Security update: Mandatory GPG key rotation for Meridian and Horizon

In the wake of the CircleCI breach, we have been reviewing policies and updating keys and tokens used in our automation for anything that could potentially be affected. While we have no evidence of any specific credentials being leaked, we've needed to document procedures for rotating keys anyway, so now was the perfect time to [...]

February 13th, 2023

2022 Cybersecurity Awareness Month

October’s Cybersecurity Awareness Month seems like a great time to discuss the improvements we are making at The OpenNMS Group to improve our security practices. For almost 20 years, OpenNMS staff developers and the open source contributor community have partnered to create robust and secure network monitoring platforms available in community-driven (Horizon) and enterprise-ready (Meridian) distributions. [...]

October 27th, 2022

OpenNMS is now a CNA!

The security team at The OpenNMS Group has partnered with MITRE to become a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA). Through the CVE program, MITRE ensures that application vulnerabilities are uniquely identified and accurately reported. As a numbering authority, The OpenNMS Group security team will assign numbers to vulnerabilities and exposures identified within our [...]

August 30th, 2022

OpenNMS + SpringShell CVE-2022-22965

OpenNMS and the Spring Core Remote Code Execution Vulnerability (SpringShell) CVE-2022-22965: A serious remote code execution (RCE) vulnerability exists in some versions of the Spring Framework, which is used by OpenNMS Meridian and Horizon. OpenNMS Meridian and Horizon are not known to be vulnerable because the published exploit for this RCE requires: All Attributes Required for [...]

April 1st, 2022

The OpenNMS Group Releases OpenNMS Meridian 2022 with Enhanced Network Monitoring and Security Capabilities

Updates to Meridian 2022 underscore OpenNMS’ commitment to security and investment in ongoing penetration testing efforts. RALEIGH, N.C. – March 31, 2022 – The OpenNMS Group, Inc., a subsidiary of NantHealth, Inc. (NASDAQ: NH), today announced the release of OpenNMS Meridian 2022. With this next major release, the fully open source Meridian product, which is the [...]

March 31st, 2022

CVE-2021-3396: Full Security Disclosure

OpenNMS Security Issue Requires Immediate Upgrade: The OpenNMS Group recently learned about and fixed a security vulnerability that allowed local and remote code execution as an authenticated user via a custom, targeted JEXL expression. Thank you to Artem Smotrakov for notifying us of this issue. CVE-2021-3396 applies to the following: Meridian-2016.1.0 - Meridian-2016.1.24; Meridian-2017.1.0 - Meridian-2017.1.26 [...]

February 16th, 2021

CVE-2021-3396: OpenNMS Security Vulnerability (Please Update)

We recently learned about a security issue with OpenNMS. Please refer to CVE-2021-3396 for more information. To protect everyone using OpenNMS from exploitation of this vulnerability, the CVE will not provide full details of the vulnerability until Tuesday, February 16, 2021. This should provide time to upgrade your system before full public disclosure. This issue [...]

February 10th, 2021

Recent Security Fix and Our Security Process

No one wants to have a security vulnerability, particularly with network management software, where the consequences could be serious. Find out how OpenNMS deals with reported security issues when they arise.

May 12th, 2020