Changelog
Release Meridian-2022.1.29
Release Meridian-2022.1.24
Release 2022.1.24 contains one small enhancement to aid in debugging.
The codename for Meridian 2022.1.24 is Telescopium.
Enhancement
- Add debug logging to SNMP Property Extenders on match failure (Issue NMS-15743)
Release Meridian-2022.1.23
Release 2022.1.23 contains a few small bug fixes.
The codename for Meridian 2022.1.23 is Triangulum.
Release Meridian-2022.1.21
Release 2022.1.21 contains a fix for a login page issue when using pre-authentication, and a fix for a bug in the Sentinel fix-permissions script.
The codename for Meridian 2022.1.21 is Hercules.
Release Meridian-2022.1.20
Release 2022.1.20 contains a few security fixes, as well as a couple other small improvements.
The codename for Meridian 2022.1.20 is Taurus.
Bug
- Prevent Angular evaluation of strings enclosed by two curly braces in non-Angular form-fields and output (Issue NMS-15504)
- Polling fails when rrd-status is set to true (Issue NMS-15806)
- Back-port Angular evaluation prevention in non-Angular fields to foundation-2020 (Issue NMS-16052)
- Prevent Invalid Node Filter Search from revealing SQL query (Issue NMS-16057)
- Update Instrumentation Log Reader to parse IPv6 addresses (Issue NMS-16114)
Release Meridian-2022.1.19
Release 2022.1.19 contains several important security fixes, one fix for a potential DoS vulnerability, and two general bug fixes.
Thanks to the following researchers for responsibly disclosing security issues in this release:
- Jordi Miralles reported issues NMS-15703, NMS-15782, and NMS-15783.
- OSS Fuzz reported issue NMS-15877.
The codename for Meridian 2022.1.19 is Corona Australis.
Bug
- backport fixes from Spring Security 5.x to custom Spring Security 4.2.20.RELEASE (Issue NMS-15663)
- ROLE_REST can be used to escalate to ROLE_ADMIN via /rest/users (Issue NMS-15703)
- Stored XSS in multiple JSP files in opennms/opennms (Issue NMS-15782)
- Reflected XSS in multiple JSP files in opennms/opennms (Issue NMS-15783)
- CVEs for postgresql JDBC driver 42.2.18 (Issue NMS-15861)
- OpenNMS Search Bar does not retrieve nodes without foreignsource and foreignid (Issue NMS-16030)
- Error on startup with Invalid CEN header exception (Issue NMS-16034)
Enhancement
- Disable BeanShell interpreter remote server mode (Issue NMS-15793)
Release Meridian-2022.1.18
Release 2022.1.18 contains a few general bug fixes.
The codename for Meridian 2022.1.18 is Fornax.
Release Meridian-2022.1.17
Release 2022.1.17 contains one CVE-related security fix, a handful of general bug fixes, and a couple of small enhancements.
The codename for Meridian 2022.1.17 is Centaurus.
Breaking changes
- This release has moved to a newer major version of Spring Security to address a number of CVEs, which necessitated changes to the $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml file, so if you have modified this file in your installs, be sure to note your changes so you can re-apply them to the updated version.
- The script $OPENNMS_HOME/bin/install checked whether $myuser equals $RUNAS before sourcing $OPENNMS_HOME/etc/opennms.conf, which caused startup to fail every time unless the script were run as root; if you have patched that file on your system, watch out for a .rpmsave or .dpkg-new file.
Task
- Multiple CVEs for Axis 1.4 (Issue NMS-15061)
Bug
- eventd does not validate its configuration before reloading in response to a reloadDaemonConfig event (Issue NMS-15289)
- Fixing typo for event uei.opennms.org/internal/schedOutagesChanged (Issue NMS-15421)
- Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)
- Backshift graph’s Data tab shows incorrect / phantom data when using STACK (Issue NMS-15495)
- install script checks for equality of myuser and RUNAS before sourcing opennms.conf (Issue NMS-15610)
- send-events-to-elasticsearch karaf command passes username/password in reverse (Issue NMS-15638)
- backport spring-security updates from NMS-15506 to Meridian 2020 (Issue NMS-15662)
- Meridian Minion 2023 and 2022 installation docs for RHEL 8/9 use the repo URL for 2021/rhel8 (Issue NMS-15665)
- Doc: File name syslog-grok-patterns.txt is wrong (Issue NMS-15684)
- Stop packaging activemq-web-console.war (Issue NMS-15686)
- Database deadlock caused by JdbcFilterDao (Issue NMS-15696)
Release Meridian-2022.1.16
Release 2022.1.16 contains three security vulnerability fixes, a handful of other bug fixes, and one small enhancement to the startup scripts.
