Patch Now: OpenNMS Bug Steals Data, Triggers Denial of Service


According to researchers at Synopsys, the monitoring platform is trusted by Cisco, Savannah River Nuclear Solutions, and other companies in CISA's critical infrastructure sectors. A high-severity vulnerability in OpenNMS, the widely used open source network monitoring program, has been patched in both the community-supported and subscription-based versions.

The flaw is an XML external entity (XXE) injection vulnerability. It gives attackers a way to steal information from the OpenNMS file server system, make arbitrary HTTP requests to internal and external services, and cause denial-of-service conditions on impacted systems. Synopsys researchers found the vulnerability in June and alerted OpenNMS’s maintainers, who issued a patch last week.
