OpenNMS Meridian Release Notes

login.jsp page is still visible/accessible after being authenticated by pre-authentication (Issue NMS-14078)

Prevent Angular evaluation of strings enclosed by two curly braces in non-Angular form-fields and output (Issue NMS-15504)

Polling fails when rrd-status is set to true (Issue NMS-15806)

Back-port Angular evaluation prevention in non-Angular fields to foundation-2020 (Issue NMS-16052)

Update Instrumentation Log Reader to parse IPv6 addresses (Issue NMS-16114)

backport fixes from Spring Security 5.x to custom Spring Security 4.2.20.RELEASE (Issue NMS-15663)

ROLE_REST can be used to escalate to ROLE_ADMIN via /rest/users (Issue NMS-15703)

Stored XSS in multiple JSP files in opennms/opennms (Issue NMS-15782)

Reflected XSS in multiple JSP files in opennms/opennms (Issue NMS-15783)

protobuf-java has a potential Denial of Service issue (Issue NMS-15877)

Error on startup with Invalid CEN header exception (Issue NMS-16034)

Disable BeanShell interpreter remote server mode (Issue NMS-15793)

Inconsistent references to JMXCollect/Monitor for "password-clear"/"password_clear" (Issue NMS-14884)

Database deadlock caused by JdbcFilterDao (Issue NMS-15696)

https redirection is partially broken (Issue NMS-15732)

Add /usr/lib64/jvm to find-java.sh search paths (Issue NMS-15784)

Polling fails when rrd-status is set to true (Issue NMS-15806)

Verify which .properties files in $OPENNMS_HOME/etc/ should be overwritten by upgrade (Issue NMS-15430)

This release has moved to a newer major version of Spring Security to address a number of CVEs, which necessitated changes to the $OPENNMS_HOME/jetty-webapps/opennms/WEB-INF/applicationContext-spring-security.xml file, so if you have modified this file in your installs, be sure to note your changes so you can re-apply them to the updated version.

Invalid redirect when behind a reverse proxy (Issue NMS-14805)

Events and alarms search return error 405 POST method not allowed (Issue NMS-15031)

Fixing typo for event uei.opennms.org/internal/schedOutagesChanged (Issue NMS-15421)

Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)

Backshift graph’s Data tab shows incorrect / phantom data when using STACK (Issue NMS-15495)

install script checks for equality of myuser and RUNAS before sourcing opennms.conf (Issue NMS-15610)

send-events-to-elasticsearch karaf command passes username/password in reverse (Issue NMS-15638)

backport spring-security updates from NMS-15506 to Meridian 2020 (Issue NMS-15662)

Doc: File name syslog-grok-patterns.txt is wrong (Issue NMS-15684)

Stop packaging activemq-web-console.war (Issue NMS-15686)

Multiple CVEs for Axis 1.4 (Issue NMS-15061)

Bring back URL deep-linking (Issue NMS-15414)

backport event search fixes (NMS-12517 and NMS-14918) to foundation-2020 (Issue NMS-15679)

POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)

Cacheable HTTPS Responses - Cache Control Directive Missing or Misconfigured (Issue NMS-14936)

Plaintext Password Present in the Web logs (Issue NMS-15305)

Syslog Northbounder maxMessageSize config option is not used (Issue NMS-15606)

Jetty CVE-2023-26048/CVE-2023-26049 (Issue NMS-15612)

update to latest groovy 2.x (Issue NMS-15633)

$OPENNMS_HOME/etc/THIRD-PARTY.txt has gone missing with Horizon 31.0.6 and onwards (Issue NMS-15636)

Enable AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND_SERVICE in shipped opennms.service systemd file (Issue NMS-15596)

Scriptd consumes CPU even when it does nothing (Issue NMS-13216)

dependabot: upgrade Apache POI to at least 4.1.1 (CVE-2019-12415) (Issue NMS-14589)

POW Arithmetic Operator Does not work with Backshift Graphing Engine (Issue NMS-14779)

Multiple CVEs for cxf 3.2.8 (Issue NMS-15065)

