Changelog

Release Meridian-2021.1.15

Release 2021.1.15 contains a number of security dependency updates.

While the dependency changes should not affect how the OpenNMS runtime works, this release contains a larger than usual number of changes to "plumbing" to facilitate these dependency updates. It is strongly recommended that you do more than the usual amount of testing before deploying this update to a production environment.

The codename for Meridian 2021.1.15 is Solar Orbiter.

Bug

  • CVE-2022-22965: Spring RCE in Data Bindings (Issue NMS-14134)

  • Upgrade groovy-all dependency (Issue NMS-14208)

  • make sure license-maven-plugin is re-enabled in foundation and release branches (Issue NMS-14217)

  • Upgrade jackson-mapper-asl dependency (Issue NMS-14252)

Release Meridian-2021.1.14

Release 2021.1.14 contains a number of bug fixes, as well as a few enhancements.

The codename for Meridian 2021.1.14 is BepiColombo.

Bug

  • Documentation for all pollers misses RRD config parameter (Issue NMS-11747)

  • Class not found exception in web.log for the GeocoderServiceManager (Issue NMS-13833)

  • Resolve SonarCloud High priority Security Hotspots (Issue NMS-14002)

  • Scriptd helpers ignore community setting (Issue NMS-14045)

  • Node availability > 100% in the dashboard (Issue NMS-14048)

  • Wrong wiki URL in debian installer (Issue NMS-14053)

  • Build from source documentation needs a minor correction (Issue NMS-14088)

  • Destination Path Edit Button fails when Name field is empty (Issue NMS-14111)

Enhancement

  • Switch to using a java e-mail library instead of system mail (Issue NMS-14015)

  • Misspelling in SystemExecuteMonitor error text (Issue NMS-14091)

  • relicense rancid-api to LGPL, change dependency to match (Issue NMS-14093)

Release Meridian-2021.1.13

Release 2021.1.13 contains a fix for a regression in graph viewing.

The codename for Meridian 2021.1.13 is Spektr-RG.

Bug

  • OpenNMS points to the wrong URL when trying to generate graphs (Issue NMS-14057)

Release Meridian-2021.1.12

Release 2021.1.12 contains mostly doc updates and bug fixes, including some small security-related changes.

The codename for Meridian 2021.1.12 is Cosmos 482.

Bug

  • opennms user credentials wrongly exposed (Issue NMS-12146)

  • Support → System Report exposes credentials in plain text (Issue NMS-13831)

  • Cross site scripting - Reflected (Issue NMS-13835)

  • TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability (Issue NMS-13845)

  • Password field with autocomplete enabled (Issue NMS-13847)

  • Web UI copyright year needs updating (Issue NMS-14037)

Enhancement

  • Releases should document third party libraries and their licenses (Issue NMS-14004)

  • Expand newts converter documentation (Issue NMS-14073)

  • Add TcpDetector documentation (Issue NMS-14074)

Release Meridian-2021.1.11

Release 2021.1.11 is a small release with a number of bug fixes, including a few security fixes related to Grafana PDF reports and Protobuf.

Thanks to Sahil Tikoo from Etisalat for reporting the Grafana endpoint issue.

A note about security issues: we have traditionally created CVEs in a pretty ad-hoc manner. We are in the process of formalizing how we’ll be doing so going into the future.

The codename for Meridian 2021.1.11 is Magellan.

Bug

  • config-tester doesn’t find malformed resourceTypes (Issue NMS-13723)

  • Event configuration UI fails to persist logmsg dest changes (Issue NMS-13729)

  • Outdated javascript library (Issue NMS-13848)

  • org.opennms.core.commands never got added to Karaf build (Issue NMS-13910)

  • grafana endpoint can be used to port-scan internal resources (Issue NMS-13917)

  • Minion fails to marshall requisition with JAXB error: Class [org.opennms.netmgt.model.PrimaryTypeAdapter] not found (Issue NMS-13927)

  • Unsynchronized access to service factories in TelemetryServiceRegistryImpl (Issue NMS-13961)

Enhancement

  • Split SNMP Property Extenders into multiple pages (Issue NMS-13760)

  • Upgrade protobuf-java version (Issue NMS-13889)

Release Meridian-2021.1.10

Release 2021.1.10 is a small release with another upgrade for Log4j2 as well as an NPE fix in the topology UI, plus some dependency updates in the web UI code.

