Red Hat Bugzilla – Bug 1072778
CVE-2014-2285 net-snmp: snmptrapd crash when using a trap with empty community string
Last modified: 2015-07-31 08:15:19 EDT
A remote denial-of-service flaw was found in the way snmptrapd handled trap requests with an empty community string when the perl handler was enabled. A remote attacker could use this flaw to cause snmp to crash.
More details about the flaw are available at:
Proposed upstream patch:
This issue has been assigned CVE-2014-2285 via:
This issue was caused by a bug in perl in the way newSVpv() handled NULL as its first argument. The perl version shipped in Red Hat Enterprise Linux 5 crashes when newSVpv() is called with a NULL argument. The perl version shipped in Red Hat Enterprise Linux 6 handles NULL values gracefully, and hence net-snmp packages in Red Hat Enterprise Linux 6 are not affected by this problem.
References related to the perl bug and its fix:
This issue did not affect the versions of net-snmp as shipped with Red Hat Enterprise Linux 6.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2014:0322 https://rhn.redhat.com/errata/RHSA-2014-0322.html
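
A detection-side check for the condition described in this bug, added here as an example (not code from net-snmp, Red Hat, or the upstream patch): it reads the BER header of an SNMPv1/v2c datagram and reports whether the community string is empty. The function names and the sample datagrams are constructed for illustration; the samples carry only the message header and an empty placeholder PDU.

```python
# Added example: flag SNMPv1/v2c datagrams whose community string is empty.
# Sample datagrams are constructed (header plus an empty placeholder PDU).
SAMPLE_NORMAL = bytes.fromhex("300d" "020101" "04067075626c6963" "a700")
SAMPLE_EMPTY = bytes.fromhex("3007" "020101" "0400" "a700")


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of datagram")
    return tag, pos, pos + length


def community_of(datagram):
    """Return the community string bytes of an SNMPv1/v2c message."""
    tag, start, end = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    body = datagram[start:end]
    tag, vs, ve = _read_tlv(body, 0)
    if tag != 0x02 or ve == vs:
        raise ValueError("missing version INTEGER")
    if int.from_bytes(body[vs:ve], "big") not in (0, 1):  # 0 = v1, 1 = v2c
        raise ValueError("not a community-based SNMP version")
    tag, cs, ce = _read_tlv(body, ve)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    return body[cs:ce]


def has_empty_community(datagram):
    """True when the message carries a zero-length community string."""
    return len(community_of(datagram)) == 0
```

Malformed or truncated datagrams raise ValueError, so a caller can count them separately from well-formed messages with an empty community.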