Fix for net-snmp vulnerability CVE-2015-5621

tsrini
Posts: 24
Joined: 2018/04/06 13:25:09

Fix for net-snmp vulnerability CVE-2015-5621

Post by tsrini » 2020/03/04 06:49:43

Hi Team,

Is there any fix available in CentOS 7.6 updates (or) in later versions of CentOS for the net-snmp vulnerability CVE-2015-5621?

I have checked all the change logs of the available RPMs from CentOS 7 to 8 but couldn't see any fix related to this vulnerability. I couldn't see anything in the change log on the net-snmp website either.

Thanks,
Srini

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Fix for net-snmp vulnerability CVE-2015-5621

Post by TrevorH » 2020/03/04 07:39:54

https://access.redhat.com/security/cve/CVE-2015-5621

Fixed in net-snmp-5.7.2-20.el7_1.1.x86_64.rpm
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke


Re: Fix for net-snmp vulnerability CVE-2015-5621

Post by tsrini » 2020/03/05 06:52:34

Thanks TrevorH.

Is this fix ported in CentOS's net-snmp package?

We are using CentOS 7.6, which uses net-snmp-5.7.2-37.el7.x86_64, and our internal Security Team reported this version is vulnerable to the CVE.

Is the fix in the Red Hat version net-snmp-5.7.2-20.el7_1.1.x86_64.rpm available in any of the below CentOS packages:

CentOS 7.6 update: net-snmp-5.7.2-38.el7_6.2.x86_64.rpm
CentOS 7.7: net-snmp-5.7.2-43.el7.src.rpm
CentOS 8.0: net-snmp-5.8-7.el8_0.2.src.rpm
CentOS 8.1: net-snmp-5.8-12.el8_1.src.rpm


Re: Fix for net-snmp vulnerability CVE-2015-5621

Post by TrevorH » 2020/03/05 10:32:12

The fix will be in all higher versions than the one it says the fix is in.
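The rule in the reply above ("all higher versions than the one it says the fix is in") can be checked mechanically by comparing the installed package string, as printed by `rpm -q net-snmp`, with the fixed build named in the thread. The following is an added example, not code from the posters or from RPM itself: a simplified reimplementation of RPM's version ordering with hypothetical function names, assuming both strings carry an arch suffix and the same epoch.

```python
import re

# Fixed build named in the thread.
FIXED = "net-snmp-5.7.2-20.el7_1.1.x86_64.rpm"
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified RPM ordering: returns -1, 0 or 1 (no ~ or ^ handling)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x[0].isdigit(), y[0].isdigit()
        if xnum != ynum:
            return 1 if xnum else -1      # numeric segment sorts above alphabetic
        if xnum:
            x, y = int(x), int(y)         # compare numbers as numbers, not text
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(pkg):
    """'net-snmp-5.7.2-37.el7.x86_64' -> ('net-snmp', '5.7.2', '37.el7')."""
    if pkg.endswith(".rpm"):
        pkg = pkg[:-4]
    pkg = pkg.rsplit(".", 1)[0]           # drop the arch (x86_64, src, ...)
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def has_fix(installed, fixed=FIXED):
    """True if 'installed' is the fixed build or a higher one."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError("different packages: %s vs %s" % (n1, n2))
    # Version decides first; release only breaks a version tie.
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0

if __name__ == "__main__":
    # Package strings quoted in the thread, plus one constructed older build.
    for pkg in ("net-snmp-5.7.2-37.el7.x86_64",
                "net-snmp-5.7.2-38.el7_6.2.x86_64.rpm",
                "net-snmp-5.7.2-43.el7.src.rpm",
                "net-snmp-5.8-7.el8_0.2.src.rpm",
                "net-snmp-5.8-12.el8_1.src.rpm",
                "net-snmp-5.7.2-20.el7.x86_64"):   # constructed sample
        print(pkg, "->", "has fix" if has_fix(pkg) else "older than fix")
```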


Re: Fix for net-snmp vulnerability CVE-2015-5621

Post by tsrini » 2020/03/05 10:44:34

Hi TrevorH,

As per our Security Team, the CentOS 7.6 version net-snmp-5.7.2-37.el7.x86_64 (which is even higher than the RHEL fix version net-snmp-5.7.2-20.el7_1.1.x86_64.rpm) is vulnerable.

That's why I am a little confused about the fix version which we need to pick for CentOS.

Regards,
Srini


Re: Fix for net-snmp vulnerability CVE-2015-5621

Post by TrevorH » 2020/03/05 10:48:47

Your security team is probably looking at just the banner reported by snmp which most likely just contains the major version 5.7.2. This is very common with vulnerability scanners and can be ignored.


Re: Fix for net-snmp vulnerability CVE-2015-5621

Post by tsrini » 2020/03/05 10:58:32

OK, got it. Thanks for the clarification :)