It is not believed that we are vulnerable to the Log4j issues fixed in these newer releases, but are updating anyway just to be sure.

The codename for 2021.1.10 is Parker Solar Probe.

Bug

  • Customer is not able to view Topology (Issue NMS-13851)

  • Javascript security updates (December, 2021) (Issue NMS-13857)

  • CVE-2021-45105: Update to Log4j 2.17.0 (Issue NMS-13868)

  • upgrade to log4j2 2.17.1 and pax-logging 1.11.13/2.0.14 (Issue NMS-13878)

Enhancement

  • Minion Kafka docs missing reference to custom.system.properties (Issue NMS-13885)

Release Meridian-2021.1.9

Release 2021.1.9 is a re-release of 2021.1.8 with additional fixes relating to Log4j2 vulnerabilities.

The codename for 2021.1.9 is Venera 6.

Bug

  • CVE-2021-45046: incomplete Log4j2 vulnerability mitigation (Issue NMS-13858)

Release Meridian-2021.1.8

Release 2021.1.8 is an out-of-band release with a fix for the Log4j2 security issue, plus an enhancement to support exclude-url in discovery’s configuration.

The codename for 2021.1.8 is Cassini.

Bug

  • Log4j2 0-day: CVE-2021-44228 (Issue NMS-13850)

Enhancement

  • Update VMWare import documentation regarding multiple parameters (Issue NMS-9889)

  • Add "exclude-url" to Discoverd’s configuration (Issue NMS-13718)

Release Meridian-2021.1.7

Release 2021.1.7 contains a fix for a Jetty CVE, plus a number of bug fixes and small enhancements, including an update to fix a bug in user auth changes and enhancements to SNMPv3 auth and Trapd configuration.

The codename for 2021.1.7 is MOM 2.

Bug

  • Update labelling in Configure Discover screen (Issue NMS-12992)

  • Link to release notes in web Help / About needs updating (Issue NMS-13579)

  • Remove reference to DHCP plugin from docs (Issue NMS-13727)

  • Authorization changes not taking immediate effect (Issue NMS-13761)

  • Missing RRD package definition in BMP persisting adapter (Issue NMS-13812)

  • CVE-2021-28164: access to WEB-INF (Issue NMS-13832)

Enhancement

  • Support multiple auth params for same SNMPV3 username (Issue NMS-13490)

  • Dynamic Configuration of Trap Listener (Issue NMS-13564)

  • Document how to install from source (Issue NMS-13685)

  • Migrate Discovery settings from wiki into docs (Issue NMS-13730)

  • Remove link to wiki from the landing page (Issue NMS-13779)

Release Meridian-2021.1.6

Release 2021.1.6 contains a few enhancements and doc updates, plus a number of bug fixes including an XSS bug in the notification wizard.

The codename for 2021.1.6 is Chang’e 2.

Bug

  • The node and interface counters of the Evaluation Layer are incorrect (Issue NMS-13283)

  • EvaluationMetrics.log is contaminated with non-related metrics. (Issue NMS-13284)

  • The Info ReST endpoint is not showing the services status (Issue NMS-13437)

  • Reflected XSS in webapp notice wizard (Issue NMS-13496)

  • macOS Monterey: older OpenNMS branches do not start anymore (Issue NMS-13703)

  • related events box in alarm detail shows all events when alarm has no node / interface / service / ifindex (Issue NMS-13705)

Enhancement

  • Documentation for reloadable daemons (Issue NMS-12611)

  • Incorporate node related information to events and alarms topic in opennms-kafka-producer feature (Issue NMS-12778)

  • Show Link State when viewing links on the Enlinkd topology maps (Issue NMS-13619)

  • Topologies menu (Issue NMS-13622)

  • Check doc source for wiki links (Issue NMS-13688)

  • Add hint for time sync on OpenNMS components (Issue NMS-13724)

Release Meridian-2021.1.5

Release 2021.1.5 contains a number of bug fixes and enhancements, including web UI, Minion, Docker, and documentation improvements.

