Security issue disclosures, 31 Jan 2020

Description

Multiple security issues reported via e-mail by Johannes Moritz (RIPS Technologies), who would like to be credited in release notes.

jmoritz and dbrinkrolf are the usernames for e-mail contact. Both are at ripstech.com.


Hi,

We found several security issues in OpenNMS with our static code analysis engine RIPS.

The severity of the found issues is from low to critical:

  • 3 Open Redirect vulnerabilities (low)

  • 9 Reflected Cross-Site Scripting issues (medium)

  • 1 HQL Injection (critical)

We have verified the issues with OpenNMS 25.1.2 (openjdk version "11.0.5" and xubuntu 18.04).

You will find the details in the attached markdown file.

I would be happy if you could credit me in the release notes or in the CVE details with "Johannes Moritz (RIPS Technologies)".

If you have further questions, don't hesitate to contact my colleague (in CC).

Best regards,

Johannes Moritz


Referenced markdown file follows.

[RIPS] found 3 Open Redirect issues in the following files of OpenNMS 25.1.2:

The first issue can be exploited via the GET parameter `redirect` by accessing the following URL:

`http://192.168.56.102:8980/opennms/alarm/acknowledge?redirect=http://google.com&actionCode=unack&alarm=1`

The second issue can be exploited via the GET parameter `redirect` by accessing the following URL:
`192.168.56.102:8980/opennms/notification/acknowledge?redirect=http://google.com&notices=1`

The third issue can be exploited via the GET parameter `redirect` by accessing the following URL:
`http://192.168.56.102:8980/opennms/alarm/acknowledgeByFilter?redirect=http://google.com&actionCode=unack`

For more information about fixing an OpenRedirect see:

https://owasp.org/www-project-cheat-sheets/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

## Reflected Cross-Site Scripting

We found 9 reflected XSS issues in the following files of OpenNMS 25.1.2:

### 1. load-assets.jsp

There are 2 reflected XSS issues in the file `load-assets.jsp`.
Both issues can be triggered without authentication.

### 2. resultsIndexNoCount.jsp

There are 3 XSS issues in the file `resultsIndexNoCount.jsp`. These issues require the victim to be authenticated.

### 3. resultsIndex.jsp

There are 3 XSS issues in the file `resultsIndex.jsp`. These issues require the victim to be authenticated.

### 4. notification-box.jsp

Information about fixing XSS issues can be found here:

https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

## HQL Injection
There is a HQL Injection in the NodeListController endpoint of OpenNMS. The HQL injection requires privileges of the role "ROLE_USER" (low privilege user).
The GET parameters `snmpParmValue` and `snmpParm` are concatenated into a HQL query in the function `org.opennms.web.svclayer.support.addCriteriaForSnmpParm`.
The concatenation of user input into a database query is insecure since malicious HQL commands can be injected and arbitrary data can be read from the database.
The following Listing shows the vulnerable function.
```java
// Vulnerable method as reported for OpenNMS 25.1.2 (org.opennms.web.svclayer.support):
// both snmpParm and snmpParmValue are concatenated straight into a native SQL
// restriction, so the request can alter the query structure.
private static void addCriteriaForSnmpParm(OnmsCriteria criteria,
        String snmpParm, String snmpParmValue, String snmpParmMatchType) {
    criteria.createAlias("node.ipInterfaces", "ipInterface");
    criteria.add(Restrictions.ne("ipInterface.isManaged", "D"));
    criteria.createAlias("node.snmpInterfaces", "snmpInterface");
    criteria.add(Restrictions.ne("snmpInterface.collect", "D"));
    if (snmpParmMatchType.equals("contains")) {
        // Criteria API call: the value is bound, but snmpParm still selects the property name
        criteria.add(Restrictions.ilike("snmpInterface.".concat(snmpParm), snmpParmValue, MatchMode.ANYWHERE));
    } else if (snmpParmMatchType.equals("equals")) {
        snmpParmValue = snmpParmValue.toLowerCase();
        // Native SQL assembled by string concatenation: this is the injection point
        criteria.add(Restrictions.sqlRestriction("{alias}.nodeid in (select nodeid from snmpinterface"
                + " where snmpcollect != 'D' and lower(snmp" + snmpParm + ") = '" + snmpParmValue + "')"));
    }
}
```
When accessing the following URL we can execute the `PostgreSQL` function `pg_sleep`:
`http://192.168.56.102:8980/opennms/element/nodeList.htm?snmpParm=collect&snmpParmValue=ab%27+and+%24%24%3D%27%24%24%3Dchr(61)||chr(39)and(select+pg_sleep(6))%3A%3Atext%3Dchr(39))+--&snmpParmMatchType=equals&listInterfaces=true`

For more information see:

https://owasp.org/www-community/Hibernate
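As an added example (not OpenNMS code and not the change made in the referenced PR), the hardened shape of the `equals` branch: the column suffix taken from `snmpParm` is checked against a fixed allowlist, because an identifier cannot be bound as a parameter, and `snmpParmValue` is bound through Hibernate's `Restrictions.sqlRestriction(String, Object, Type)` instead of being concatenated. The class name and the allowlist entries are assumptions; the real column set comes from the `snmpinterface` schema.

```java
import java.util.Set;

// Added example, not OpenNMS code: safe construction of the sqlRestriction
// used by addCriteriaForSnmpParm. Column names are allowlisted, values are bound.
public final class SafeSnmpParmCriteria {
    // Assumed suffixes of snmpinterface columns named snmp<suffix>; adjust to the real schema.
    private static final Set<String> ALLOWED_SNMP_PARMS = Set.of("ifdescr", "ifname", "ifalias");

    /** Returns the SQL template with a '?' placeholder, or throws if the column is not allowlisted. */
    static String equalsRestrictionSql(String snmpParm) {
        if (snmpParm == null || !ALLOWED_SNMP_PARMS.contains(snmpParm)) {
            throw new IllegalArgumentException("unknown snmpParm: " + snmpParm);
        }
        // The identifier is interpolated only after the allowlist check; the value never is.
        return "{alias}.nodeid in (select nodeid from snmpinterface where snmpcollect != 'D'"
             + " and lower(snmp" + snmpParm + ") = ?)";
    }

    // With Hibernate on the classpath the restriction is then added as
    //   criteria.add(Restrictions.sqlRestriction(equalsRestrictionSql(snmpParm),
    //           snmpParmValue.toLowerCase(), StandardBasicTypes.STRING));
    // so a value such as "ab' and ..." is compared literally rather than parsed as SQL.

    public static void main(String[] args) {
        System.out.println(equalsRestrictionSql("ifalias"));
        try {
            // A column name carrying SQL is rejected before it reaches the query text.
            equalsRestrictionSql("collect) = '' or 1=1 --");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```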


Activity


Jeff Jancula January 18, 2022 at 7:39 PM

changed security-high label to match CVE

Patrick Schweizer April 6, 2020 at 12:27 AM

All subtasks are resolved => closing this ticket

Markus von Rüden February 24, 2020 at 11:35 PM

PR for HQL-Injection issue (backport foundation): https://github.com/OpenNMS/opennms/pull/2891

Markus von Rüden February 17, 2020 at 2:49 PM

Fixed


Created February 3, 2020 at 4:14 PM
Updated January 18, 2022 at 7:39 PM
Resolved April 6, 2020 at 12:27 AM