The codename for Meridian 2022.1.16 is Vela.
Bug
- POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)
- Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)
- Plaintext Password Present in the Web logs (Issue NMS-15305)
- Syslog Northbounder maxMessageSize config option is not used (Issue NMS-15606)
- Jetty CVE-2023-26048/CVE-2023-26049 (Issue NMS-15612)
- Update to latest groovy 2.x (Issue NMS-15633)
- $OPENNMS_HOME/etc/THIRD-PARTY.txt has gone missing with Horizon 31.0.6 and onwards (Issue NMS-15636)
- SNMPv3 support for AES256 appears broken (Issue NMS-15637)
Enhancement
- Enable AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE in shipped opennms.service systemd file (Issue NMS-15596)
Release Meridian-2022.1.15
Release 2022.1.15 contains a bunch of bug fixes, along with a fix for a security vulnerability.
The codename for Meridian 2022.1.15 is Crater.
Bug
- Scriptd consumes CPU even when it does nothing (Issue NMS-13216)
- dependabot: upgrade Apache POI to at least 4.1.1 (CVE-2019-12415) (Issue NMS-14589)
- POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)
- Multiple CVEs for cxf 3.2.8 (Issue NMS-15065)
- Concurrent requests to rrd summary endpoint fails (Issue NMS-15086)
- Statistics Reports → Export Excel fails with exception (Issue NMS-15148)
- The various SNMP extenders to not work with ifIndex-indexed resources (Issue NMS-15342)
- SNMP Interfaces Endpoint returns multiple values [duplicates] when there are multiple "IP Interfaces" pointing to same SNMP-IfIndex "ipAdEntIfIndex". (Issue NMS-15352)
- Missing XML Validation in Apache Xerces2 (Issue NMS-15373)
- M2022 Minions > 2022.1.8 Cannot use SCV credentials (Issue NMS-15450)
- Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)
- upgrade Xalan to 2.7.3 (CVE-2022-34169) (Issue NMS-15578)
Task
- Vulnerable c3p0 0.9.1.1 packaged in Meridian 2021 (Issue NMS-15072)
Enhancement
- re-enable license maven plugin as a separate job (Issue NMS-15572)
Release Meridian-2022.1.14
Release 2022.1.14 is a bugfix release that also upgrades one library dependency.
The codename for Meridian 2022.1.14 is Cygnus.
Story
- Upgrade ActiveMQ to 5.15 (Issue NMS-12089)
Bug
- Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)
Task
- Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
Release Meridian-2022.1.13
Release 2022.1.13 introduces one breaking change (see below). It also fixes several security vulnerabilities, upgrades many potentially vulnerable dependency libraries, and fixes one bug in the BSM daemon.
Breaking changes
- The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.
Shout-outs and errata
- Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.
- Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.
- The release notes for Meridian-2022.1.12 incorrectly stated that NMS-15124 was fixed in that release. In actual fact, the fix is in this release (Meridian-2022.1.13).
The codename for Meridian 2022.1.13 is Canis Major.
Bug
- Multiple stored and reflected XSS in webapp (Issue NMS-14854)
- reloading BSM daemon causes the state of serviceProblem alarm to be reset (Issue NMS-15124)
- CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)
- CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)
- CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)
- CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)
- CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)
- CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)
- CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)
- CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)
- CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)
- CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)
- CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)
- CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)
- CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)
- CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)
- Plaintext Password Present in the Web logs (Issue NMS-15305)
Task
- CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)
- CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)
- vulnerable Junit dependency (Issue NMS-15074)
- JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)
- JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)
- JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)
- Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
Release Meridian-2022.1.12
Release Meridian-2022.1.11
Release 2022.1.11 fixes a typo that didn’t get cherry-picked back to the 2022 branch from Horizon 31. This is all Ben’s fault. (Sorry)
The codename for Meridian 2022.1.11 is Orion.