The codename for 2021.1.5 is Viking 1.

Bug

  • Strings with URL arguments are truncated in the eventdescr field (Issue NMS-13428)

  • Web-based SNMP config UI does not pass through proxy-host if a value is provided (Issue NMS-13512)

  • Add JVM option to the minion startup script (Issue NMS-13552)

  • missing fields in search autocomplete (Issue NMS-13518)

  • Signed Minion container bleeding image shows revision as meridian-foundation-2021.1.4-1-487 (Issue NMS-13587)

  • Meridian Minion images do not include release (Issue NMS-13591)

Enhancement

  • Document data types in collectd (Issue NMS-10476)

  • Update adapters documentation (Issue NMS-12999)

  • Move monitors docs to the Reference section (Issue NMS-13524)

  • Move detectors to reference section (Issue NMS-13525)

  • Move collectors to reference section (Issue NMS-13526)

  • Move telemetryd (streaming telemetry) to reference section (Issue NMS-13527)

  • Move ticketing docs to reference section (Issue NMS-13529)

  • Move provisioning policies to the reference section (Issue NMS-13562)

  • Publish Minion image for Meridian to DockerHub (Issue NMS-13567)

  • Backport docker content trust for signed images to meridian 2021 (Issue NMS-13568)

  • Backport confd support for minion config (Issue NMS-13573)

  • Geolocator Doc Clarification (Issue NMS-13611)

Release 2021.1.4 contains a number of bug fixes and enhancements, including a dependency update related to a CVE.

The codename for 2021.1.4 is Sputnik 19.

Release Meridian-2021.1.4

Bug

  • OpenNMS Admin Guide HostResourceSwRunMonitor service-name not exact match string (Issue NMS-8968)

  • Syslog messages missing nodelabel, location, and interface (Issue NMS-13485)

  • Bump Apache Ant version to 1.10.11 (CVE-2021-36373, CVE-2021-36374) (Issue NMS-13509)

Enhancement

  • Update Provisiond Docs (Issue NMS-13446)

  • Update table formatting in docs. (Issue NMS-13472)

  • Migrate VMware config from wiki to docs (Issue NMS-13473)

  • Use Karaf shell commands to secure Minion SSH Karaf access (Issue NMS-13511)

  • Reformat tables (again) (Issue NMS-13515)

Release Meridian-2021.1.3

Release 2021.1.3 contains a bunch of bug fixes and enhancements, plus a few security updates, notably a fix for a Jetty CVE.

The codename for 2021.1.3 is MESSENGER.

Bug

  • The Dev Documentation doesn’t have information about the Hardware Inventory (Issue NMS-11730)

  • Admin guide still uses deprecated term "provisioning group" in places (Issue NMS-12373)

  • OutOfMemory issue on Minion ( corner case related to Offheap) (Issue NMS-13405)

  • The PageSequenceMonitor keys host and virtual-host are confusing (Issue NMS-13412)

  • Jetty 9.4.38 security issues CVE-2021-28164, CVE-2021-34428 and CVE-2021-28169 (Issue NMS-13449)

  • Optimize node cache refresh to be non-blocking to flow data (Issue NMS-13481)

  • Reflected XSS in webapp notice wizard (Issue NMS-13496)

  • Reflected XSS in scheduled outage editor (Issue NMS-13498)

Enhancement

  • Add missing Prometheus collectd example in our documenation (Issue NMS-12978)

  • Table formatting issue in new docs (Issue NMS-13364)

  • Hardware Inventory Plugin needs docs (Issue NMS-13370)

  • Doc typos - improper character escaping (Issue NMS-13448)

  • Update table formatting in collectors section of docs (Issue NMS-13456)

Release Meridian-2021.1.2

Release 2021.1.2 contains a bunch of bug fixes and enhancements, plus a few security updates.

The codename for 2021.1.2 is Ulysses.

