Changelog

Release Meridian-2023.1.3

Release 2023.1.3 contains four security vulnerability fixes and a generous helping of other bug fixes. It also updates the plugin host to the latest version, and includes a few small enhancements to the startup scripts and other components.

The codename for Meridian 2023.1.3 is Beaker.

Bug

  • POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)

  • Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)

  • Plaintext Password Present in the Web logs (Issue NMS-15305)

  • Stored XSS on Quick-Add Node (Issue NMS-15308)

  • Adding new thresholds to an existing group often throws an IndexOutOfBoundsException (Issue NMS-15334)

  • Geographical Map map search capability is not as described in the docs (Issue NMS-15426)

  • A small typo in plugin.sh prevents artifacts from GitHub from being included in containers (Issue NMS-15592)

  • Foundation-2020: Snmp4JValueFactory: getOctetString displayable should be true (Issue NMS-15599)

  • Syslog Northbounder maxMessageSize config option is not used (Issue NMS-15606)

  • Jetty CVE-2023-26048/CVE-2023-26049 (Issue NMS-15612)

  • Update to latest groovy 2.x (Issue NMS-15633)

  • $OPENNMS_HOME/etc/THIRD-PARTY.txt has gone missing with Horizon 31.0.6 and onwards (Issue NMS-15636)

  • SNMPv3 support for AES256 appears broken (Issue NMS-15637)

New Feature

  • Add a CLI mechanism to set the admin password (Issue NMS-15221)

Story

  • Add KPI for boolean containerization status (Issue NMS-15368)

  • Implement collector config extensions – NMS side (Issue NMS-15585)

  • Usage statistics docs updated to include containerization status (Issue NMS-15627)

Enhancement

  • Smoke test improvements and small tweaks to help developers (Issue NMS-15387)

  • Enable AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE in shipped opennms.service systemd file (Issue NMS-15596)

Task

  • Visualization of database-report templates in docs (Issue NMS-15423)

  • DOC: Pull changes into foundation branch (Issue NMS-15658)

Release Meridian-2023.1.2

Release 2023.1.2 contains a bunch of bug fixes, along with fixes for several security vulnerabilities.

The codename for Meridian 2023.1.2 is Count von Count.

Bug

  • DOC: Document Newts fetch step / heartbeat settings in opennms.properties (Issue NMS-10155)

  • Document the function hiding Meta-Data values with keynames containing "password" or "secret" (Issue NMS-12808)

  • Scriptd consumes CPU even when it does nothing (Issue NMS-13216)

  • dependabot: upgrade Apache POI to at least 4.1.1 (CVE-2019-12415) (Issue NMS-14589)

  • POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)

  • Multiple CVEs for cxf 3.2.8 (Issue NMS-15065)

  • The management of alarms (escalation, and acknowledge) on the new MAP UI does not work for user without ROLE_REST. (Issue NMS-15080)

  • Concurrent requests to rrd summary endpoint fails (Issue NMS-15086)

  • Statistics Reports → Export Excel fails with exception (Issue NMS-15148)

  • No health check for the OpenNMS Core container (Issue NMS-15291)

  • Missing Security Headers (Issue NMS-15302)

  • Stored XSS On-Call Roles (Issue NMS-15307)

  • Stored XSS on Quick-Add Node (Issue NMS-15308)

  • [Web] - Session Fixation/Misconfigured Session Cookie Implementation (Issue NMS-15310)

  • Inconsistent expectations on TimeseriesStorageManager.get() with null return values (Issue NMS-15323)

  • The various SNMP extenders do not work with ifIndex-indexed resources (Issue NMS-15342)

  • SNMP Interfaces Endpoint returns multiple values [duplicates] when there are multiple "IP Interfaces" pointing to same SNMP-IfIndex "ipAdEntIfIndex". (Issue NMS-15352)

  • Missing XML Validation in Apache Xerces2 (Issue NMS-15373)

  • Adding or editing a schedule outage doesn’t reload the configuration for Threshd (Issue NMS-15420)

  • M2022 Minions > 2022.1.8 Cannot use SCV credentials (Issue NMS-15450)

  • Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)

  • Minimum system requirements does not enumerate RHEL9 support (Issue NMS-15499)

  • Cortex plugin has no LICENSE.md (Issue NMS-15521)

  • upgrade Xalan to 2.7.3 (CVE-2022-34169) (Issue NMS-15578)

Task

  • DOC: Update replacement tokens documentation (Issue NMS-15045)

