Changelog

Release Meridian-2024.1.5

Release 2024.1.5 contains a bunch of security updates, bug fix and an enhancement.

Task

  • Update grpc to to the next version to address CVEs (Issue NMS-16180)

  • Update org.apache.kafka:kafka to version 3.6.2 or higher. (Issue NMS-16507)

  • Purge jettison 1.4.x from the system directory (Issue NMS-16513)

  • Update BouncyCastle bcpkix to 1.78 (Issue NMS-16514)

Bug

  • Usage statistics reporter throws an NPE in the stdout on startup (Issue NMS-16435)

Configuration

  • Need to Update the Example Event Forwarder Script (Issue NMS-16501)

Release Meridian-2024.1.4

Release 2024.1.4 contains a bunch of bug fixes and an enhancement.

Bug

  • Meridian 2024 passwordGate page shows up incorrectly (Issue NMS-16484)

Task

  • Alarm Resync (Issue NMS-16489)

  • Update to Netty 4 (Issue NMS-16496)

  • Update pgjdbc to version 42.5.5 (Postgres sql JDBC driver) (Issue NMS-16503)

  • Update forked version of nekohtml parser to `>= 1.9.22.noko2`version of Nokogiri if applicable (Issue NMS-16504)

  • Update Apache CXF to 4.0.4, 3.6.3 or 3.5.8 to fix CVE-2024-28752 (Issue NMS-16505)

Release Meridian-2024.1.3

Release 2024.1.3 contains a bunch of security updates.

Bug

  • Stored XSS on "Monitoring Locations" (Issue NMS-16443)

  • Host Header Injection (Issue NMS-16450)

  • [Web] - Missing Secure Flag on Session Cookie (Issue NMS-16451)

Release Meridian-2024.1.2

Release 2024.1.2 contains an enhancement and a couple of bug fixes.

Task

  • Stalled threads in telemetryd parser (Issue NMS-16243)

Bug

  • Cross-Frame Scripting-CWE ID : 1021 Web scan vulnerability (Issue NMS-16369)

  • Address CVE-2020-15522 (Issue NMS-16384)

  • Querying Alarms by alarmId leads to a page that loses context on refresh (Issue NMS-16417)

  • Stored XSS on "MIB Compiler" (Issue NMS-16444)

  • Stored XSS on "Scheduled Outages" (Issue NMS-16445)

  • Missing Access Control on "Grafana Endpoints" (Issue NMS-16446)

  • Missing Access Control on "Geocoder Configuration" (Issue NMS-16447)

  • Stored XSS on "Node Label" (Issue NMS-16448)

  • Detailed server configuration in the error (Issue NMS-16449)

Release Meridian-2024.1.1

Release 2024.1.1 contains an enhancement to clean up the dependencies in Sentinel.

Enhancement

  • Audit multi-version dependencies in Karaf (Sentinel Proof-of-Concept) (Issue NMS-16294)

Release Meridian-2024.1.0

Release 2024.1.0 is the first of the Meridian 2024 series, based on Horizon 33 and incorporating work done in that series and in Horizon 32.

Enhancement

  • Remove image-related defaults from Docker container makefile (Issue NMS-13583)

  • Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)

  • Include Minion version on "Manage Minions" page (Issue NMS-14493)

  • Dependabot: leaflet from 1.7.1 to 1.8.0 (Issue NMS-14584)

  • Error compiling Cisco MIB (Issue NMS-14640)

  • Make the cloud connect plugin available in container images (Issue NMS-15012)

  • Data collection and graph definitions for provisiond performance (Issue NMS-15018)

  • Update docs to include RHEL 9 install instructions (Issue NMS-15147)

  • Test and Document Support for PostgreSQL 15 (Issue NMS-15151)

  • Make the ALEC plugin available in container images (Issue NMS-15349)

  • Make the Cortex TSS plugin available in container images (Issue NMS-15350)

  • Smoke test improvements and small tweaks to help developers (Issue NMS-15387)

  • Document the asynchronous datacollection engine (Issue NMS-15737)

  • Update install script to clear Karaf cache (Issue NMS-16226)

  • Add option to import-requisition command to block until import is done (Issue NMS-16343)

  • Rename User Data Collection feature to Product Update Enrollment (Issue NMS-16353)

  • Configurable option for Kafka Producer CollectionSet buffer size (Issue NMS-16366)

  • Docs page for Info REST service (Issue NMS-16351)

  • Add var-bind section into notification docs (Issue NMS-13273)