Concurrent requests to rrd summary endpoint fails (Issue NMS-15086)

Statistics Reports → Export Excel fails with exception (Issue NMS-15148)

Cross-Site Scripting (XSS) Stored on User List (Issue NMS-15306)

Missing XML Validation in Apache Xerces2 (Issue NMS-15373)

Adding or editing a schedule outage doesn’t reload the configuration for Threshd (Issue NMS-15420)

Event Datetime element parsing changed between M2018 and M2021 (Issue NMS-15471)

upgrade Xalan to 2.7.3 (CVE-2022-34169) (Issue NMS-15578)

Vulnerable c3p0 0.9.1.1 packaged in Meridian 2021 (Issue NMS-15072)

re-enable license maven plugin as a separate job (Issue NMS-15572)

Upgrade ActiveMQ to 5.15 (Issue NMS-12089)

The Info ReST endpoint is not showing the services status (Issue NMS-13437)

Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14865)

smoke test failure: Expected to see "opennms" but got "meridian" (Issue NMS-15468)

Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

PersistRegexSelectorStrategy is not where the docs say it should be (Issue NMS-15461)

The GpDetector and ScriptPolicy now require that their scripts be located beneath $OPENNMS_HOME and beneath $OPENNMS_HOME/etc/script-policies, respectively. If you are using either of these classes in your foreign-source definitions, please address this requirement before upgrading to this release.

Support for JNLP (aka Java Web Start) for the remote poller has been removed. If you are still using the remote poller, which is long deprecated and unsupported, and has been removed entirely from Meridian 2022 and later releases, you may be able to move from JNLP to the command-line implementation.

Thanks to researcher Baharuddin Zulkifli of NetbyteSEC for reporting several cross-site scripting vulnerabilities.

Thanks to researcher Stefan Schiller of SonarSource for reporting a pair of authenticated command-injection vulnerabilities.

The release notes for Meridian-2020.1.31 incorrectly stated that NMS-15124 was fixed in that release. In actual fact, the fix is in this release (Meridian-2020.1.32).

Multiple stored and reflected XSS in webapp (Issue NMS-14854)

Authenticated Command Injection in GpDetector and ScriptPolicy (Issue NMS-14878)

reloading BSM daemon causes the state of serviceProblem alarm to be reset (Issue NMS-15124)

Plaintext Password Present in the Web logs (Issue NMS-15305)

JAVA_KEYALIAS Variable needs to be updated (Issue NMS-15239)

JAVA_KEYSTORE Variable needs to be updated (Issue NMS-15240)

JAVA_STOREPASS Variable needs to be updated (Issue NMS-15241)

Document the breaking changes done as part of Limit script file locations for GpDetector and ScriptPolicy (Issue NMS-15288)

remove remote-poller-jnlp (Issue NMS-15343)

reloading BSM daemon causes the state of serviceProblem alarm to be reset (Issue NMS-15124)

Change OpenNMS Copyright from 2022 to 2023 (Issue NMS-15211)

RPM packages fail to install when FIPS Enabled (Issue NMS-14628)

Form Autocomplete Attribute Not Set (Issue NMS-14934)

Cookie Attribute - SameSite Attribute Missing or Misconfigured (Issue NMS-14937)

opennms rpm could get wrong jetty files (Issue NMS-15043)

Unexpected interfaceDown event/alarm during a scheduled outage (Issue NMS-14695)

Duplicate V3 trap security names causing spurious errors on non V3 traps (Issue NMS-14718)

Kafka Producer NPE causes collection failure overall (Issue NMS-14740)

Reflected XSS (PB-2022, Aug 2022) (Issue NMS-14713)

Browser-Specific XSS (PB-2022, Aug 2022) (Issue NMS-14714)

Form Can Be Manipulated with Cross-Site Request Forgery (CSRF) (Issue NMS-14716)

Session Cookie (Authentication Related) Does Not Contain The "HTTPOnly" Attribute (Issue NMS-14717)

change or remove how Docker SSH keys are generated (Issue NMS-14643)

Graph page doesn’t escape <> in resource labels (Issue NMS-14657)