  • Vulnerable c3p0 0.9.1.1 packaged in Meridian 2021 (Issue NMS-15072)

  • DOC: Restructure Alarm History documentation (Issue NMS-15287)

Story

  • Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)

Unexpected Behavior

  • Following cross-site links logs out current session (Issue NMS-15320)

Enhancement

  • DOC: Create documentation for vacuumd (Issue NMS-15440)

  • Update docs to include RHEL9 and Rocky/Alma compatibility (Issue NMS-15500)

  • re-enable license maven plugin as a separate job (Issue NMS-15572)

Release Meridian-2023.1.1

Release 2023.1.1 is a bugfix release that also incorporates several documentation improvements, upgrades a couple of library dependencies, and improves how plugins are included in the container images.

The codename for Meridian 2023.1.1 is Cookie Monster.

Story

  • Upgrade ActiveMQ to 5.15 (Issue NMS-12089)

  • Add documentation for using Scheduled Outages (Issue NMS-12621)

  • Meridian 2023 Testing (Issue NMS-15152)

Enhancement

  • Replace wiki links across all codebase (Issue NMS-13912)

  • dependabot: mockito 3.4.6 to 4.6.1 (Issue NMS-14586)

  • DOC: Timeseries Documentation (Issue NMS-14959)

  • DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)

  • Update dual write docs to clarify configuration (Issue NMS-15425)

  • PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)

Bug

  • Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)

  • Minion on Ubuntu fails to start (Issue NMS-15160)

  • Upgrade HikariCP to 5.x (Issue NMS-15171)

  • Docs: The "Housekeeping Tasks" page should not tell the user to always run fix-karaf-setup.sh on upgrade (Issue NMS-15296)

  • Elevation on Feather nav bar header casts undesirable shadow (Issue NMS-15367)

  • Docs: Update path reference for PostgreSQL config files (Issue NMS-15381)

  • opennms-karaf-health is not last in featuresBoot — might miss status for a few features (Issue NMS-15407)

  • Invalid syntax due to typo in provisiond snmp graph (Issue NMS-15434)

Task

  • Number examples in service monitor chapters (Issue NMS-15215)

  • Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

  • Move the logic for downloading plugins into the Dockerfile (Issue NMS-15401)

  • Disable DEBs packages for Meridian 2023 (Issue NMS-15412)

Epic

  • Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)

Release Meridian-2023.1.0

Release 2023.1.0 is the first of the Meridian 2023 series, based on Horizon 31 and incorporating work done in that series and in Horizon 30.

This new major-version release introduces several breaking changes (see below).

Breaking Changes

  • The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.

  • The OpenNMS Plugin API (OPA) has been updated to 1.3.0. OPA plugins intended to run in Meridian 2023.1.0 must implement version 1.0.0 or higher.

  • The provisiond-configuration.xml file has been replaced with a new implementation based on the new configuration management API, which resides outside the filesystem. See What’s New in Meridian 2023 for more information.

  • Meridian Docker images are now based on a minimal install of Ubuntu, rather than CentOS. Symlinks are provided to match the old paths in /opt, but it’s possible you will run into subtle differences when transitioning.

  • The org.opennms.netmgt.collectd.strictInterval setting now defaults to true. See What’s New in Meridian 2023 for more information.

Known issues

The following known issues impact Meridian 2023.1.0; we expect all to be fixed in the next micro-version release:

  • Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding ROLE_REST to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention.

  • On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay in data starting to be persisted, or a hard failure necessitating a restart of the core. See NMS-15326 for details.

  • The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.

Shout-outs

The codename for Meridian 2023.1.0 is Kermit the Frog.

Enhancement

  • Remove image-related defaults from Docker container makefile (Issue NMS-13583)

  • Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)

  • Include Minion version on "Manage Minions" page (Issue NMS-14493)

  • Dependabot: leaflet from 1.7.1 to 1.8.0 (Issue NMS-14584)

  • Error compiling Cisco MIB (Issue NMS-14640)

  • Make the cloud connect plugin available in container images (Issue NMS-15012)

  • Data collection and graph definitions for provisiond performance (Issue NMS-15018)

  • Update docs to include RHEL 9 install instructions (Issue NMS-15147)

  • Test and Document Support for PostgreSQL 15 (Issue NMS-15151)

  • Make the ALEC plugin available in container images (Issue NMS-15349)

  • Make the Cortex TSS plugin available in container images (Issue NMS-15350)

  • Smoke test improvements and small tweaks to help developers (Issue NMS-15387)