  • Provisiond threads description discrepancies (Issue NMS-14766)

  • Metadata DSL: Add metadata interpolation capability onto more threshold fields (Issue NMS-15667)

  • Switch our Docker base to UBI (Issue NMS-15788)

  • Docs: Add install note on DNS resolution (Issue NMS-15792)

  • Extend PageSequenceMonitor to allow basic auth credentials (Issue NMS-15802)

  • Expand BlueCat DNS Data Collection (Issue NMS-15865)

  • Add confd support to Sentinel container (Issue NMS-16149)

  • Docs: Remove deprecated resourcecli section (Issue NMS-16216)

  • Upgrade to latest Karaf 4.3 (Issue NMS-16249)

  • Deprecate VMware 3-5 collection/graphs (Issue NMS-16266)

  • Fix formatting in snmp-graph.properties.d files (Issue NMS-16269)

  • Docs: Update install docs for monitoring database connection (Issue NMS-16286)

  • Update container confd to default Postgres SSL to prefer (Issue NMS-16287)

  • Allow fix-permissions and update-package-permissions scripts to set ownership for customized users (Issue NMS-16406)

Task

  • Geo Map: Add content to the map marker pop up (Issue NMS-13698)

  • Uncontrolled Resource Consumption in Jackson-databind (Issue NMS-15030)

  • CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)

  • CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)

  • Vulnerable JUnit dependency (Issue NMS-15074)

  • RHEL9 installation documentation tab (Issue NMS-15079)

  • Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)

  • Add flow version table to Flow Introduction (Issue NMS-15158)

  • JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)

  • JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)

  • JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)

  • Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

  • Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)

  • Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)

  • Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)

  • Metadata DSL: Elasticsearch Integration (Issue NMS-15752)

  • Update UI for Admin password change prompt (Issue NMS-15780)

  • Create Initial Node Structure Page (Issue NMS-16037)

  • Update UI dependencies to latest Vue3, feather, etc. (Issue NMS-16045)

  • Node structure page: Union/Intersection category filter switch (Issue NMS-16058)

  • Node structure: add unit tests (Issue NMS-16060)

  • Structured Node List: Add smoke test (Issue NMS-16061)

  • Structured node list: Export CSV/XLS (Issue NMS-16064)

  • Unzip command is missing from UBI images (Issue NMS-16087)

  • Convert Menu store to pinia (Issue NMS-16092)

  • Structured node list: UX Updates (Issue NMS-16103)

  • Structured node list: handle legacy query strings (Issue NMS-16116)

  • Structured node list: UX updates Part 2 (Issue NMS-16123)

  • Structured node list: Merge feature branch to develop (Issue NMS-16124)

  • Convert NodeStructure store to pinia (Issue NMS-16125)

  • Node structure: Add management IP address (Issue NMS-16126)

  • Node structure: Make preferences persistent (Issue NMS-16130)

  • Convert Node store to pinia (Issue NMS-16136)

  • Update Vue UI README with dev workflow instructions (Issue NMS-16142)

  • Convert more stores to pinia (Issue NMS-16144)

  • Convert auth, usageStats and other stores to pinia (Issue NMS-16154)

  • Convert deviceStore etc to pinia, remove vuex from project (Issue NMS-16156)

  • DOCS: Document structured node list (Issue NMS-16210)

  • Docs: Remove reference to 'opennms-cloud-plugin' plugin (Issue NMS-16231)

Unexpected Behavior

  • RPM packages fail to install when FIPS Enabled (Issue NMS-14628)

  • Link on Netflow9 to main Netflow doc is broken (Issue NMS-15144)

Bug

  • Missing /run/opennms on Ubuntu (Issue NMS-14650)

  • RRD persistence with default configs in our Horizon OCI points to wrong libjrrd2.so (Issue NMS-14778)

  • Chrome/Edge Web Browser : Geographical Map Node Counters are wrong (Issue NMS-14792)

  • OpenNMS opennms start fails on Ubuntu (Issue NMS-14838)

  • Multiple stored and reflected XSS in webapp (Issue NMS-14854)

  • horizon.oci contains more than one container image (Issue NMS-14896)

  • Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)

  • Form Resubmission From Cache (Issue NMS-14933)

  • XML Entity Expansion Injection in geolocation API (Issue NMS-14988)

  • Remove reference to remote pollers (Issue NMS-15017)

  • RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)

  • Default limit of 10 is not working for event queries (Issue NMS-15123)

  • Flows adapters don’t start on Sentinel running as a container. (Issue NMS-15161)

  • Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)

  • CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)

  • CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)

  • CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)

  • CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)

  • CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)

  • CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)

  • CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)

  • CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)

  • CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)

  • CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)

  • CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)

  • CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)

  • CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)

  • CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)

  • CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)

  • Update docs TOC to include missing notification commands file (Issue NMS-15266)

  • Meridian 2023 old UI pages have Horizon Logo (Issue NMS-15281)

  • NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)

  • Poor contrast in navigation menu of OG UI (Issue NMS-15283)

  • Styling of Feather / Vue UI in Meridian does not match OG UI (Issue NMS-15284)

  • Stealing Cookies using Reflected XSS via graph results (Issue NMS-15292)

  • Sanitize request parameters in outage/list.htm (Issue NMS-15294)

  • Plaintext Password Present in the Web logs (Issue NMS-15305)

  • Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)

  • RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)

  • Dead transaction in flow thresholding on sentinel (Issue NMS-15340)

  • Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)

  • When we fail to start up, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)

  • ALEC plugin dependency update (Issue NMS-15391)

  • DroolsAlarmContext error - alarm facts out of sync (Issue NMS-16208)

  • Running the config-tester -a throws an IllegalStateException for ActiveMQ context (Issue NMS-16355)

  • CVE-2024-3094 investigation (Issue NMS-16396)

  • Container image build fails with a wrong reference to deploy-base:ubi9-3.3.0.b265-jre-17 (Issue NMS-16399)

  • Hikari CP leaking threads (Issue NMS-16345)

  • LdapMonitor does not work when a Minion is the poller (Issue NMS-16349)

  • The script showing the Karaf process status in our container image requires "ps" (Issue NMS-16356)

  • VMware credentials exposed in provisiond log file (Issue NMS-16357)

  • Collectd can’t persist time series data and throwing a NPE with "java.util.List.size()" because "rraList" is null (Issue NMS-16358)

  • Issue installing on Debian 11 Reported by Customer (Issue NMS-16309)

  • Missing information in downtime model docs (Issue NMS-10133)

  • R-Core fails to install following the Horizon 30 Install Docs (Issue NMS-14777)

  • Surveillance Dashboard shows acknowledged Alarms (Issue NMS-15448)

  • Access Denied when deleting a node with admin user (Issue NMS-15746)

  • Typo in Configuring Minion via confd README (Issue NMS-15901)

  • "Dismiss" in Usage Statistics Sharing Notice is misleading (Issue NMS-16027)

  • Links in node table open both in current tab and in a new tab (Issue NMS-16047)

  • Fix Geographical Map after vue-leaflet upgrade (Issue NMS-16065)

  • Top of page search displays 'Show nodes with severity' multiple times (Issue NMS-16067)

  • Device config upload failed with org.apache.sshd.common.SshException: EdDSA provider not supported (Issue NMS-16131)

  • Data choices plugin throws a NPE when user clicks on show collected data. (Issue NMS-16151)

  • Event parameters with <> not rendering in event/alarm views (Issue NMS-16157)

  • Users with ROLE_READONLY can add, modify, and delete alarm memos (Issue NMS-16162)

  • Docs: Meridian plugins reference wrong package names (Issue NMS-16164)

  • Fix resource types for default Postgres collection (Issue NMS-16165)

  • Service detail page displays wrong collectd package (Issue NMS-16167)

  • enlinkd logging hibernate errors (lack of unique index) (Issue NMS-16199)

  • Zookeeper 3.4.6 version mismatch in Meridian 2021 (Issue NMS-16209)

  • upgrade ActiveMQ to latest 5.15.x (Issue NMS-16218)

  • Documentation build failing: cannot find antora/xref-validator (Issue NMS-16227)

  • Node structure: fix sorting (Issue NMS-16246)

  • OpenConfig Connector parameter frequency in incorrect unit (Issue NMS-16253)

  • Container flag -t does not pass correct arguments (Issue NMS-16265)

  • Cortex plugin does not start automatically (Issue NMS-16272)

  • PostgreSQL monitor url parameter metadata PostgreSQL monitor url parameter metadata cannot be resolved properly and collection fails consequently (Issue NMS-16374)

  • Unable to display varbind’s form feed characters and other control characters in events (Issue NMS-16395)

Story

  • Revive PoweredBy section in new docs (Issue NMS-14703)

  • Modify foreign source in HeartbeatConsumer to ignore docker interfaces and detect SNMP agent (Issue NMS-14855)

  • SNMP Community retrieval through SCV on Minion (Issue NMS-15008)

