Changelog
Release Meridian-2023.1.7
Release 2023.1.7 contains a bunch of documentation updates, as well as a number of bug fixes and enhancements including improvements to the Karaf core startup, polling and node search fixes, IPv6 support in ILR, and a fix for loading the Cortex timeseries plugin.
The codename for Meridian 2023.1.7 is Zoot.
Bug
-
Intermittent error starting Telemetryd: No adapter found for class: org.opennms.netmgt.telemetry.protocols.netflow.adapter.netflow5.Netflow5Adapter (Issue NMS-15345)
-
Polling fails when rrd-status is set to true (Issue NMS-15806)
-
Provisioning policies do not apply (Issue NMS-16031)
-
null value in column "eventlog" PSQLException (Issue NMS-16048)
-
Prevent Invalid Node Filter Search from revealing SQL query (Issue NMS-16057)
-
Cortex-tss-plugin 2.0.1 does not work on v32 (Issue NMS-16104)
-
Update Instrumentation Log Reader to parse IPv6 addresses (Issue NMS-16114)
Release Meridian-2023.1.6
Release 2023.1.6 contains several important security fixes, one fix for a potential DoS vulnerability, and a handful of general bug fixes and enhancements.
Thanks to the following researchers for responsibly disclosing security issues in this release:
-
Moshe Apelbaum reported issue NMS-15699.
-
Jordi Miralles reported issues NMS-15703, NMS-15782, and NMS-15783.
-
OSS Fuzz reported issue NMS-15877.
The codename for Meridian 2023.1.6 is Snuffleupagus.
Breaking changes
-
This release removes the "3d" variation from the JFreeChart integration, because that style has been removed upstream.
Bug
-
Document the function hiding Meta-Data values with keynames containing "password" or "secret" (Issue NMS-12808)
-
Prevent Angular evaluation of strings enclosed by two curly braces in non-Angular form-fields and output (Issue NMS-15504)
-
backport fixes from Spring Security 5.x to custom Spring Security 4.2.20.RELEASE (Issue NMS-15663)
-
XXE injection via /rtc/post using the default rtc credentials (Issue NMS-15699)
-
ROLE_REST can be used to escalate to ROLE_ADMIN via /rest/users (Issue NMS-15703)
-
Requisition multi-threaded import is not optimal (Issue NMS-15776)
-
Stored XSS in multiple JSP files in opennms/opennms (Issue NMS-15782)
-
Reflected XSS in multiple JSP files in opennms/opennms (Issue NMS-15783)
-
POSTINSTALL scriptlet may fail if data/tmp/ is present but empty (Issue NMS-15809)
-
Kafka Producer incapable of using SSL (Issue NMS-15859)
-
CVEs for postgresql JDBC driver 42.2.18 (Issue NMS-15861)
-
Corrected Keystore setup instructions for minion on docker (Issue NMS-16017)
-
OpenNMS Search Bar does not retrieve nodes without foreignsource and foreignid (Issue NMS-16030)
-
Error on startup with Invalid CEN header exception (Issue NMS-16034)
Enhancement
-
Improve Kafka section of message broker docs in the deployment section (Issue NMS-15632)
-
Disable BeanShell interpreter remote server mode (Issue NMS-15793)
-
Include Node metadata in Measurement API query responses even if no resource data exists (Issue NMS-15839)
-
Extend filter syntax to include isSnmpPrimary (Issue NMS-15842)
-
Add docs to describe the default RRD storage retention (Issue NMS-16033)
Release Meridian-2023.1.5
Release 2023.1.5 contains several security fixes, a generous helping of other bug fixes, documentation improvements, and several small enhancements intended to improve supportability.
The codename for Meridian 2023.1.5 is Bunsen Honeydew.
Thanks to Erik Wynter for reporting several of the security issues fixed in this release.
Bug
-
Inconsistent references to JMXCollect/Monitor for "password-clear"/"password_clear" (Issue NMS-14884)
-
Database threads stuck idle_in_transaction (Issue NMS-15108)
-
Use UNKNOWN direction when not set in Netflow 9 or IPFIX template (Issue NMS-15134)
-
When upgrading Minion from an older version on RHEL based systems, the service file doesn’t point to the main installation, but rather to /etc/init.d/minion which doesn’t exist (Issue NMS-15600)
-
When upgrading Sentinel from an older version, the service file doesn’t point to the main installation, but rather to /etc/init.d/sentinel which doesn’t exist (Issue NMS-15601)
-
Minion connectivity config docs start the user in the wrong directory (Issue NMS-15618)
-
Docs need an update on what a Minion is able to do (Issue NMS-15620)
-
ROLE_FILESYSTEM_EDITOR can be used to escalate to ROLE_ADMIN via /opennms/rest/filesystem/contents?f=users.xml (Issue NMS-15702)
-
Authenticated XXE injection via the file editor (Issue NMS-15704)
-
Various corrections/clarifications needed in Sentinel install/configure docs (Issue NMS-15708)
-
https redirection is partially broken (Issue NMS-15732)
-
Setting scan interval to -1 results in an error (Issue NMS-15768)
-
Docs need updating to include support for Kafka 3 (Issue NMS-15777)
-
Add /usr/lib64/jvm to find-java.sh search paths (Issue NMS-15784)
-
Memory leak when using Groovy scripts in provisiond ScriptPolicy (Issue NMS-15798)
-
Polling fails when rrd-status is set to true (Issue NMS-15806)
-
Database deadlock triggered by NodeRestService (Issue NMS-15816)
Release Meridian-2023.1.4
Release 2023.1.4 contains one CVE-related security fix, a generous helping of other bug fixes, and several small enhancements intended to improve supportability.
The codename for Meridian 2023.1.4 is Zoot.
Breaking changes
-
This release has moved to a newer major version of Spring Security to address a number of CVEs, which necessitated changes to the $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml file, so if you have modified this file in your installs, be sure to note your changes so you can reapply them to the updated version.
-
The script $OPENNMS_HOME/bin/install checked whether $myuser equals $RUNAS before sourcing $OPENNMS_HOME/etc/opennms.conf, which caused startup to fail every time unless the script were run as root; if you have patched that file on your system, watch out for a .rpmsave or .dpkg-new file.
Enhancement
-
Codify code copyright conventions and guidelines (Issue NMS-13908)
-
Add diagnostic commands to Karaf shell for various internal schedulers (Issue NMS-14526)
-
Node Properties REST endpoint doesn’t include asset location data (Issue NMS-14785)
-
Add a method for finding and clearing alarms by TTicketID to OPA’s AlarmDAO (Issue NMS-15439)
-
Upgrade Spring Security (Issue NMS-15506)
-
Simplify the installation docs (Issue NMS-15518)
-
Docs: Add info about XSLT to XmlCollector (Issue NMS-15693)
-
Doc: Update DNS provisioning import adapter docs (Issue NMS-15694)
Bug
-
Fixing typo for event uei.opennms.org/internal/schedOutagesChanged (Issue NMS-15421)
-
Sentinels need local copy of thresholding config. (Issue NMS-15422)
-
Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)
-
Backshift graph’s Data tab shows incorrect / phantom data when using STACK (Issue NMS-15495)
-
Status Overview box calculation included the alarms and outages from nodes outside of the assigned categories (Issue NMS-15526)
-
install script checks for equality of myuser and RUNAS before sourcing opennms.conf (Issue NMS-15610)
-
send-events-to-elasticsearch karaf command passes username/password in reverse (Issue NMS-15638)
-
SCV passwords visible unredacted in Karaf (Issue NMS-15640)
-
Meridian Minion 2023 and 2022 installation docs for RHEL 8/9 use the repo URL for 2021/rhel8 (Issue NMS-15665)
-
Doc: File name syslog-grok-patterns.txt is wrong (Issue NMS-15684)
-
Stop packaging activemq-web-console.war (Issue NMS-15686)
-
Database deadlock caused by JdbcFilterDao (Issue NMS-15696)
-
Karaf SSH locks up if connections are terminated improperly (Issue NMS-15714)
Release Meridian-2023.1.3
Release 2023.1.3 contains four security vulnerability fixes and a generous helping of other bug fixes. It also updates the plugin host to the latest version, and includes a few small enhancements to the startup scripts and other components.
The codename for Meridian 2023.1.3 is Beaker.
Bug
-
POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)
-
Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)
-
Plaintext Password Present in the Web logs (Issue NMS-15305)
-
Stored XSS on Quick-Add Node (Issue NMS-15308)
-
Adding new thresholds to an existing group often throws an IndexOutOfBoundsException (Issue NMS-15334)
-
Geographical Map map search capability is not as described in the docs (Issue NMS-15426)
-
A small typo in plugin.sh prevents artifacts from GitHub to be included in containers (Issue NMS-15592)
-
Foundation-2020: Snmp4JValueFactory: getOctetString displayable should be true (Issue NMS-15599)
-
Syslog Northbounder maxMessageSize config option is not used (Issue NMS-15606)
-
Jetty CVE-2023-26048/CVE-2023-26049 (Issue NMS-15612)
-
Update to latest groovy 2.x (Issue NMS-15633)
-
$OPENNMS_HOME/etc/THIRD-PARTY.txt has gone missing with Horizon 31.0.6 and onwards (Issue NMS-15636)
-
SNMPv3 support for AES256 appears broken (Issue NMS-15637)
New Feature
-
Add a CLI mechanism to set the admin password (Issue NMS-15221)
Release Meridian-2023.1.2
Release 2023.1.2 contains a bunch of bug fixes, along with fixes for several security vulnerabilities.
The codename for Meridian 2023.1.2 is Count von Count.
Bug
-
DOC: Document Newts fetch step / heartbeat settings in opennms.properties (Issue NMS-10155)
-
Document the function hiding Meta-Data values with keynames containing "password" or "secret" (Issue NMS-12808)
-
Scriptd consumes CPU even when it does nothing (Issue NMS-13216)
-
dependabot: upgrade Apache POI to at least 4.1.1 (CVE-2019-12415) (Issue NMS-14589)
-
POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)
-
Multiple CVEs for cxf 3.2.8 (Issue NMS-15065)
-
The management of alarms (escalation, and acknowledge) on the new MAP UI does not work for user without ROLE_REST. (Issue NMS-15080)
-
Concurrent requests to rrd summary endpoint fails (Issue NMS-15086)
-
Statistics Reports → Export Excel fails with exception (Issue NMS-15148)
-
No health check for the OpenNMS Core container (Issue NMS-15291)
-
Missing Security Headers (Issue NMS-15302)
-
Stored XSS On-Call Roles (Issue NMS-15307)
-
Stored XSS on Quick-Add Node (Issue NMS-15308)
-
[Web] - Session Fixation/Misconfigured Session Cookie Implementation (Issue NMS-15310)
-
Inconsistent expectations on TimeseriesStorageManager.get() with null return values (Issue NMS-15323)
-
The various SNMP extenders do not work with ifIndex-indexed resources (Issue NMS-15342)
-
SNMP Interfaces Endpoint returns multiple values [duplicates] when there are multiple "IP Interfaces" pointing to same SNMP-IfIndex "ipAdEntIfIndex". (Issue NMS-15352)
-
Missing XML Validation in Apache Xerces2 (Issue NMS-15373)
-
Adding or editing a schedule outage doesn’t reload the configuration for Threshd (Issue NMS-15420)
-
M2022 Minions > 2022.1.8 Cannot use SCV credentials (Issue NMS-15450)
-
Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)
-
Minimum system requirements does not enumerate RHEL9 support (Issue NMS-15499)
-
Cortex plugin has no LICENSE.md (Issue NMS-15521)
-
upgrade Xalan to 2.7.3 (CVE-2022-34169) (Issue NMS-15578)
Story
-
Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)
Unexpected Behavior
-
Following cross-site links logs out current session (Issue NMS-15320)
Release Meridian-2023.1.1
Release 2023.1.1 is a bugfix release that also incorporates several documentation improvements, upgrades a couple of library dependencies, and improves how plugins are included in the container images.
The codename for Meridian 2023.1.1 is Cookie Monster.
Enhancement
-
Replace wiki links across all codebase (Issue NMS-13912)
-
dependabot: mockito 3.4.6 to 4.6.1 (Issue NMS-14586)
-
DOC: Timeseries Documentation (Issue NMS-14959)
-
DOC: Configuration Manager API for External Requisitions is not documented (Issue NMS-15019)
-
Update dual write docs to clarify configuration (Issue NMS-15425)
-
PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)
Bug
-
Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)
-
Minion on Ubuntu fails to start (Issue NMS-15160)
-
Upgrade HikariCP to 5.x (Issue NMS-15171)
-
Docs: The "Housekeeping Tasks" page should not tell the user to always run fix-karaf-setup.sh on upgrade (Issue NMS-15296)
-
Elevation on Feather nav bar header casts undesirable shadow (Issue NMS-15367)
-
Docs: Update path reference for PostgreSQL config files (Issue NMS-15381)
-
opennms-karaf-health is not last in featuresBoot — might miss status for a few features (Issue NMS-15407)
-
Invalid syntax due to typo in provisiond snmp graph (Issue NMS-15434)
Task
-
Number examples in service monitor chapters (Issue NMS-15215)
-
Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
-
Move the logic for downloading plugins into the Dockerfile (Issue NMS-15401)
-
Disable DEBs packages for Meridian 2023 (Issue NMS-15412)
Epic
-
Visual differentiation of Meridian 2023 web UI versus Horizon 31 (Issue NMS-15265)
Release Meridian-2023.1.0
Release 2023.1.0 is the first of the Meridian 2023 series, based on Horizon 31 and incorporating work done in that series and in Horizon 30.
This new major-version release introduces several breaking changes (see below).
Breaking Changes
-
The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.
-
The OpenNMS Plugin API (OPA) has been updated to 1.3.0. OPA plugins intended to run in Meridian 2023.1.0 must implement version 1.0.0 or higher.
-
The provisiond-configuration.xml file has been replaced with a new implementation based on the new configuration management API, which resides outside the filesystem. See What’s New in Meridian 2023 for more information.
-
Meridian Docker images are now based on a minimal install of Ubuntu, rather than CentOS. Symlinks are provided to match the old paths in /opt, but it’s possible you will run into subtle differences when transitioning.
-
The org.opennms.netmgt.collectd.strictInterval setting now defaults to true. See What’s New in Meridian 2023 for more information.
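The script-location requirement for GpDetector and ScriptPolicy is an allow-listed-directory check, and such a check is only as good as the path canonicalization that precedes the comparison: a relative path with "..", a symlink planted inside the allowed directory, or a sibling directory whose name merely starts with the allowed root can all slip past a naive string-prefix test. The POSIX shell snippet below is an added illustration written for these notes, not code from the OpenNMS project; the directory layout, file names and helper names (canonical_path, script_allowed, demo_setup, demo_report, demo_cleanup) are constructed for the demonstration. It follows a symlinked final component, lets pwd -P collapse ".." and symlinked parents, and compares against the root with a trailing slash.

```shell
#!/bin/sh
# Added example, not OpenNMS code: a path-containment check of the kind the
# GpDetector / ScriptPolicy restriction implies. Directory layout, file names
# and helper names are constructed for the demonstration.

# Resolve PATH to its physical location. A symlinked final component is
# followed hop by hop (bounded, so a symlink loop cannot hang the check) and
# `pwd -P` collapses ".." and symlinked parent directories. The file itself
# need not exist; its parent directory must.
canonical_path() {
  _p=$1
  _hops=0
  while [ -L "$_p" ]; do
    _hops=$((_hops + 1))
    [ "$_hops" -le 16 ] || return 1
    _l=$(readlink "$_p") || return 1
    case "$_l" in
      /*) _p=$_l ;;
      *)  _p=$(dirname "$_p")/$_l ;;
    esac
  done
  _dir=$(cd "$(dirname "$_p")" 2>/dev/null && pwd -P) || return 1
  printf '%s/%s\n' "$_dir" "$(basename "$_p")"
}

# script_allowed ROOT PATH: succeed only if PATH resolves to a location
# beneath ROOT. The pattern is "$_root"/* with the slash, so a sibling such
# as /opt/opennms-evil does not match a root of /opt/opennms.
script_allowed() {
  _root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  _target=$(canonical_path "$2") || return 1
  case "$_target" in
    "$_root"/*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Constructed layout: an OPENNMS_HOME with etc/script-policies, a look-alike
# sibling directory, an outside directory, and a symlink inside
# script-policies that points at a script outside it.
demo_setup() {
  DEMO_HOME=$(mktemp -d) || return 1
  DEMO_POLICIES=$DEMO_HOME/etc/script-policies
  DEMO_OUTSIDE=$DEMO_HOME.outside
  mkdir -p "$DEMO_POLICIES" "$DEMO_HOME-evil" "$DEMO_OUTSIDE"
  : > "$DEMO_POLICIES/ok.groovy"
  : > "$DEMO_OUTSIDE/escape.groovy"
  : > "$DEMO_HOME-evil/lookalike.groovy"
  ln -s "$DEMO_OUTSIDE/escape.groovy" "$DEMO_POLICIES/link.groovy"
}

demo_cleanup() {
  rm -rf "$DEMO_HOME" "$DEMO_HOME-evil" "$DEMO_OUTSIDE"
}

# Print ALLOW or REJECT for one ROOT / PATH pair.
demo_verdict() {
  if script_allowed "$1" "$2"; then
    printf 'ALLOW  %s\n' "$2"
  else
    printf 'REJECT %s\n' "$2"
  fi
}

# Policy scripts are checked against etc/script-policies; the look-alike
# directory is checked against OPENNMS_HOME itself (the GpDetector root).
demo_report() {
  demo_verdict "$DEMO_POLICIES" "$DEMO_POLICIES/ok.groovy"
  demo_verdict "$DEMO_POLICIES" "$DEMO_POLICIES/../../../$(basename "$DEMO_OUTSIDE")/escape.groovy"
  demo_verdict "$DEMO_POLICIES" "$DEMO_POLICIES/link.groovy"
  demo_verdict "$DEMO_HOME" "$DEMO_HOME-evil/lookalike.groovy"
}

if demo_setup; then
  demo_report
  demo_cleanup
fi
```

Run it with sh: the in-place policy script is the only ALLOW; the ".." traversal, the symlink pointing outside and the look-alike sibling directory are all rejected. The same shape applies to the $OPENNMS_HOME root that GpDetector scripts are held to.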
Known issues
The following known issues impact Meridian 2023.1.0; we expect all to be fixed in the next micro-version release:
-
Regular users are unable to acknowledge or clear alarms from the geographical map’s integrated alarm browser. Until we identify a fix, it is possible to work around this problem by adding ROLE_REST to a user’s set of assigned roles. See NMS-15080 for details. Thanks to Ricardo Monteiro for bringing this problem to our attention.
-
On systems where dual-write time series persisting is enabled, an intermittent startup problem may cause either a delay in data starting to be persisted, or a hard failure necessitating a restarting of the core. See NMS-15326 for details.
-
The ALEC plugin currently cannot be successfully installed on a Sentinel node. At release time, it is unclear whether the problem lies in Sentinel or in ALEC. Some details are captured in NMS-15396.
Shout-outs
-
Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.
-
Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.
-
Thanks to Ricardo Monteiro for bringing the geo-map alarms problem NMS-15080 to our attention.
The codename for Meridian 2023.1.0 is Kermit the Frog.
Enhancement
-
Remove image-related defaults from Docker container makefile (Issue NMS-13583)
-
Add documentation for SELinux as a requirement to run OpenNMS (Issue NMS-14210)
-
Include Minion version on "Manage Minions" page (Issue NMS-14493)
-
Dependabot: leaflet from 1.7.1 to 1.8.0 (Issue NMS-14584)
-
Error compiling Cisco MIB (Issue NMS-14640)
-
Make the cloud connect plugin available in container images (Issue NMS-15012)
-
Data collection and graph definitions for provisiond performance (Issue NMS-15018)
-
Update docs to include RHEL 9 install instructions (Issue NMS-15147)
-
Test and Document Support for PostgreSQL 15 (Issue NMS-15151)
-
Make the ALEC plugin available in container images (Issue NMS-15349)
-
Make the Cortex TSS plugin available in container images (Issue NMS-15350)
-
Smoke test improvements and small tweaks to help developers (Issue NMS-15387)
Task
-
Geo Map: Add content to the map marker pop up (Issue NMS-13698)
-
Uncontrolled Resource Consumption in Jackson-databind (Issue NMS-15030)
-
CVE in Jolokia 1.3.3 dependency (Issue NMS-15068)
-
CVE-2021-37714 for jsoup (multiple versions) (Issue NMS-15069)
-
Vulnerable JUnit dependency (Issue NMS-15074)
-
RHEL9 installation documentation tab (Issue NMS-15079)
-
Document deviceconfig tftp maximumReceiveSize (Issue NMS-15121)
-
Add flow version table to Flow Introduction (Issue NMS-15158)
-
Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)
-
Change OpenNMS Copyright from 2022 to 2023 in the documentation footer (Issue NMS-15212)
-
JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)
-
JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)
-
JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)
-
Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)
-
Release notes / wart: ALEC not installable on M2023.1.0 / H31.0.4 Sentinel (Issue NMS-15403)
-
Release notes / wart: dual-write TS delay on startup (Issue NMS-15404)
-
Release notes / wart: Geo map alarms and ROLE_REST (thank Ricardo Monteiro for the report) (Issue NMS-15406)
Bug
-
Missing /run/opennms on Ubuntu (Issue NMS-14650)
-
RRD persistence with default configs in our Horizon OCI points to wrong libjrrd2.so (Issue NMS-14778)
-
Chrome/Edge Web Browser : Geographical Map Node Counters are wrong (Issue NMS-14792)
-
OpenNMS opennms start fails on Ubuntu (Issue NMS-14838)
-
Multiple stored and reflected XSS in webapp (Issue NMS-14854)
-
horizon.oci contains more than one container image (Issue NMS-14896)
-
Regression: install script fails if an OpenNMS directory contains root-owned lost+found directory (Issue NMS-14919)
-
Form Resubmission From Cache (Issue NMS-14933)
-
XML Entity Expansion Injection in geolocation API (Issue NMS-14988)
-
Remove reference to remote pollers (Issue NMS-15017)
-
RHEL9/CentOS9/Rocky 9 need chkconfig package to enable service properly (Issue NMS-15093)
-
Default limit of 10 is not working for event queries (Issue NMS-15123)
-
Flows adapters don’t start on Sentinel running as a container. (Issue NMS-15161)
-
Jetty context startup failures are not clearly communicated to the user (Issue NMS-15179)
-
CVE-2017-7504 for javassist 3.18.2-ga and 3.19.0-ga (Issue NMS-15191)
-
CVE-2017-7504 for jboss-logging 3.1.0.cr2 (Issue NMS-15192)
-
CVE-2014-2228 for org.restlet 1.1.10 (Issue NMS-15193)
-
CVE-2019-13990 for quartz 2.2.3 (Issue NMS-15194)
-
CVE-2022-45047 for sshd-sftp 2.5.1 (Issue NMS-15195)
-
CVE-2021-21342 and 7 others for xstream 1.4.11.1 (Issue NMS-15196)
-
CVE-2014-9970 for jasypt 1.9.0 (Issue NMS-15197)
-
CVE-2021-33813 for jdom2 2.0.6 (Issue NMS-15198)
-
CVE-2022-40149 and CVE-2022-40150 for jettison 1.3.8 (Issue NMS-15199)
-
CVE-2016-5725 for jsch 0.1.51 (Issue NMS-15200)
-
CVE-2022-3171 for protobuf-java 3.16.1 (Issue NMS-15201)
-
CVE-2018-17187 for proton-j 0.14.0 (Issue NMS-15202)
-
CVE-2017-15288 and CVE-2020-7907 for scala-library 2.11.0 and 2.12.12 (Issue NMS-15203)
-
CVE-2020-13936 for velocity 1.7 (Issue NMS-15204)
-
CVE-2020-11988 for xmlgraphics-commons 1.4 (Issue NMS-15205)
-
Update docs TOC to include missing notification commands file (Issue NMS-15266)
-
Meridian 2023 old UI pages have Horizon Logo (Issue NMS-15281)
-
NPE in karaf.log when parallel TSDB writes enabled (Issue NMS-15282)
-
Poor contrast in navigation menu of OG UI (Issue NMS-15283)
-
Styling of Feather / Vue UI in Meridian does not match OG UI (Issue NMS-15284)
-
Stealing Cookies using Reflected XSS via graph results (Issue NMS-15292)
-
Sanitize request parameters in outage/list.htm (Issue NMS-15294)
-
Plaintext Password Present in the Web logs (Issue NMS-15305)
-
Upgrade Apache Kafka Dependency Beyond 3.2.0 (Issue NMS-15317)
-
RingBufferTimeseriesWriter.destroy can take a long time or hang due to BlockingServiceLookup.lookup in WorkProcessors (Issue NMS-15324)
-
Dead transaction in flow thresholding on sentinel (Issue NMS-15340)
-
Regular requisition editor empty state incorrectly names external requisitions (Issue NMS-15347)
-
When we fail to start up, we don’t exit with a non-zero exit code so failures cannot be properly reflected in containers (Issue NMS-15386)
-
ALEC plugin dependency update (Issue NMS-15391)
Story
-
Revive PoweredBy section in new docs (Issue NMS-14703)
-
Modify foreign source in HeartbeatConsumer to ignore docker interfaces and detect SNMP agent (Issue NMS-14855)
-
SNMP Community retrieval through SCV on Minion (Issue NMS-15008)
-
Add JSON support (in addition to GBP) to the Kafka producer for flows (Issue NMS-15027)
-
Backport deploy-base update from develop to release-31.x (upgrades JRE minor version, adds vim-tiny, less) (Issue NMS-15046)
-
Add KPI for Appliance count by model (Issue NMS-15051)
-
Velocloud plugin 1.0 is compatible with Meridian 2023 (Issue NMS-15138)
-
ALEC 3.0 is compatible with Meridian 2023 (Issue NMS-15139)
-
Cortex TSS plugin 2.0.1 is compatible with Meridian 2023 (Issue NMS-15140)
-
Cloud services connector plugin is compatible with Meridian 2023 (Issue NMS-15141)
-
Geo Map node groups should split into individual markers (Issue NMS-15150)
-
Distributed IPC mechanisms all work in Meridian 2023 (Issue NMS-15223)
-
Accessibility testing for rebranded Meridian 2023 UI (Issue NMS-15224)
-
Penetration testing for Meridian 2023 (Issue NMS-15225)
-
Meridian container images are signed (Issue NMS-15341)