CVE-2015-0975

From OpenNMS
Jump to: navigation, search

All OpenNMS versions prior to 14.0.3 have been found vulnerable to an XXE attack, which can provide access to local filesystem data.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-0975 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Background

OpenNMS uses Castor for XML processing in RTC, the daemon responsible for tracking node/interface/service availability. Due to historical details of how RTC's data is displayed in the web UI, it would POST status data to a servlet using a username and password of rtc. While this password was meant to be configurable, the default username was rarely (if ever) changed in user installations, and due to bit rot it appears to no longer work in modern OpenNMS installations.


Castor is vulnerable to an XXE attack which can expose external entities in exception messages (CVE-2014-3004) and the RTC POST servlet exposes those exceptions upon error. It is possible for attackers to craft an RTC post which can reveal the contents of system files outside of OpenNMS.

Required Actions

Recommended: Upgrade to 14.0.3

It is strongly recommended that all users of OpenNMS upgrade to OpenNMS 14.0.3 (or later, if available).

OpenNMS 1.12 or Higher: Alter the Spring Security Configuration

If you cannot immediately upgrade, you should change the Spring Security context on OpenNMS 1.12 or higher by editing or replacing $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml, changing the "OpenNMS Realm" <http> section to use expressions which limit the IP address.

Sample replacements for the default spring security configuration files for OpenNMS 1.12.x and 14.x are available for download here. These sample files limit RTC POST access to connections from 127.0.0.1:

   <http pattern="/**" access-denied-page="/accessDenied.jsp" realm="OpenNMS Realm" use-expressions="true">
       ...
       <intercept-url pattern="/rtc/post/**" access="hasRole('ROLE_RTC') and hasIpAddress('127.0.0.1/32')"/>

Please remember that if you have modified this file for Single Sign On access via LDAP, Kerberos or some other service, you will need to carefully merge this in versus just replacing it. Please back up this file before making any changes, and you will need to restart OpenNMS.

OpenNMS Older than 1.12

For many reasons (not just security), we recommend upgrading to a newer version. However, if you MUST remain on an old OpenNMS version, we recommend putting OpenNMS behind a web proxy that will block the requests to /opennms/rtc/post/*. RTC will still be able to connect to jetty on 127.0.0.1, but the public-facing servlet exposure will be mitigated.