Release Meridian-2022.1.10
Release 2022.1.10 fixes a generous handful of bugs and security vulnerabilities, besides updating a few library dependencies to newer versions.
The codename for Meridian 2022.1.10 is Reticulum.
Bug
- Notifd auto-ack function does not use meta data (Issue NMS-13020)
- Map Pins Missing Since Upgrade (Issue NMS-13918)
- javadoc not being generated in H31 (Issue NMS-14750)
- Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)
- Form Autocomplete Attribute Not Set (Issue NMS-14934)
- Cookie Attribute - SameSite Attribute Missing or Misconfigured (Issue NMS-14937)
- Events and alarms search return error 405 POST method not allowed (Issue NMS-15031)
- opennms rpm could get wrong jetty files (Issue NMS-15043)
- RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)
Unexpected Behavior
- RPM packages fail to install when FIPS Enabled (Issue NMS-14628)
Release Meridian-2022.1.9
Release 2022.1.9 contains several bug fixes with install and runtime impact, a handful of security fixes, and one enhancement to the documentation. The bug fixes include a back-port of work done in Horizon 30 to upgrade the Guava library to version 25. While these changes have seen extensive testing during the life of Horizon 30, this change touches many parts of the platform; Newts users should take extra care when upgrading, as this change drove an upgrade of the Cassandra driver.
The codename for Meridian 2022.1.9 is Lacerta.
Bug
- Database reports need to be rebranded (Issue NMS-14058)
- backport Guava 25 changes to foundation-2022 (Issue NMS-14565)
- Unexpected interfaceDown event/alarm during a scheduled outage (Issue NMS-14695)
- Debian/Ubuntu gpg deprecation warning (Issue NMS-14760)
- Invalid redirect when behind a reverse proxy (Issue NMS-14805)
- Scheduled scan fails to inform nodeScanAborted events (Issue NMS-14853)
Enhancement
- Move Enlinkd daemon docs to Reference section (Issue NMS-14913)
Release Meridian-2022.1.8
Release 2022.1.8 contains a handful of bug and security fixes, and a couple of back-ported enhancements.
The codename for Meridian 2022.1.8 is Apus.
Story
- Update BSM Documentation (Issue NMS-8571)
- Trapd is missing in the docs (Issue NMS-12629)
- Determine if requisitions docs are correct (Issue NMS-13938)
- Back-port multi-constraint work (Issue NMS-14698)
- Reflected XSS (PB-2022, Aug 2022) (Issue NMS-14713)
- Browser-Specific XSS (PB-2022, Aug 2022) (Issue NMS-14714)
- Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14716)
- Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" Attribute (Issue NMS-14717)
Task
- Add style guide content to the documentation (Issue NMS-14654)
Release Meridian-2022.1.7
Release Meridian-2022.1.6
Release 2022.1.6 contains quite a few bug fixes as well as a number of small features.
We have made a number of improvements to the documentation, including reworking the section on events and adding information on configuring SNMP traps and varbinds.
The codename for Meridian 2022.1.6 is Auriga.
Bug
- show-event-config displays unexpected content after adding new event definitions (Issue NMS-12863)
- Clearing an alarm brings alarm not found message (Issue NMS-12981)
- JVM MemoryPool data collection not working (Issue NMS-14041)
- Scripts invoke sudo even if running as root (Issue NMS-14410)
- Documentation references invalid docker version for latest horizon version release (Issue NMS-14431)
- WebMonitor does not track the response time (Issue NMS-14535)
- Grafana dashboard reports do not run (Issue NMS-14544)
- Fix docs references to editing org.apache.karaf.features.cfg (Issue NMS-14566)
- Spring Framework CVE-2022-22950 Remediation (Issue NMS-14568)
Enhancement
- Update PG installation documentation to use SCRAM (Issue NMS-13057)
- Update Events Documentation (Issue NMS-14212)
- Migrate Trap configuration wiki to docs (Issue NMS-14323)
- Document SNMP oid varbind pattern matching and varbind expansion to create unique events (Issue NMS-14346)
- SNMP Interface Poller doc updates (Issue NMS-14412)
- Update documentation for policy matching (Issue NMS-14528)
- simplify assembly tarballs (Issue NMS-14572)
Release Meridian-2022.1.5
Release 2022.1.5 contains a bunch of bug fixes, as well as a few enhancements.
