Hi,

In the last days many questions reached me about false positives reported by the 
OWASP Dependency Check about SNMP4J libraries. The reports read as follows:

The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does 
not remove the varBind variable in a netsnmp_variable_list item when parsing of 
the SNMP PDU fails, which allows remote attackers to cause a denial of service 
(crash) and possibly execute arbitrary code via a crafted packet.
CVSS:   7.5
URL:    CVE-2015-5621
CWE:    CWE-19 Data Handling

Those reports are FALSE positives and are completely unfounded!
A bug report for the OWASP Dependency Check tool has been created regarding 
this issue.

See also my statement in the SNMP4J FAQ at:
https://oosnmp.net/confluence/pages/viewpage.action?pageId=29720580 

Best regards,
Frank Fock


_______________________________________________
SNMP4J mailing list
SNMP4J@agentpp.org
https://oosnmp.net/mailman/listinfo/snmp4j
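For readers who hit the same report in their own builds: the finding above pairs a Java library (SNMP4J) with a CVE filed against the C library net-snmp (snmp_api.c), code that SNMP4J does not contain. Until the tool-side bug report is resolved, the practical fix is a Dependency-Check suppression file that is scoped as narrowly as possible. The following suppression is an added example and is not part of Frank Fock's message or of the SNMP4J project; the Maven coordinates org.snmp4j:snmp4j and the file name are assumptions and should be matched against what the scanner actually reports.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: added example, not from the original post.
     Suppresses one specific CVE for one specific artifact, nothing more. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      False positive: CVE-2015-5621 describes snmp_pdu_parse() in snmp_api.c of
      net-snmp (C). SNMP4J is an independent Java implementation and does not
      contain that code. Scoped to the SNMP4J artifact and to this single CVE so
      that genuine findings against other dependencies stay visible.
    ]]></notes>
    <!-- Maven coordinates org.snmp4j:snmp4j are an assumption; use the package
         URL shown in the scanner's own report. -->
    <packageUrl regex="true">^pkg:maven/org\.snmp4j/snmp4j@.*$</packageUrl>
    <cve>CVE-2015-5621</cve>
  </suppress>
</suppressions>
```

Pass the file to the CLI with `--suppression dependency-check-suppressions.xml` (or `<suppressionFiles>` in the Maven plugin configuration). Two caveats: do not suppress by artifact alone, because that would also hide any real advisory published for SNMP4J later; and if the report shows that the scanner has identified the artifact as the net-snmp CPE, suppressing that CPE identification (a `<cpe>` element in place of `<cve>`) is the more durable fix, since every other net-snmp CVE would otherwise be attributed to SNMP4J as well.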
