OpenNMS and the Spring Core Remote Code Execution Vulnerability (SpringShell) CVE-2022-22965

A serious remote code execution (RCE) vulnerability exists in some versions of the Spring Framework, which is used by OpenNMS Meridian and Horizon. OpenNMS Meridian and Horizon are not known to be vulnerable because the published exploit for this RCE requires:

Attribute required for exploit (all must hold)   OpenNMS Meridian/Horizon               Attribute present?
JDK 9 or higher                                  JDK 11+                                Yes
Apache Tomcat as the Servlet container           Not applicable; OpenNMS uses Jetty     No
Packaged as WAR                                  OpenNMS uses WAR files (unpacked)      Unlikely
spring-webmvc or spring-webflux dependency       OpenNMS uses spring-webmvc             Yes

OpenNMS Meridian and Horizon are not known to be vulnerable because they do not have all of the attributes required for exploitation, as confirmed by the simple test documented here. However, Spring is at the core of OpenNMS, and the affected introspection cache (which backs Spring's request data binding) is at the core of Spring, so it is likely that new attack vectors for this flaw will be found. We are working proactively to update Meridian and Horizon's use of the Spring Framework to reduce risk. We will post updates as they become available.
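The table above is a checklist, and the same checklist can be run against your own installation. The script below is an added example written for this page; it is not OpenNMS's own test and not the test linked from the advisory. It inventories a deployment directory against the four preconditions of the published exploit chain by file name alone: the jar name patterns, the `/opt/opennms` path and the `*.war` check are assumptions for the example, an exploded (unpacked) webapp directory is not counted as a WAR, and nothing here inspects the actual Spring version or attempts exploitation.

```shell
#!/bin/sh
# Added example (not OpenNMS's own test): inventory a Spring deployment against
# the four preconditions of the published CVE-2022-22965 exploit chain.
# Everything is judged from file names only; jar name patterns and directory
# layout are assumptions for this example, and nothing here attempts exploitation.

# Major Java version from the output of `java -version 2>&1`, e.g.
#   openjdk version "11.0.15" 2022-04-19  -> 11
#   java version "1.8.0_312"              -> 8   (pre-9 JDKs report 1.x)
java_major() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# True when at least one regular file under $1 matches the -iname pattern $2.
has_file() {
    find "$1" -type f -iname "$2" 2>/dev/null | grep -q .
}

# Report which preconditions the deployment under $1 meets, given the output of
# `java -version 2>&1` in $2. Prints one key=value line per check plus a verdict;
# returns 0 only when all four exploit preconditions hold, 1 otherwise.
# Note: only packaged *.war archives are counted; an unpacked webapp directory
# (the OpenNMS case, marked "Unlikely" in the table) is reported as war=no.
springshell_preconditions() {
    dir=$1
    major=$(java_major "$2")

    jdk9plus=no; [ "${major:-0}" -ge 9 ] 2>/dev/null && jdk9plus=yes
    tomcat=no;   { has_file "$dir" 'tomcat-*.jar' || has_file "$dir" 'catalina*.jar'; } && tomcat=yes
    jetty=no;    has_file "$dir" 'jetty-*.jar' && jetty=yes
    war=no;      has_file "$dir" '*.war' && war=yes
    webmvc=no;   { has_file "$dir" 'spring-webmvc-*.jar' || has_file "$dir" 'spring-webflux-*.jar'; } && webmvc=yes

    printf 'jdk9plus=%s\ntomcat=%s\njetty=%s\nwar=%s\nwebmvc_or_webflux=%s\n' \
        "$jdk9plus" "$tomcat" "$jetty" "$war" "$webmvc"

    if [ "$jdk9plus$tomcat$war$webmvc" = yesyesyesyes ]; then
        echo 'verdict=all four preconditions present: treat as exposed to the published exploit'
        return 0
    fi
    echo 'verdict=not all preconditions present: published exploit chain does not apply (still patch Spring)'
    return 1
}

# Stand-alone use on a live host (path is an assumption; adjust to your install):
#   springshell_preconditions /opt/opennms "$(java -version 2>&1)"
```

A return code of 1 means only that the published chain needs an ingredient this host lacks; as the advisory says, other vectors against the same Spring flaw may follow, so the verdict is a prioritisation aid, not a reason to skip the Spring update.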

Recommendations

  • Upgrade to Meridian 2022 or Horizon 29, which now run without "root" (administrator) privileges, reducing the impact of a successful RCE attack.
  • Watch the OpenNMS blog and Discourse posts for updates on this issue.