The codename for Meridian 2022.1.5 is Crux.
Bug
- Correct Grammar in Notices Box (Issue NMS-12355)
- Error responses are not handled correctly when handling ElasticSearch responses (Issue NMS-13785)
- Link in ERROR log doesn’t exist (Issue NMS-13956)
- Event/Alarm advanced search not passing search terms (Issue NMS-14161)
- Heatmap drill down does not show any alarms/outages (Issue NMS-14243)
- Replace old logo references in some files/reports with the new logo (Issue NMS-14372)
- runas=root entry in opennms.conf gets duplicated (Issue NMS-14396)
- Notification with Destination Path and Group, Interval Delay doesnt show (Issue NMS-14403)
- Kafka Consumer stops commits when overloaded (Issue NMS-14415)
Enhancement
- event nodeCategoryMembershipChanged should be more verbose (Issue NMS-10634)
- There should be documentation for the reports (Issue NMS-11810)
- Authentication related WEB-INF files should also exist in etc-pristine (Issue NMS-13834)
- Add support for pre-authorization via HTTP header (to be used with pre-authentication) (Issue NMS-14059)
- upgrade JNA to 5 (Issue NMS-14417)
Release Meridian-2022.1.4
Release 2022.1.4 contains a number of bug fixes, as well as a few enhancements and a ton of documentation updates.
The codename for Meridian 2022.1.4 is Hydra.
Bug
- [Web] - WebServer Fingerprinting (Issue NMS-13987)
- Telemetryd does not shut down gracefully (Issue NMS-14003)
- Users with ROLE_USER face Access Denied when accessing Resource Graphs from Reports Section (Issue NMS-14193)
- Exception when searching assets (Issue NMS-14240)
- Rogue opennms-tools/phonebook/pom.xml (Issue NMS-14266)
- Remove "Commercial Support" ticket lookup from web ui support section (Issue NMS-14280)
- Circle ci caching OIA issue (Issue NMS-14291)
- Kafka-Producer Alarm Resync Failing Post Entire Kafka Cluster Outage (Issue NMS-14321)
Enhancement
- Add a note to remember delete the browsers cache when upgrading OpenNMS (Issue NMS-8504)
- there is no documentation on the instrumentation log reader (Issue NMS-10393)
- LoopMonitor & detector (Issue NMS-11042)
- Document PassiveServiceMonitor (Issue NMS-11052)
- WmiMonitor (Issue NMS-11065)
- Migrate External Auth into docs (Issue NMS-13574)
- Document how to set up SSL with Jetty (Issue NMS-13684)
- Document how to upgrade OpenNMS (Issue NMS-13692)
- DCB: Error reporting needs love (Issue NMS-14128)
- Be able to control label sizes for the stress-metrics command (Issue NMS-14194)
- Add new KPIs to datachoices telemetry (Issue NMS-14203)
- Correct errors on Business Service Monitoring docs (Issue NMS-14337)
- Snmp Link Up does not clear Snmp Link Down (Issue NMS-14378)
Release Meridian-2022.1.3
Release 2022.1.3 contains a number of security dependency updates, plus a bunch of other bug fixes and documentation improvements.
While the dependency changes should not affect how the OpenNMS runtime works, this release contains a larger than usual number of changes to "plumbing" to facilitate these dependency updates. We strongly recommend that you do more than the usual amount of testing before deploying this update to a production environment.
The codename for Meridian 2022.1.3 is Microscopium.
