CyberSecurity SEE

OpenNMS Bug Exposes Data and Causes Denial of Service Attacks


OpenNMS, the widely used open source network monitoring software, has recently addressed a high-severity vulnerability that affects both its community-supported and subscription-based versions. The flaw, an XML external entity (XXE) injection, allows attackers to read files from the file system of the OpenNMS server, launch arbitrary HTTP requests to internal and external services, and trigger denial-of-service conditions on affected systems.

The security flaw, named CVE-2023-0871, was initially discovered by researchers from Synopsys in June. They promptly reported the vulnerability to the maintainers of OpenNMS, who have since released a patch to mitigate the issue. The impact of CVE-2023-0871 extends to both Meridian and Horizon, the subscription-based and community-supported versions of the OpenNMS network monitoring platform. Notably, this platform is trusted by industry giants such as Cisco, GigaComm, and Savannah River Nuclear Solutions (SRNS), along with other critical infrastructure sectors highlighted by CISA (Cybersecurity and Infrastructure Security Agency).

OpenNMS is widely adopted by organizations for monitoring local and distributed networks, encompassing tasks such as performance management, traffic monitoring, fault detection, and alarm generation. This Java-based platform supports the monitoring of physical and virtual networks, applications, servers, business performance indicators, and custom metrics.

The vulnerability in question, CVE-2023-0871, arises from a permissive XML parser configuration, which makes the parser susceptible to XML external entity attacks. A permissive XML parser configuration allows the referencing of external files and URLs within XML, a characteristic exploited by XXE vulnerabilities. By leveraging the default credentials for the Realtime Console (RTC) REST API, an attacker can manipulate trusted XML data to interfere with the application’s processing. This manipulation then opens avenues for compromising other physical and virtual systems, viewing files on the vulnerable app’s system, or launching HTTP requests to other systems through Server-Side Request Forgery (SSRF).
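The permissive-versus-hardened parser configuration described above can be checked directly in Java, the language OpenNMS is written in. The following self-test is an added example, not code from OpenNMS or the Synopsys advisory; it builds a DocumentBuilderFactory with the JDK's default (permissive) settings, then one with DOCTYPE declarations and external entity resolution disabled, and feeds both a constructed XML document whose external entity points at a temporary file created by the program itself. The class name, the feature URIs (standard Xerces/JAXP features, assumed to be honored by the JDK's built-in parser) and the temp-file contents are all this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Self-test contrasting a permissive DocumentBuilderFactory with a hardened one (example code, not OpenNMS's). */
public class XxeParserCheck {

    /** Permissive configuration: stock JDK defaults, which resolve external entities declared in a DOCTYPE. */
    static DocumentBuilder permissiveParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    /** Hardened configuration: reject DOCTYPE outright, so no entity declarations or external DTDs are processed. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: a document with any DOCTYPE is refused before entities can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth for parsers that must accept a DOCTYPE for other reasons.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the document and returns the root element's text, or the parser's rejection message. */
    static String parseRootText(DocumentBuilder db, String xml) {
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (SAXException | IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file on the monitoring server; created and removed by this program.
        Path secret = Files.createTempFile("xxe-demo-", ".txt");
        Files.writeString(secret, "contents-the-parser-should-never-read");
        secret.toFile().deleteOnExit();

        // Constructed test document: an external general entity that references the local file above.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"" + secret.toUri() + "\"> ]>\n"
                + "<data>&ext;</data>";

        // With default settings the file contents appear in the parsed text; the hardened
        // parser raises a SAXParseException on the DOCTYPE and never touches the file.
        System.out.println("permissive -> " + parseRootText(permissiveParser(), xxe));
        System.out.println("hardened   -> " + parseRootText(hardenedParser(), xxe));
    }
}
```

Run it as a one-off check against the parser factory an application actually constructs: if the "permissive" line echoes the temp file's contents, the configuration has the same class of weakness the article describes. Disabling DOCTYPE is the single most effective setting because it also removes the parameter-entity and external-DTD paths that the remaining flags cover individually.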

According to the OpenNMS project, the vulnerability affects OpenNMS Horizon 31.0.8 and versions prior to 32.0.2 on multiple platforms. To mitigate the risk, organizations running affected versions of the software are strongly advised to update to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. Moreover, organizations are strongly discouraged from making OpenNMS directly accessible over the internet and should ensure that its installation and usage are limited to an internal network.

While following OpenNMS's recommendations significantly reduces the likelihood of a successful attack, it is important to note that the vulnerability remains critical: if exploited, it can lead to system compromise. This is also not the only vulnerability discovered in OpenNMS this year. Researchers have identified CVE-2023-0870, a cross-site request forgery flaw, and CVE-2023-0846, an unauthenticated cross-site scripting vulnerability, in multiple versions of OpenNMS Horizon and Meridian.

Addressing and promptly patching vulnerabilities like CVE-2023-0871 is crucial for maintaining the security and trustworthiness of open source software such as OpenNMS. Users should remain vigilant and ensure that their installations are always up to date with the latest patches to protect their systems from potential attacks.