PassiveStatusd (Issue NMS-8567)

Provisiond (Issue NMS-8569)

Please update the copyright year on the docs page! (Issue NMS-13911)

Upgrade dom4j to latest version (Issue NMS-14696)

Change OIA name to OpenNMS Plugin API (Issue NMS-14475)

Migrate Notification wiki pages into docs (Issue NMS-13584)

show-event-config displays unexpected content after adding new event definitions (Issue NMS-12863)

Clearing an alarm brings alarm not found message (Issue NMS-12981)

JVM MemoryPool data collection not working (Issue NMS-14041)

WebMonitor does not track the response time (Issue NMS-14535)

Spring Framework CVE-2022-22950 Remediation (Issue NMS-14568)

simplify assembly tarballs (Issue NMS-14572)

Correct Grammar in Notices Box (Issue NMS-12355)

Link in ERROR log doesn’t exist (Issue NMS-13956)

RRD file parsing failed with newts-repository-converter (Issue NMS-14079)

Heatmap drill down does not show any alarms/outages (Issue NMS-14243)

Notification with Destination Path and Group, Interval Delay doesnt show (Issue NMS-14403)

event nodeCategoryMembershipChanged should be more verbose (Issue NMS-10634)

Add support for pre-authorization via HTTP header (to be used with pre-authentication) (Issue NMS-14059)

upgrade JNA to 5 (Issue NMS-14417)

[Web] - WebServer Fingerprinting (Issue NMS-13987)

Telemetryd does not shut down gracefully (Issue NMS-14003)

Exception when searching assets (Issue NMS-14240)

Remove "Commercial Support" ticket lookup from web ui support section (Issue NMS-14280)

Circle ci caching OIA issue (Issue NMS-14291)

Kafka-Producer Alarm Resync Failing Post Entire Kafka Cluster Outage (Issue NMS-14321)

CVE-2022-22965: Spring RCE in Data Bindings (Issue NMS-14134)

Upgrade groovy-all dependency (Issue NMS-14208)

make sure license-maven-plugin is re-enabled in foundation and release branches (Issue NMS-14217)

Upgrade jackson-mapper-asl dependency (Issue NMS-14252)

Resolve SonarCloud High priority Security Hotspots (Issue NMS-14002)

Scriptd helpers ignore community setting (Issue NMS-14045)

Wrong wiki URL in debian installer (Issue NMS-14053)

Switch to using a java e-mail library instead of system mail (Issue NMS-14015)

Misspelling in SystemExecuteMonitor error text (Issue NMS-14091)

relicense rancid-api to LGPL, change dependency to match (Issue NMS-14093)

OpenNMS points to the wrong URL when trying to generate graphs (Issue NMS-14057)

opennms user credentials wrongly exposed (Issue NMS-12146)

Support → System Report exposes credentials in plain text (Issue NMS-13831)

Cross site scripting - Reflected (Issue NMS-13835)

Password field with autocomplete enabled (Issue NMS-13847)

Web UI copyright year needs updating (Issue NMS-14037)

Releases should document third party libraries and their licenses (Issue NMS-14004)

config-tester doesn’t find malformed resourceTypes (Issue NMS-13723)

Event configuration UI fails to persist logmsg dest changes (Issue NMS-13729)

Outdated javascript library (Issue NMS-13848)

grafana endpoint can be used to port-scan internal resources (Issue NMS-13917)

Minion fails to marshall requisition with JAXB error: Class [org.opennms.netmgt.model.PrimaryTypeAdapter] not found (Issue NMS-13927)

Unsynchronized access to service factories in TelemetryServiceRegistryImpl (Issue NMS-13961)

Upgrade protobuf-java version (Issue NMS-13889)

Customer is not able to view Topology (Issue NMS-13851)

CVE-2021-45105: Update to Log4j 2.17.0 (Issue NMS-13868)

upgrade to log4j2 2.17.1 and pax-logging 1.11.13/2.0.14 (Issue NMS-13878)

CVE-2021-45046: incomplete Log4j2 vulnerability mitigation (Issue NMS-13858)