  • Add JSON support (in additional to GBP) to the Kafka producer for flows (Issue NMS-15027)

  • Backport deploy-base update from develop to release-31.x (upgrades JRE minor version, adds vim-tiny, less) (Issue NMS-15046)

  • Add KPI for Appliance count by model (Issue NMS-15051)

  • Velocloud plugin 1.0 is compatible with Meridian 2023 (Issue NMS-15138)

  • ALEC 3.0 is compatible with Meridian 2023 (Issue NMS-15139)

  • Cortex TSS plugin 2.0.1 is compatible with Meridian 2023 (Issue NMS-15140)

  • Cloud services connector plugin is compatible with Meridian 2023 (Issue NMS-15141)

  • Geo Map node groups should split into individual markers (Issue NMS-15150)

  • Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)

  • Accessibility testing for rebranded Meridian 2023 UI (Issue NMS-15224)

  • Penetration testing for Meridian 2023 (Issue NMS-15225)

  • Meridian container images are signed (Issue NMS-15341)

  • Metadata DSL: Documentation for Metadata DSL updates (Issue NMS-15774)

  • Document change in login password behaviour (Issue NMS-15775)

  • Smoke test for Admin password change (Issue NMS-15866)

  • Admin Password Change: UX Review and Updates (Issue NMS-15867)

  • Admin Password Change: Merge to develop (Issue NMS-15868)

  • User is redirected to landing page after password change is done (Issue NMS-16036)

  • Use pinia instead of vuex in Vue UI (Issue NMS-16043)

  • Add pinia stores to UI but do not yet activate them (Issue NMS-16068)

  • Metadata DSL: Persist poller parameters as meta data (Issue NMS-16146)

  • Node structure: more query params (fs:fid, snmp, sys) (Issue NMS-16197)

  • Remove plugin 'opennms-cloud-plugin' from installation (Issue NMS-16219)

  • Geo Map: enable user-defined map to be the default one (Issue NMS-16229)

  • DOCS: Document Geographical Map user-defined map (Issue NMS-16230)

  • Add node-gyp to fix CircleCI build-ui errors (Issue NMS-16242)

  • News Feed: UI Panel and REST Service (Issue NMS-16282)

  • Web UI for User Data Collection (Issue NMS-16283)

  • User Data Collection: Database / Rest / CM work (Issue NMS-16284)

Epic

  • Publish container images to a container registry other than DockerHub (Issue NMS-15091)

  • Meridian 2023 release testing (Issue NMS-15137)

  • Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)

  • Opt-In User Data: Name, email and company Collection (Issue NMS-16279)

Sub-task

  • Installation of Meridian Minion, Sentinel, Core and Node. (Issue NMS-15388)

  • Minion routes traffic to Core. (Issue NMS-15389)

  • Sentinel offloads flows from Core. (Issue NMS-15405)

New Feature

  • Metadata DSL: VMware Integration (Issue NMS-15753)

  • Metadata DSL: WSMAN Integration (Issue NMS-15754)

  • Metadata DSL: TL1D Integration (Issue NMS-15755)

  • Metadata DSL: JMX Data-collection (Issue NMS-15756)

  • Metadata DSL: XML Data-collection (Issue NMS-15757)

  • Metadata DSL: HTTP/HTTPS Data-collection (Issue NMS-15758)

  • Metadata DSL: Notification Credentials (Issue NMS-15759)

  • Metadata DSL: Ticketer Plugins (Issue NMS-15760)

  • Metadata DSL: Trapd Configuration (Issue NMS-15761)

  • Metadata DSL: JCIFS Monitor (Issue NMS-15762)

  • Metadata DSL: IFTTT Configuration (Issue NMS-15763)

  • Metadata DSL: Repository Configuration (Issue NMS-15764)

  • Metadata DSL: [OPTIONAL] Consistent *-config.xml Configurations (Issue NMS-15765)

  • Metadata DSL: Evaluate feasability to support metadata in Drools rules (Issue NMS-15766)

  • Metadata DSL: Change default poller and collectd configuration files to reflect ability to use metadata (Issue NMS-16016)

  • Metadata DSL: snmp-config.xml & SNMP Profiles (Issue NMS-16028)

  • Metadata DSL: change default opennms-datasources.xml to reflect the possibility of using metadata (Issue NMS-16029)

  • OpenShift: Document the impact of disabling allowPrivilegeEscalation (Issue NMS-16239)

  • Update wording to Product Update Sign Up (Issue NMS-16352)