CyRC Vulnerability Advisory: CVE-2023-0871 Vulnerability in OpenNMS Horizon

Overview

The Black Duck Cybersecurity Research Center (CyRC) has discovered CVE-2023-0871, an XML external entity injection vulnerability, in OpenNMS Horizon.

OpenNMS is a Java language open source network monitoring platform. The OpenNMS platform monitors some of the largest networks in the Fortune 500, covering the healthcare, technology, energy, finance, government, education, retail, and industrial sectors, many with tens of thousands of networked devices.

OpenNMS comes in two open source distributions: Horizon (community release) and Meridian (enterprise release) with the AGPLv3 license. Additional components enhance the platform with distributed network monitoring (Minion), scalability (Sentinel), and scalable data persistence (Newts).

CVE-2023-0871

Due to a permissive XML parser configuration, the application is vulnerable to XML External Entity injection.

Exploitation

When sending a malicious HTTP request with XML payload, it is possible to exfiltrate files from the OpenNMS server file system or cause denial of service. The vulnerable HTTP endpoint requires user credentials for users with the role RTC.

Affected software

• OpenNMS Horizon 0.8 and earlier versions

Impact

Exploitation of this vulnerability would lead to

• Data leakage (XXE: blind local file inclusion)
• Denial of service
• Server-side request forgery (sending arbitrary HTTP requests to internal and external services)

CVSS Base Score: 8.8 (High)

CVSS 3.1 Vector:  AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

The data leakage is limited to textual files the application process is permitted to read, with one line of text.

Remediation

This vulnerability was fixed in the Horizon 32.0.2 and Meridian 2023.1.6 releases.