Log4j2 0-day: CVE-2021-44228 (Issue NMS-13850)

Authorization changes not taking immediate effect (Issue NMS-13761)

CVE-2021-28164: access to WEB-INF (Issue NMS-13832)

Support multiple auth params for same SNMPV3 username (Issue NMS-13490)

The node and interface counters of the Evaluation Layer are incorrect (Issue NMS-13283)

EvaluationMetrics.log is contaminated with non-related metrics. (Issue NMS-13284)

Reflected XSS in webapp notice wizard (Issue NMS-13496)

macOS Monterey: older OpenNMS branches do not start anymore (Issue NMS-13703)

related events box in alarm detail shows all events when alarm has no node / interface / service / ifindex (Issue NMS-13705)

Incorporate node related information to events and alarms topic in opennms-kafka-producer feature (Issue NMS-12778)

Support multiple auth params for same SNMPV3 username (Issue NMS-13490)

Show Link State when viewing links on the Enlinkd topology maps (Issue NMS-13619)

Signed Minion container bleeding image shows revision as meridian-foundation-2021.1.4-1-487 (Issue NMS-13587)

missing fields in search autocomplete (Issue NMS-13518)

Syslog messages missing nodelabel, location, and interface (Issue NMS-13485)

Bump Apache Ant version to 1.10.11 (CVE-2021-36373, CVE-2021-36374) (Issue NMS-13509)

OutOfMemory issue on Minion (corner case related to Offheap) (Issue NMS-13405)

Jetty 9.4.38 security issues CVE-2021-28164, CVE-2021-34428 and CVE-2021-28169 (Issue NMS-13449)

Reflected XSS in webapp notice wizard (Issue NMS-13496)

Reflected XSS in scheduled outage editor (Issue NMS-13498)

Incorporate node related information to events and alarms topic in opennms-kafka-producer feature (Issue NMS-12778)

CVE-2020-13956: Update commons-httpclient to 4.5.13 (Issue NMS-13360)

CVE-2017-5929: bump logback-classic version to latest (Issue NMS-13361)

IP interface link in Response Time graph page is broken (Issue NMS-13158)

Got Access Denied when viewing On-Call Role schedule (Issue NMS-13287)

Validate query parameters in snmpInterfaces.jsp (Issue NMS-13308)

Validate name parameter in DestinationWizardServlet (Issue NMS-13309)

Incorrect reference to org.opennms.netmgt.syslog.cfg (Issue NMS-13223)

Location aware Requisitions from DNS (Issue NMS-13278)

Not possible to define notification parameters via "Configure notifications" UI (Issue NMS-8581)

Race condition on ALEC’s config bundle after installation (Issue NMS-12766)

Reflected XSS reported 2021-03-31 (update summary after disclosure) (Issue NMS-13229)

vmware integration connection pool not expiring connections (Issue NMS-13234)

Cleared alarms with closed ticket state not removed when using a hybrid approach (Issue NMS-13237)

Sidebar navigation on the graph results page is not working (Issue NMS-13259)

Time zone is handled different on Minion container image based on Ubuntu (Issue NMS-13276)

Apache Commons IO Security Update: CVE-2021-29425 (Issue NMS-13279)

Change Jetty default settings to eliminate TLS 1.0 and TLS 1.1 support (Issue NMS-10256)

Wrong UEI is picked when threshold alarms are generated (Issue NMS-13120)

XSS in notification wizard (Issue NMS-13123)

Generate Data collection throws error message "There is a group with same name, please pick another one" under MIB browser (Issue NMS-13143)

'Links on interface' table was missing for interface under node list (Issue NMS-13145)

Regular Expression field textbox greyed out for other Events except 'REGEX_FIELD' under Event notifications (Issue NMS-13149)

Query Regarding saving a filter URL with more than 255 characters in events ILP (Issue NMS-13152)

Kafka producer uses resource name instead of ifIndex as the instance for InterfaceLevelResource (Issue NMS-13185)

The behavior of the Ticketing API differs from older versions. (Issue NMS-13189)

