CVE-2023-40312: Changelog

Multiple reflected XSS vulnerabilities were found in different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms; an attacker can modify these parameters to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization’s private networks and should not be directly accessible from the Internet. OpenNMS thanks Jordi Miralles Comins for reporting this issue.

Horizon 32 features a slew of bug fixes and a number of major improvements, most notably the introduction of JDK17 support, and a major uplift in the Newts backend.

Enhancement

  • Add lldpRemLocalPortNum in LldpLink Table (Issue NMS-7775)

  • dependabot: JasperReports from 6.3.0 to 6.20.0 (Issue NMS-14588)

  • Enhanced Linkd supports Network-Routers Map (Issue NMS-14678)

  • Destination Path Test Button (Issue NMS-14692)

  • Node Properties REST endpoint doesn’t include asset location data (Issue NMS-14785)

  • fix/re-merge additional changes to password validation (Issue NMS-14898)

  • Provide a method to verify topology capability (Issue NMS-14909)

  • Special-case CounterBasedGauge64 in MIB compiler (Issue NMS-15210)

  • Remove contrib from OpenNMS (Issue NMS-15268)

  • Upgrade Groovy to 3.x (Issue NMS-15315)

  • Create an Apache mina-sshd based ssh client service poller. (Issue NMS-15431)

  • Add a method for finding and clearing alarms by TTicketID to OPA’s AlarmDAO (Issue NMS-15439)

  • Upgrade Spring Security (Issue NMS-15506)

  • Doc: PersistRegexSelectorStrategy only works on string attributes (Issue NMS-15595)

  • Enable AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE in shipped opennms.service systemd file (Issue NMS-15596)

  • Remove legacy lsb info from Minion initialization script (Issue NMS-15604)

  • Asynchronous polling engine (Issue NMS-15623)

  • Update documentation (or implementation) for newer Slack API (Issue NMS-15652)

  • Make usage statistics sharing notice dialog non-modal (Issue NMS-15677)

  • Docs: Add info about XSLT to XmlCollector (Issue NMS-15693)

  • Doc: Update DNS provisioning import adapter docs (Issue NMS-15694)

  • KSC report “details” should go directly to the related graph, rather than “all” (Issue NMS-15711)

  • Add more collection for selfmonitor node out of box (Issue NMS-15742)

Task

  • TrivialTimeMonitor & detector (Issue NMS-11063)

  • Rework NMS0123EnIT test (Issue NMS-14743)

  • Multiple CVEs for Axis 1.4 (Issue NMS-15061)

  • Make test for Admin page footer Copyright year (Issue NMS-15220)

  • Fix coverage test containers after we resolve NMS-15401 (Issue NMS-15444)

  • Poll Status History: Enable Poll Status RRD for all services (Issue NMS-15641)

  • Poll Status History: Change documentation to reflect the changes (Issue NMS-15642)

  • Poll Status History: Add RRD graph definitions for all services in a default poller-configuration.xml (Issue NMS-15643)

  • Document async polling settings (Issue NMS-15680)

  • Update docs to capture additional details on BMP config (Issue NMS-15713)

  • Tweak usage statistics sharing notice copy (Issue NMS-15740)

  • Call out usage statistics consent changes in Horizon 32.0.0 release notes (Issue NMS-15796)

Bug

  • Multiple OpenNMS feature stop working when the Events Forwarder cannot push content to Elasticsearch (Issue NMS-13019)

  • rest api wrong LinkdTopologyProvider graphs (Issue NMS-14329)

  • Inconsistent references to JMXCollect/Monitor for “password-clear”/“password_clear” (Issue NMS-14884)

  • Docker images for Horizon 30.0.4 and later no longer have an editor or a modern pager (Issue NMS-14946)

  • CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)

  • Page footer missing from Feather / Vue UIs (Issue NMS-15262)

  • Dead transaction in flow thresholding on sentinel (Issue NMS-15340)

  • Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)

  • Backshift graph’s Data tab shows incorrect / phantom data when using STACK (Issue NMS-15495)

  • Status Overview box calculation included the alarms and outages from nodes outside of the assigned categories (Issue NMS-15526)

  • When upgrading Minion from an older version on RHEL based systems, the service file doesn’t point to the main installation, but rather to /etc/init.d/minion which doesn’t exist (Issue NMS-15600)

  • When upgrading Sentinel from an older version, the service file doesn’t point to the main installation, but rather to /etc/init.d/sentinel which doesn’t exist (Issue NMS-15601)

  • send-events-to-elasticsearch karaf command passes username/password in reverse (Issue NMS-15638)

  • Doc: File name syslog-grok-patterns.txt is wrong (Issue NMS-15684)

  • Stop packaging activemq-web-console.war (Issue NMS-15686)

  • Database deadlock caused by JdbcFilterDao (Issue NMS-15696)

  • Karaf SSH locks up if connections are terminated improperly (Issue NMS-15714)

  • Vue menubar logo link should go to ‘homeUrl’ (Issue NMS-15721)

  • https redirection is partially broken (Issue NMS-15732)

  • Startup taking > 10 minutes on fresh 32.0.0-SNAPSHOT builds (Issue NMS-15751)

  • Docs need updating to include support for Kafka 3 (Issue NMS-15777)

  • Add /usr/lib64/jvm to find-java.sh search paths (Issue NMS-15784)

Research

  • Investigate using trivy to scan containers (Issue NMS-14781)

Story

  • New REST endpoint provides textual description given a top-level usage statistics KPI key name (Issue NMS-15476)

  • Data choices modal dialog removed from first admin user login (Issue NMS-15478)

  • New usage statistics sharing notice dialog (Issue NMS-15479)

  • Usage Statistics Sharing UI (Issue NMS-15481)

  • Data Choices link removed in favor of Usage Statistics Sharing UI (Issue NMS-15482)

  • Data Choices modal dialog removed entirely (Issue NMS-15483)

  • Fresh installs assume usage statistics sharing consent (Issue NMS-15485)

  • Usage statistics sharing UI includes control to revoke sharing consent (Issue NMS-15486)

  • Docs explicitly state that statistics sharing consent is assumed and how to revoke it (Issue NMS-15490)

  • Official documentation describes how to uninstall and block “datachoices” feature (Issue NMS-15491)

  • Existing opted-out installs stay opted out of usage statistics sharing (Issue NMS-15492)

  • Existing opted-out installs never show the Sharing Notice Dialog (Issue NMS-15493)

  • Existing opted-out install Usage Statistics Sharing UI behaves like a revoked install (Issue NMS-15494)

  • Upgrade to Newts 3.0.0 (Issue NMS-15514)

  • Native support for Holt-Winters forecast (no dep on R) (Issue NMS-15622)

  • Review and adjust default and example startup settings (Issue NMS-15635)

New Feature

  • update opennms build and runtime to support JDK17 (Issue NMS-15609)

Related news

GHSA-chgr-j2p9-jjh8: OpenNMS vulnerable to Cross-site Scripting