Bug

  • SNMP collection failing for "interface label is null or blank" (Issue NMS-11764)

  • Meridian installation guide is incomplete (Issue NMS-13294)

  • Default Debian instructions don’t work on a minimal install (Issue NMS-13355)

  • CVE-2020-13956: Update commons-httpclient to 4.5.13 (Issue NMS-13360)

  • CVE-2017-5929: bump logback-classic version to latest (Issue NMS-13361)

  • Update images chapter in docs remove two chapters (Issue NMS-13371)

  • Package diffutils is missing in Docker image (Issue NMS-13429)

Enhancement

  • Incorporate node related information to events and alarms topic in opennms-kafka-producer feature (Issue NMS-12778)

  • Expand PageSequenceMonitor Documentation (Issue NMS-13260)

  • Publish minion config schema (Issue NMS-13285)

  • update WMI dependencies (Issue NMS-13320)

  • Expand Sink API Documentation (Issue NMS-13328)

  • Add out-of-band monitoring content to main user documentation (Issue NMS-13330)

  • Create DnsDetector docs (Issue NMS-13338)

  • Create FtpDetector docs (Issue NMS-13339)

  • Create HostResourceSWRunDetector docs (Issue NMS-13340)

  • Setup DCT keys for the OpenNMS and OpenNMS-Forge organizations (Issue NMS-13345)

  • Implement Kafka Consumer for events (protobuf) (Issue NMS-13362)

  • Allow setting java heap minimum and maximum values in opennms.conf (Issue NMS-13367)

  • Misc documentation fixes (Issue NMS-13426)

Release Meridian-2021.1.1

Release 2021.1.1 contains a number of small bug fixes and a few enhancements.

The codename for 2021.1.1 is ACE.

Bug

  • Race condition when enabling the Situations Feedback feature (Issue NMS-12767)

  • IP interface link in Response Time graph page is broken (Issue NMS-13158)

  • Mark OIA Implementation for Timeseries as experimental (Issue NMS-13281)

  • Meridian installation guide is incomplete (Issue NMS-13294)

  • Validate query parameters in snmpInterfaces.jsp (Issue NMS-13308)

  • Validate name parameter in DestinationWizardServlet (Issue NMS-13309)

  • CLONE - DOC Branding: Icon in tab is still the old one (Issue NMS-13329)

Enhancement

  • Incorrect reference to org.opennms.netmgt.syslog.cfg (Issue NMS-13223)

  • Update conventions for text formatting (Issue NMS-13336)

  • Location aware Requisitions from DNS (Issue NMS-13278)

Release Meridian-2021.1.0

Release 2021.1.0 is the first in the Meridian 2021 series, based on Horizon 27.

The codename for 2021.1.0 is Perseverance.

Bug

  • Not possible to define notification parameters via "Configure notifications" UI (Issue NMS-8581)

  • Race condition on ALEC’s config bundle after installation (Issue NMS-12766)

  • Add a warning when enabling forwarding metrics through the Kafka Producer (Issue NMS-13039)

  • Reflected XSS reported 2021-03-31 (update summary after disclosure) (Issue NMS-13229)

  • Backport Security Issues from Last Month (Issue NMS-13231)

  • vmware integration connection pool not expiring connections (Issue NMS-13234)

  • Cleared alarms with closed ticket state not removed when using a hybrid approach (Issue NMS-13237)

  • Update Vaadin dependencies (Issue NMS-13261)

Enhancement

  • Migrate OpenNMS core docs to Antora (Issue NMS-12497)

  • Overview chapter (Issue NMS-12670)

  • Create Win32ServiceDetector documentation (Issue NMS-13074)

  • Create WmiDetector documenation (Issue NMS-13075)

  • Create BgpSessionDetector documentation (Issue NMS-13076)

  • Enable Single topic by default for Kafka RPC (Issue NMS-13104)

  • Re-enable Kafka RPC Single Topic By Default (Issue NMS-13184)

  • Update Help page with doc links in the Web UI (Issue NMS-13225)

  • Admin Guide Newts Instructions Incomplete (Issue NMS-13242)

  • Minion - Meridian Installation Documents Incorrect (Issue NMS-13247)

  • Provide documentation for context-sensitive help in UI form (Issue NMS-13255)