
CyRC Vulnerability Advisory: CVE-2023-0871 Vulnerability in OpenNMS Horizon

Black Duck Editorial Staff

Aug 15, 2023

Overview

The Black Duck Cybersecurity Research Center (CyRC) has discovered CVE-2023-0871, an XML external entity injection vulnerability, in OpenNMS Horizon.

OpenNMS is an open source, Java-based network monitoring platform. It monitors some of the largest networks in the Fortune 500, covering the healthcare, technology, energy, finance, government, education, retail, and industrial sectors, many with tens of thousands of networked devices.

OpenNMS comes in two open source distributions, both under the AGPLv3 license: Horizon (community release) and Meridian (enterprise release). Additional components extend the platform with distributed network monitoring (Minion), scalability (Sentinel), and scalable data persistence (Newts).

CVE-2023-0871

Due to a permissive XML parser configuration, the application is vulnerable to XML External Entity injection.
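The advisory attributes the flaw to a permissive XML parser configuration. The following Java example, added here and not taken from OpenNMS, shows a JAXP DocumentBuilderFactory in its default (permissive) state beside a hardened one that refuses any DOCTYPE and disables external entity resolution, the standard remediation for this bug class. The input document is constructed for the demonstration and uses only an internal entity; its point is that DTD processing is active by default and rejected once the parser is locked down. The feature URIs are the well-known Xerces/SAX feature names supported by the JDK's built-in parser; class and method names are this example's own.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XmlParserHardening {

    // Permissive configuration (hypothetical stand-in for the pre-fix setup):
    // the JAXP defaults keep DOCTYPE processing on and resolve external general
    // entities, which is the misconfiguration class behind XXE.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: rejecting any DOCTYPE removes external entities,
    // parameter entities and entity-expansion denial of service in one step.
    // The remaining features are defence in depth for parsers that ignore the first.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and returns the text content of its root element,
    // or null when the parser rejected the document with a fatal error.
    static String parseRootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder builder = f.newDocumentBuilder();
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a DTD declaring an internal entity. The permissive
        // parser expands it; the hardened parser refuses the DOCTYPE before any
        // entity (internal or external) is ever processed.
        String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE node [<!ENTITY e \"entity-expanded\">]>"
            + "<node>&e;</node>";

        System.out.println("permissive: " + parseRootText(permissiveFactory(), withDtd));
        System.out.println("hardened:   " + parseRootText(hardenedFactory(), withDtd));
    }
}
```

The same four feature settings apply to SAXParserFactory and XMLInputFactory-based parsers; the check to add to a code review or a unit test is simply that a document carrying a DOCTYPE is rejected by every parser the application constructs.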

Exploitation

By sending a crafted HTTP request carrying an XML payload, an attacker can exfiltrate files from the OpenNMS server file system or cause a denial of service. The vulnerable HTTP endpoint requires the credentials of a user holding the RTC role.

Affected software

  • OpenNMS Horizon 0.8 and earlier versions

Impact

Exploitation of this vulnerability would lead to

  • Data leakage (XXE: blind local file inclusion)
  • Denial of service
  • Server-side request forgery (sending arbitrary HTTP requests to internal and external services)

CVSS Base Score: 8.8 (High)

CVSS 3.1 Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Data leakage is limited to text files that the application process is permitted to read and that consist of a single line of text.

Remediation

This vulnerability was fixed in the Horizon 32.0.2 and Meridian 2023.1.6 releases.

Discovery credit

This vulnerability was discovered by Moshe Apelbaum, a Black Duck software engineer from Israel, using the Seeker® Interactive Application Security Testing (IAST) tool.

Timeline

  • June 22: Initial disclosure and confirmation of receipt
  • August 1: OpenNMS confirms patch finalized
  • August 9: OpenNMS releases patch
  • August 15: Black Duck publishes advisory

About CVSS

FIRST.Org, Inc (FIRST) is a non-profit organization in the US that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores should follow the guidelines so that anyone can understand how the score was calculated.
