Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-139310

net-snmp-perl only supports MD5 and SHA(1) while it should support what libnetsnmp provides

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-8.10
    • net-snmp
    • None
    • None
    • Moderate
    • rhel-base-utils-core
    • 0
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      A customer is using a 3rd party tool from Centreon written in Perl to query/configure Cisco appliances. The tool relies on net-snmp-perl package for the SNMP functionality.
      It appears that 5.8 net-snmp-perl implementation enforces MD5 or SHA1, because it's using "private" code not relying on the standard libnetsnmp code.

      When customers disable SHA1 because of security concerns on RHEL8, then the net-snmp-perl package becomes unusable.

      It appears that 2 simple backports from 5.9 tree can make this work, I provided a test package and customer confirmed this was sufficient:

      • commit ac06c5844105473e211decdf825af75dc7cd8b7c which was partially backported to our 5.8 code
      • commit 92012951687cb18c8e58fede015e4bc0a9222e73

      Please consider backporting these commits (attached as a patch for convenience), not doing so will be of high concern for RHEL8 customers until EOL of RHEL8 which is 2029.

      What is the impact of this issue to you?

      Customers cannot use Centreon tool (or any of their custom tools written in Perl and using net-snmp-perl internally) after disabling SHA1.

      Please provide the package NVR for which the bug is seen:

      net-snmp-perl-5.8-32.el8_10

      How reproducible is this bug?

      Always

      Steps to reproduce

      1. Install packages 
        # yum -y install net-snmp net-snmp-perl
      2. Create v3 user 
        # net-snmp-create-v3-user -A redhat123 -a SHA-512 -x AES myrwuser
# systemctl restart snmpd
      3. Verify it works 
        # snmpwalk -v3 -l authNoPriv -A redhat123 -a SHA-512 -x AES -X redhat123 -u myrwuser localhost | head
SNMPv2-MIB::sysDescr.0 = STRING: Linux vm-netsnmpperl8 4.18.0-553.89.1.el8_10.x86_64 #1 SMP Sat Nov 29 00:49:18 EST 2025 x86_64
[...]
      4. Query the same with net-snmp-perl (script attached for convenience) 
        # ./test.pl

      Expected results (with the patch)

      # ./test.pl 
sysDescr 0 Linux vm-netsnmpperl8 4.18.0-553.89.1.el8_10.x86_64 #1 SMP Sat Nov 29 00:49:18 EST 2025 x86_64 OCTETSTR
sysObjectID 0 .1.3.6.1.4.1.8072.3.2.10 OBJECTID
sysUpTimeInstance  340 TICKS
sysContact 0 Root <root@localhost> (configure /etc/snmp/snmp.local.conf) OCTETSTR
[...]

      Actual results (without the patch)

      # ./test.pl 
error:snmp_new_v3_session:Unsupported authentication protocol(SHA512)
unable to create session at /usr/lib64/perl5/vendor_perl/SNMP.pm line 619.
Error creating session

        1. rhcase04340580.patch
          5 kB
          Renaud Métrich
        2. test.pl
          0.5 kB
          Renaud Métrich

              jridky Josef Řídký
              rhn-support-rmetrich Renaud Métrich
              Josef Řídký Josef Řídký
              Jakub Haruda Jakub Haruda
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: