CVE-2023-0871: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2023-0871) is an XML external entity (XXE) injection vulnerability affecting OpenNMS Horizon and Meridian network monitoring platforms. The vulnerability was discovered in June 2023 and affects OpenNMS Horizon versions 31.0.8 and prior to 32.0.2, as well as the subscription-based Meridian version (Dark Reading).

The vulnerability stems from a permissive XML parser configuration that makes the parser prone to XML external entity attacks. The XXE injection vulnerability leverages the default credentials for the Realtime Console (RTC) REST API and can be exploited by modifying trusted XML data during processing. The vulnerability is classified as CWE-611 (NVD CNA Status).

If exploited, the vulnerability allows attackers to exfiltrate data from the OpenNMS file server system, send arbitrary HTTP requests to internal and external services, and trigger denial-of-service conditions on affected systems. The platform is used by major organizations including Cisco, GigaComm, and Savannah River Nuclear Solutions, as well as others in CISA's Critical Infrastructure Sectors (Dark Reading).

The maintainers released patches for both versions of the software. Users are advised to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38, or Horizon 32.0.2 or newer. Organizations are reminded not to make OpenNMS directly accessible over the Internet and to ensure that it is installed and used only within their internal networks (Dark Reading).