OpenNMS Security Issue Requires Immediate Upgrade

The OpenNMS Group recently learned about and fixed a security vulnerability that allowed local and remote code execution as an authenticated user by supplying a custom, targeted JEXL expression.

Thank you to Artem Smotrakov for notifying us of this issue.

CVE-2021-3396 applies to the following:

  • Meridian-2016.1.0 - Meridian-2016.1.24
  • Meridian-2017.1.0 - Meridian-2017.1.26
  • Meridian-2018.1.0 - Meridian-2018.1.24
  • Meridian-2019.1.0 - Meridian-2019.1.15
  • Meridian-2020.1.0 - Meridian-2020.1.4
  • Horizon 16.0.0 - Horizon 27.0.3
  • Newts: all versions < 1.5.3

OpenNMS Meridian and Horizon users should review the CVE and upgrade to the latest OpenNMS version as soon as possible. Anyone using Meridian 2018, 2019, or 2020 should upgrade to the latest point release for their version. If you are using an earlier Meridian version, you should upgrade to the latest Meridian 2018, 2019, or 2020 release.

Impact
CVSS Score: 8.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:O/RC:C)

  • Code Execution
  • Information Disclosure

Affected components
This security vulnerability can affect the following components:

  • OpenNMS Measurements API (ReST queries and filters)
  • OpenNMS Provisiond (IP address matching)
  • OpenNMS JMX monitor
  • OpenNMS thresholding
  • opennms:stress-events Karaf command (events:stress on older releases)
  • OpenNMS database reports sub-report rendering
  • OpenNMS storage strategies: JEXL index and object name
  • Newts web API
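The components above all evaluate JEXL expressions that a user can influence. The following added example (not OpenNMS or Newts code, and not the project's actual fix) shows the general hardening for that situation with Apache Commons JEXL 3.2: a block-by-default JexlSandbox lets a filter expression still do arithmetic on its variables while refusing method calls on the objects behind them. The variable names and values are constructed; JEXL 3.3 and later add default permissions on top of this, so the unsandboxed engine's output may differ there.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class JexlSandboxDemo {

    // No sandbox: any public method on any object reachable from the
    // expression can be invoked, which is the exposure this advisory describes.
    static JexlEngine permissiveEngine() {
        return new JexlBuilder().strict(true).silent(false).create();
    }

    // Block-by-default sandbox: no class is allowed unless listed explicitly.
    // Numeric operators are evaluated by JexlArithmetic without introspecting
    // the operand objects, so plain arithmetic keeps working in an empty sandbox.
    static JexlEngine sandboxedEngine() {
        JexlSandbox sandbox = new JexlSandbox(false);
        return new JexlBuilder().sandbox(sandbox).strict(true).silent(false).create();
    }

    static Object evaluate(JexlEngine jexl, String expression, Map<String, Object> vars) {
        return jexl.createExpression(expression).evaluate(new MapContext(vars));
    }

    public static void main(String[] args) {
        // Constructed sample variables, in the style of a counter-based filter.
        Map<String, Object> vars = new HashMap<>();
        vars.put("ifInOctets", 1500.0);
        vars.put("ifOutOctets", 300.0);

        String legitimate = "(ifInOctets + ifOutOctets) * 8 / 300";
        // Steps outside arithmetic by calling a method on a variable's value.
        String methodCall = "ifInOctets.getClass().getName()";

        System.out.println("permissive, legitimate: " + evaluate(permissiveEngine(), legitimate, vars));
        System.out.println("permissive, method call: " + evaluate(permissiveEngine(), methodCall, vars));
        System.out.println("sandboxed, legitimate: " + evaluate(sandboxedEngine(), legitimate, vars));
        try {
            evaluate(sandboxedEngine(), methodCall, vars);
        } catch (JexlException e) {
            // A strict, non-silent engine throws instead of returning null.
            System.out.println("sandboxed, method call: rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Pair the sandbox with strict mode and silent(false) as shown; in lenient or silent mode a blocked call degrades to null and the rejection would go unnoticed in logs.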