deb9u3 | vulnerable | |
stretch (lts), stretch | 5.7.3+dfsg-1.7+deb9u5 | fixed | |
buster (security), buster, buster (lts) | 5.7.3+dfsg-5+deb10u4 | fixed | |
bullseye (security), bullseye | 5.9+dfsg-4+deb11u1 | fixed | |
bookworm | 5.9.3+dfsg-2 | fixed | |
sid, trixie | 5.9.4+dfsg-1.1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
net-snmp | source | jessie | 5.7.2.1+dfsg-1+deb8u5 | ELA-668-1 | ||
net-snmp | source | stretch | 5.7.3+dfsg-1.7+deb9u4 | ELA-668-1 | ||
net-snmp | source | buster | 5.7.3+dfsg-5+deb10u3 | DLA-3088-1 | ||
net-snmp | source | bullseye | 5.9+dfsg-4+deb11u1 | DSA-5209-1 | ||
net-snmp | source | (unstable) | 5.9.3+dfsg-1 | 1016139 |
https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3)
https://github.com/net-snmp/net-snmp/commit/67ebb43e9038b2dae6e74ae8838b36fcc10fc937 (v5.9.2.pre1)
https://github.com/net-snmp/net-snmp/commit/9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 (v5.9.2.pre1)