Task

  • Geo Map: Add content to the map marker pop up (Issue NMS-13698)

  • Uncontrolled Resource Consumption in Jackson-databind (Issue NMS-15030)

  • CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)

  • CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)

  • Vulnerable JUnit dependency (Issue NMS-15074)

  • RHEL9 installation documentation tab (Issue NMS-15079)

  • Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)

  • Add flow version table to Flow Introduction (Issue NMS-15158)

  • Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)

  • Change OpenNMS Copyright from 2022 to 2023 in the documentation footer (Issue NMS-15212)

  • JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)

  • JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)

  • JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)

  • Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

  • Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)

  • Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)

  • Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)

Unexpected Behavior

  • RPM packages fail to install when FIPS Enabled (Issue NMS-14628)

  • Link on Netflow9 to main Netflow doc is broken (Issue NMS-15144)

Bug

  • Missing /run/opennms on Ubuntu (Issue NMS-14650)

  • RRD persistence with default configs in our Horizon OCI points to wrong libjrrd2.so (Issue NMS-14778)

  • Chrome/Edge Web Browser : Geographical Map Node Counters are wrong (Issue NMS-14792)

  • OpenNMS opennms start fails on Ubuntu (Issue NMS-14838)

  • Multiple stored and reflected XSS in webapp (Issue NMS-14854)

  • horizon.oci contains more than one container image (Issue NMS-14896)

  • Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)

  • Form Resubmission From Cache (Issue NMS-14933)

  • XML Entity Expansion Injection in geolocation API (Issue NMS-14988)

  • Remove reference to remote pollers (Issue NMS-15017)

  • RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)

  • Default limit of 10 is not working for event queries (Issue NMS-15123)

  • Flows adapters don’t start on Sentinel running as a container. (Issue NMS-15161)

  • Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)

  • CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)

  • CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)

  • CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)

  • CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)

  • CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)

  • CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)

  • CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)

  • CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)

  • CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)

  • CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)

  • CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)

  • CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)

  • CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)

  • CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)

  • CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)

  • Update docs TOC to include missing notification commands file (Issue NMS-15266)

  • Meridian 2023 old UI pages have Horizon Logo (Issue NMS-15281)

  • NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)

  • Poor contrast in navigation menu of OG UI (Issue NMS-15283)

  • Styling of Feather / Vue UI in Meridian does not match OG UI (Issue NMS-15284)

  • Stealing Cookies using Reflected XSS via graph results (Issue NMS-15292)

  • Sanitize request parameters in outage/list.htm (Issue NMS-15294)

  • Plaintext Password Present in the Web logs (Issue NMS-15305)

  • Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)

  • RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)

  • Dead transaction in flow thresholding on sentinel (Issue NMS-15340)

  • Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)

  • When we fail to start up, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)

  • ALEC plugin dependency update (Issue NMS-15391)

Story

  • Revive PoweredBy section in new docs (Issue NMS-14703)

  • Modify foreign source in HeartbeatConsumer to ignore docker interfaces and detect SNMP agent (Issue NMS-14855)

  • SNMP Community retrieval through SCV on Minion (Issue NMS-15008)

  • Add JSON support (in addition to GBP) to the Kafka producer for flows (Issue NMS-15027)

  • Backport deploy-base update from develop to release-31.x (upgrades JRE minor version, adds vim-tiny, less) (Issue NMS-15046)

  • Add KPI for Appliance count by model (Issue NMS-15051)

  • Velocloud plugin 1.0 is compatible with Meridian 2023 (Issue NMS-15138)

  • ALEC 3.0 is compatible with Meridian 2023 (Issue NMS-15139)

  • Cortex TSS plugin 2.0.1 is compatible with Meridian 2023 (Issue NMS-15140)

  • Cloud services connector plugin is compatible with Meridian 2023 (Issue NMS-15141)

  • Geo Map node groups should split into individual markers (Issue NMS-15150)

  • Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)

  • Accessibility testing for rebranded Meridian 2023 UI (Issue NMS-15224)

  • Penetration testing for Meridian 2023 (Issue NMS-15225)

  • Meridian container images are signed (Issue NMS-15341)

Epic

  • Publish container images to a container registry other than DockerHub (Issue NMS-15091)

  • Meridian 2023 release testing (Issue NMS-15137)

  • Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)

Sub-task

  • Installation of Meridian Minion, Sentinel, Core and Node. (Issue NMS-15388)

  • Minion routes traffic to Core. (Issue NMS-15389)

  • Sentinel offloads flows from Core. (Issue NMS-15405)