CVE-2020-27223: Jetty DoS vulnerability (Issue NMS-13201)

Minion: Kafka related WARN log messages (AdminClientConfig The configuration X isn’t a known config) (Issue NMS-13208)

Minion SNMPv3 trap configuration query is done every 60 seconds (Issue NMS-13217)

Improve Event forwarding performance for Kafka producer (Issue NMS-13211)

Timezone and Grafana Dashboard fields not preserved when editing a scheduled report (Issue NMS-13064)

No option provided to change the number of records per page in Events ILP and Events/Alarms ILP under Topology (Issue NMS-13137)

The OpenNMS Web User Interface Has Experienced an Error observed when searching for a Event under Event notifications (Issue NMS-13148)

Node’s sub-option 'Availability' exceeds table alignment and overlaps next table of 'Notifications' under Topology section (Issue NMS-13153)

Newts Cache priming flag is inverted (Issue NMS-13156)

Dependabot: Upgrade Apache POI to 3.17 (CVE-2017-12626) (Issue NMS-13161)

add service status to rest /info API (Issue NMS-13135)

create a table to show related events in the alarm detail view (Issue NMS-13170)

Timezone and date range inconsistencies when scheduling database reports associated with Grafana dashboards. (Issue NMS-13070)

Exception messages during node import (log noise) (Issue NMS-13082)

SFlow enhancment is not functional (Issue NMS-13093)

JEXL expression handling updates (Issue NMS-13103)

Optionally silence file not found warnings for JICMP, JRRD when properties are not set (Issue NMS-13081)

When using a custom prefix, the Elasticsearch Forwarder for events and situation-feedback creates a wrong template. (Issue NMS-13030)

Depend on haveged (and supply it in our repo) (Issue NMS-8959)

report timezone changes break reading pre-existing reports from Quartz (Issue NMS-13037)

Timezone inconsistency when generating PDF reports from Grafana dashboards (Issue NMS-12930)

RRD files for SNMP data are not created until a Service Restart (Issue NMS-12974)

Unable to enable Jaeger tracing in Sentinel (Issue NMS-12998)

Update typo in BMP docs (Issue NMS-13002)

CVE-2020-27216: Jetty webserver vulnerability (Issue NMS-13009)

Null pointer exception whe minion receives traps (Issue NMS-13015)

Unable to poll Vcenter CIM - Calling something in OpenJDK11 that has been removed. (Issue NMS-12919)

service starts / restarts work but spit out an error if configured to wait for startup (Issue NMS-12966)

Alarm (v1 & v2) ReST Service PUT Can’t PUT Multiple Things (Issue NMS-12979)

Add custom string attributes based on indirect and complex SNMP Indices (Issue NMS-8484)

Identify message broker strategies in web "about" page (Issue NMS-12971)

HTTP Detector does not accept a response without a reason as valid (Issue NMS-10351)

Slack-compatible notification strategies expect "url" for switch name, should be "-url" (Issue NMS-10552)

opennms.pid missing when started by Systemd (Issue NMS-12769)

Interfaces incorrectly marked as having flows resulting in no data via Helm (Issue NMS-12814)

Response Time Summary database report missing latency caluculation (Issue NMS-12837)

SslContextFactory needs to be changed to SslContextFactory.Server in jetty.xml (Issue NMS-12847)

Wrong startup command for Minion running with Docker and health check issues (Issue NMS-12872)

Install guide RHEL instructions are invalid on RHEL 7 (Issue NMS-12891)

Update collectors chapter (Issue NMS-12682)

Include XML schema for wsman-datacollection-config.xml in assemblies (Issue NMS-12813)

Fix CollectdTest mock’ing errors (Issue NMS-12828)

Fix JMX datacollection config generator test (Issue NMS-12829)

Remove unused import in BsonUtils (Issue NMS-12830)

Update mockito/powermock dependencies (Issue NMS-12831)

Update Minion installation documentation (Issue NMS-12917)

sort custom reports (Issue NMS-12931)

Update Copyright notice for 2020 (Issue NMS-12933)