Patch Now: OpenNMS Bug Steals Data, Triggers Denial of Service

Published: 23/11/2024   Category: security




Monitoring platform is trusted by Cisco, Savannah River Nuclear Solutions, and others in CISA's critical infrastructure sectors, say Synopsys researchers.



Maintainers of OpenNMS patched a high-severity vulnerability in both the community-supported and subscription-based versions of the widely used open source network monitoring software.
The XML external entity (XXE) injection vulnerability gives attackers a way to exfiltrate data from the OpenNMS file server system, send arbitrary HTTP requests to internal and external services, and trigger denial-of-service conditions on affected systems.
Researchers from Synopsys discovered the vulnerability in June and reported it to the maintainers of OpenNMS, who released a patch last week.

CVE-2023-0871 impacts both Meridian and Horizon, the subscription-based and community-supported, respectively, versions of the OpenNMS network monitoring platform, says Ben Ronallo, vulnerability management engineer for Synopsys. This platform is trusted by companies like Cisco, GigaComm, Savannah River Nuclear Solutions (SRNS), as well as others in CISA's Critical Infrastructure Sectors, he adds.
Organizations use OpenNMS to monitor their local and distributed networks for a variety of uses, including performance management, traffic monitoring, fault detection, and alarm generation. The Java-based platform supports the monitoring of both physical and virtual networks, applications, servers, business performance indications, and custom metrics.
The free version of OpenNMS Horizon is a community-driven project that includes many of the same features as the subscription-based OpenNMS Meridian version. However, it lacks the support and easier release and update cycles available with the subscription version.
According to Synopsys, CVE-2023-0871 stems from a permissive XML parser configuration that makes the parser prone to XML external entity attacks. An XML parser configuration is permissive if, for example, it allows external files and URLs to be referenced within XML. XXE vulnerabilities, like those discovered by Synopsys, allow an attacker to essentially interfere with an application's processing of XML data.
CVE-2023-0871 is an XXE injection attack, which leverages the default credentials for the Realtime Console (RTC) REST API, Ronallo says. This attack modifies trusted XML data by anticipating how the data is processed. This enables an attacker to potentially compromise other physical and/or virtual systems, view files on the system running the vulnerable app, or make HTTP requests to other systems via Server-Side Request Forgery (SSRF), he notes.
The OpenNMS project described the vulnerability as affecting OpenNMS Horizon 31.0.8 and versions prior to 32.0.2 on multiple platforms. The maintainers of the project urged organizations using affected versions of the software to update to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. The alert reminded organizations not to make OpenNMS directly accessible over the Internet and to ensure that it is installed and used only within an organization's internal network.
Assuming users of the platform adhere to OpenNMS' recommendation to only install within private networks, the likelihood of this attack succeeding is reduced to malicious insiders, Ronallo says. This could include a compromised user or a disgruntled employee. However, if successfully exploited, this vulnerability could lead to system compromise.
CVE-2023-0871 is one of several vulnerabilities that researchers have uncovered in OpenNMS so far this year. Among the more serious of them are CVE-2023-0870, a cross-site request forgery issue with a CVSS score of 8.1 that is present in multiple versions of OpenNMS Horizon and Meridian, and CVE-2023-0846, an unauthenticated cross-site scripting vulnerability in both OpenNMS versions.
