The security team at The OpenNMS Group has partnered with MITRE to become a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA). Through the CVE program, MITRE ensures that application vulnerabilities are uniquely identified and accurately reported. As a numbering authority, The OpenNMS Group security team will assign numbers to vulnerabilities and exposures identified within our [...]
Since last time, we worked on documentation (database reports, external auth, the glossary, GraphML, Helm flows, installation, logging, performance data, OIA, poller threads, provisioning, SCV, and the SnmpCollector), CI/CD for Horizon and Horizon Stream, Lombok, Kafka alarm sync, `stress-metrics`, inventory management in Stream, SNMP OPAQUE types, GRPC, Docker multi-arch support, Topology, Flow Elasticsearch support, Stream persistence, bridge topology, PostgreSQL credential encryption, time-series metric deduplication, Keycloak login, requisition metadata editing, ALEC web UI and training API, heatmaps.
OpenNMS and the Spring Core Remote Code Execution Vulnerability (SpringShell) CVE-2022-22965
A serious remote code execution (RCE) vulnerability exists in some versions of the Spring Framework, which is used by OpenNMS Meridian and Horizon. OpenNMS Meridian and Horizon are not known to be vulnerable because the published exploit for this RCE requires: All Attributes Required for [...]
OpenNMS Security Issue Requires Immediate Upgrade
The OpenNMS Group recently learned about and fixed a security vulnerability that allowed local and remote code execution as an authenticated user via a custom, targeted JEXL expression. Thank you to Artem Smotrakov for notifying us of this issue. CVE-2021-3396 applies to the following:
Meridian-2016.1.0 - Meridian-2016.1.24
Meridian-2017.1.0 - Meridian-2017.1.26
[...]
We recently learned about a security issue with OpenNMS. Please refer to CVE-2021-3396 for more information. To protect everyone using OpenNMS from an exploitation of this vulnerability, the CVE will not provide full details of the vulnerability until Tuesday, February 16, 2021. This should provide time to upgrade your system before full public disclosure. This issue [...]
From fringe to mainstream, and other thoughts on 20 years of OpenNMS, with Tarus Balog (COO) and David Hustace (CEO) of The OpenNMS Group.