CVE-2023-40313

17.08.2023, 19:15

A BeanShell interpreter in remote server mode runs in OpenMNS Horizon versions earlier than 32.0.2 and in related Meridian versions which could allow arbitrary remote Java code execution. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	ADJACENT_NETWORK	HIGH	NONE	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
opennms	horizon	𝑥 < 32.0.2
opennms	meridian	𝑥 < 2020.1.38
opennms	meridian	2021.1.0 ≤ 𝑥 < 2021.1.30
opennms	meridian	2022.1.0 ≤ 𝑥 < 2022.1.19
opennms	meridian	2023.1.0 ≤ 𝑥 < 2023.1.6

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
opennms	horizon	29.0.4 ≤ 𝑥 < 32.0.2	ADP
opennms	horizon	𝑥 < 29.0.4	ADP
opennms	meridian	2020.0.0 ≤ 𝑥 ≤ 2020.1.37	ADP
opennms	meridian	2021.0.0 ≤ 𝑥 ≤ 2021.1.29	ADP
opennms	meridian	2022.0.0 ≤ 𝑥 ≤ 2022.1.18	ADP
opennms	meridian	2023.0.0 ≤ 𝑥 ≤ 2023.1.5	ADP

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://docs.opennms.com/horizon/32/releasenotes/changelog.html

https://github.com/OpenNMS/opennms/pull/6368

https://docs.opennms.com/horizon/32/releasenotes/changelog.html

https://github.com/OpenNMS/opennms/pull/6368