OpenNMS On the Horizon – CVE-2021-3396 JEXL Vulnerability, Nephron, Flows, Config API, JDK11, Docs, CDP/LLDP Search, QoS/ToS in Helm, BMP

In the last week we disclosed a JEXL vulnerability, did more bug fixing, updated Nephron and flow handling, worked on a new configuration API, did more JDK 11 updates, more documentation fixups, CDP/LLDP searching, QoS/ToS improvements, OpenBMP migration, and more.

Github Project Updates

Internals, APIs, and Documentation

• Newts got a new release with some small changes to JEXL expression handling.
• Jane did some more fixes to Vacuumd.
• Chandra backported his SNMPv3 encryption feature to foundation-2020.
• Stefan made some fixes in Nephron's tests.
• Patrick continued his work on a more modern API for configuration handling.
• Jesse did more work on getting OpenNMS building under JDK 11, including working on migrating our old Mina code to Netty.
• Bonnie did some more work on documentation updates for the Antora transition.
• Chandra continued his work on migrating our OpenBMP integration to an in-core feature.
• Christian made some test improvements for daemon reloading.

Web, ReST, UI, and Helm

• I added support for viewing currently running services in the /info ReST API, as well as displaying them in the web UI sysconfig page.
• I fixed a bug editing existing scheduled reports where the timezone could revert back to the default (browser) zone.
• Stefan did more work on QoS/ToS support in Helm.
• Christian added support for searching nodes by CDP/LLDP info.

Contributors

Thanks to the following contributors for committing changes since last OOH:

• Benjamin Reed
• Bonnie Robinson
• Chandra Gorantla
• Christian Pape
• Dustin Frisch
• Jane Hou
• Jesse White
• Matthew Brooks
• Patrick Schweizer
• Ronny Trommer
• Stefan Wachter

CVE-2021-3396: JEXL Security Vulnerability

A potential local and remote code execution vulnerability has been discovered in OpenNMS and Newts relating to JEXL expression handling in a number of subsystems.

If you have not already upgraded to the latest Horizon or Meridian 2018/2019/2020 release, we recommend doing so immediately.

The following subsystems are affected:

• OpenNMS Measurements API (ReST Queries and Filters)
• OpenNMS Provisiond (IP address matching)
• OpenNMS JMX Monitor
• OpenNMS Thresholding
• opennms:stress-events Karaf command (events:stress on older releases)
• OpenNMS Database Reports sub-report rendering
• OpenNMS Storage strategies: JEXL Index and Object Name
• Newts web API

The full disclosure is available on our website and has been submitted to the Mitre CVE database at CVE-2021-3396 and should be updating soon. Thanks go to Artem Smotrakov for tipping us off on this JEXL vulnerability.

Off-Schedule Release: Horizon 27.0.5

A bug was found in metadata handling in Provisiond that was introduced in 27.0.4 which could cause re-scans of existing nodes to fail. It was determined to be high-enough impact that we went ahead and made an off-schedule Horizon release.

27.0.5 contained only the fix for the metadata-handling, and a fix for hostname lookups when in the flow API.

Release Roadmap

March Releases

The next OpenNMS release day is March 2nd, 2021.

Currently we expect a new Horizon release.

Next Horizon: 28 (Q1 2021)

The next major Horizon release will be Horizon 28.
It is currently expected to be released during the March release cycle.

It will primarily contain enhancements to flow processing to handle ToS/QoS (DSCP) aggregation, as well as a refactor of our BGP Monitoring Protocol support to bring it in-core, rather than relying on an external OpenBMP instance.

Next Meridian: 2021 (Q2 2021)

With the recent release of Meridian 2020, plans are still tentative.
However, the current plan is that Meridian 2021 will be based on Horizon 28.

We'll know more once development plans start to firm up.

Disclaimer

Note that this is just based on current plans; dates, features, and releases can change or slip depending on how development goes.

The statements contained herein may contain certain forward-looking statements relating to The OpenNMS Group that are based on the beliefs of the Group’s management as well as assumptions made by and information currently available to the Group’s management. These forward-looking statements are, by their nature, subject to significant risks and uncertainties.

...We apologize for the excessive disclaimers. Those responsible have been sacked.

Mynd you, møøse bites Kan be pretti nasti...

We apologise again for the fault in the disclaimers. Those responsible for sacking the people who have just been sacked have been sacked.

Until Next Time…

If there’s anything you’d like me to talk about in a future OOH, or you just have a comment or criticism you’d like to share, don’t hesitate to say hi.

- Ben

Resolved Issues Since Last OOH

• HELM-264: Selected time range is not considered when determining some variable options
• NMS-12884: Vacuumd throws NullPointer Exception on startup
• NMS-12953: Get dashboards from OpenBMP working
• NMS-13064: Timezone and Grafana Dashboard fields not preserved when editing a scheduled report
• NMS-13098: Fix NPE in Vaccumd
• NMS-13109: Vmware-importer requisition meta-data lost at import
• NMS-13118: unable to add node/interface meta-data through requisition ui
• NMS-13128: Provisioning stopped working after upgrade to 27.0.4