Bug
- install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14032)
- Provisiond Fails to Start when wrong data is successfully POSTed via REST to hardwareInventory endpoint (Issue NMS-14085)
- Grafana box renders raw JS when Grafana behind reverse proxy with SSO (Issue NMS-14109)
- CVE-2022-22965: Spring RCE in Data Bindings (Issue NMS-14134)
- Minions Trapd Listener Fails to Bind to udp/162 when broker is down (Issue NMS-14148)
- Fix formatting in alarmd documentation (Issue NMS-14182)
- Dependabot: update Vaadin to the latest 8.x (Issue NMS-14192)
- Upgrade groovy-all dependency (Issue NMS-14208)
- make sure license-maven-plugin is re-enabled in foundation and release branches (Issue NMS-14217)
- Upgrade jackson-mapper-asl dependency (Issue NMS-14252)
Release Meridian-2022.1.2
Release 2022.1.2 contains a bunch of bug fixes and enhancements.
The codename for Meridian 2022.1.2 is Piscis Austrinus.
Bug
- Documentation for all pollers misses RRD config parameter (Issue NMS-11747)
- Enlinkd API response extremely slow for some nodes (Issue NMS-13507)
- Resolve SonarCloud High priority Security Hotspots (Issue NMS-14002)
- Can’t set capabilities in Minion systemd unit (Issue NMS-14016)
- Scriptd helpers ignore community setting (Issue NMS-14045)
- Wrong wiki URL in debian installer (Issue NMS-14053)
- Build from source documentation needs a minor correction (Issue NMS-14088)
- Hostname command is missing when running in a container (Issue NMS-14100)
- Fix for NMS-13887 did not make it to Core (Issue NMS-14117)
- Update docs for binding ports <1024 (Issue NMS-14162)
Enhancement
- Switch to using a java e-mail library instead of system mail (Issue NMS-14015)
- Expand newts converter documentation (Issue NMS-14073)
- Add TcpDetector documentation (Issue NMS-14074)
- Misspelling in SystemExecuteMonitor error text (Issue NMS-14091)
- relicense rancid-api to LGPL, change dependency to match (Issue NMS-14093)
- clean up JAXB dependencies (Issue NMS-14105)
Release Meridian-2022.1.1
Release 2022.1.1 contains a fix for a regression in graph viewing, plus a fix for permissions on the $OPENNMS_HOME/logs directory.
The codename for Meridian 2022.1.1 is Puppis.
Release Meridian-2022.1.0
Release 2022.1.0 is the first of the Meridian 2022 series, based on Horizon 29.
The codename for Meridian 2022.1.0 is Monoceros.
Bug
- opennms user credentials wrongly exposed (Issue NMS-12146)
- Install script fails when using Azure PostgreSQL Services (Issue NMS-13715)
- In default installation the ActiveMQ Total Enqueued Messages throw divde error exceptions (Issue NMS-13737)
- Systemd startup uses legacy SysV init script (Issue NMS-13783)
- Telemetryd error occurring when testing with hsflowd (Issue NMS-13795)
- OpenNMS Availability 'Chart' Shouldn’t Include Time Before Connected (Issue NMS-13822)
- Support → System Report exposes credentials in plain text (Issue NMS-13831)
- Cross site scripting - Reflected (Issue NMS-13835)
- TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability (Issue NMS-13845)
- Password field with autocomplete enabled (Issue NMS-13847)
- fix-karaf-setup.sh should honor RUNAS (Issue NMS-13881)
- Remote RMI is broken in 29.0.x (Issue NMS-13887)
- Unable to modify node/interface/service metadata through requisition after initial synchronization (Issue NMS-13890)
- Web UI redirects to http even with base-url set to https (Issue NMS-13901)
- Minion fails to marshall requisition with JAXB error: Class [org.opennms.netmgt.model.PrimaryTypeAdapter] not found (Issue NMS-13927)
- Prevent REST API from allowing multiple primary SNMP interfaces on a single node (Issue NMS-13939)
- Unsynchronized access to service factories in TelemetryServiceRegistryImpl (Issue NMS-13961)
- Instrument Provisiond Thread Pools (Issue NMS-13969)
- SNMP Detector configuration page excludes useSnmpProfiles and ttl options (Issue NMS-13997)
- install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14032)