Mercury Interactive Corporation Information for VU#107186

Multiple vulnerabilities in SNMPv1 trap handling

Status

Affected

Vendor Statement

      Of the Mercury Interactive products, both Topaz and SiteScope have the capability to listen to SNMP traps. In both cases this capability is not installed by default. In order to eliminate any vulnerabilities we have taken the necessary steps to verify that our products are immune to the issues mentioned in the advisory.

      The SiteScope product version 7.5 and onwards, uses Cyberons for Java from Netaphor Software Inc., with the latest patches. These libraries are immune to the issues mentioned in the advisory. More information about this can be found at http://www.netaphor.com/Products/CERTAdvisory.html The Topaz product version 4.1 and onwards, uses the SNMP++ libraries by Agent++, at version 3.1.4b or later. These libraries are immune to the issues mentioned in the advisory. More information about this can be found at http://www.agentpp.com/CERT_SNMPv1_Advisory/body_cert_snmpv1_advisory.html.

      Customers using these products, with the capability to listen to SNMP traps, are advised to upgrade to the appropriate version. Mercury Interactive also recommends considering one or more of the following solutions to minimize your network's potential exposure to these vulnerabilities:

      -Ingress filtering

      -Egress filtering

      -Filter SNMP traffic from non-authorized internal hosts

      -Change default community strings

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.