CVE-2021-3396

8.8 HIGH

📋 TL;DR

CVE-2021-3396 is an incorrect access control vulnerability in OpenNMS monitoring systems that allows attackers to execute arbitrary code using JEXL expressions. This affects OpenNMS Meridian 2016-2020, Horizon 1.2-27.0.4, and Newts <1.5.3. Both local and remote attackers can exploit this to gain full system control.

💻 Affected Systems

Products:
  • OpenNMS Meridian
  • OpenNMS Horizon
  • OpenNMS Newts
Versions: Meridian: 2016, 2017, 2018 before 1.25, 2019 before 1.16, 2020 before 1.5; Horizon: 1.2 through 27.0.4; Newts: <1.5.3
Operating Systems: Linux, Windows, Unix-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with remote code execution leading to data theft, service disruption, and lateral movement across the network.

🟠

Likely Case

Unauthorized access to sensitive monitoring data, privilege escalation, and potential deployment of malware or ransomware.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, though the vulnerability still presents significant risk.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, this allows privilege escalation and lateral movement within networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Meridian: 2018.1.25, 2019.1.16, 2020.1.5; Horizon: 27.0.5; Newts: 1.5.3

Vendor Advisory: https://www.opennms.com/en/blog/2021-02-16-cve-2021-3396-full-security-disclosure/

Restart Required: Yes

Instructions:

1. Back up configuration and data.
2. Download the patched version from the OpenNMS website.
3. Stop the OpenNMS service.
4. Install the update.
5. Restart the OpenNMS service.
6. Verify functionality.

🔧 Temporary Workarounds

Network Isolation


Restrict network access to OpenNMS instances to only trusted management networks

# Replace trusted_network with the management CIDR (e.g. 10.10.0.0/24); the ACCEPT rule must come before the DROP rule
iptables -A INPUT -p tcp --dport 8980 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 8980 -j DROP

Service Account Restriction


Run OpenNMS with minimal privileges and restrict file system access

chown -R opennms:opennms /opt/opennms
chmod 750 /opt/opennms

🧯 If You Can't Patch

  • Immediately isolate affected systems from internet and restrict internal network access
  • Implement strict network monitoring and alerting for suspicious activity targeting OpenNMS ports

🔍 How to Verify

Check if Vulnerable:

Check OpenNMS version: grep 'opennms.version' /opt/opennms/etc/pom.properties

Check Version:

opennms version

Verify Fix Applied:

Verify version is patched (the pattern matches only the exact fix releases listed here, so later releases need a manual comparison): opennms version | grep -E '2018\.1\.25|2019\.1\.16|2020\.1\.5|27\.0\.5|1\.5\.3'
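An added example (not part of this advisory): a small Python checker that encodes the affected ranges and fixed releases listed above, so an inventory of OpenNMS hosts can be compared against the thresholds instead of matching the exact fix versions with grep. The key=value line format from pom.properties and the product names used as keys are assumptions.

```python
import re

# Fixed releases listed in this advisory. Meridian branches are keyed by year;
# Horizon and Newts have a single fix version. Meridian 2016 and 2017 are in
# the affected range but have no patched release listed on this page.
MERIDIAN_FIXED = {2018: (2018, 1, 25), 2019: (2019, 1, 16), 2020: (2020, 1, 5)}
HORIZON_FIRST_AFFECTED, HORIZON_FIXED = (1, 2, 0), (27, 0, 5)
NEWTS_FIXED = (1, 5, 3)


def parse_version(text):
    """Return (major, minor, patch) from text such as 'opennms.version=27.0.4'.

    Accepts a bare version or a key=value line (assumed pom.properties format).
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(product, version_text):
    """True if product/version falls inside the affected ranges stated on this page."""
    v = parse_version(version_text)
    product = product.lower()
    if product == "meridian":
        year = v[0]
        if year in (2016, 2017):
            return True  # affected; no patched release listed here
        fixed = MERIDIAN_FIXED.get(year)
        return fixed is not None and v < fixed  # years after 2020 are outside the stated range
    if product == "horizon":
        return HORIZON_FIRST_AFFECTED <= v < HORIZON_FIXED
    if product == "newts":
        return v < NEWTS_FIXED
    raise ValueError(f"unknown product {product!r}")


if __name__ == "__main__":
    # Constructed sample inputs, one per product line.
    for product, line in [("horizon", "opennms.version=27.0.4"),
                          ("meridian", "2019.1.15"), ("newts", "1.5.3")]:
        state = "VULNERABLE" if is_vulnerable(product, line) else "patched/not affected"
        print(f"{product:8} {line:28} {state}")
```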

📡 Detection & Monitoring

Log Indicators:

  • Unusual JEXL expression execution in logs
  • Unexpected process creation from OpenNMS user
  • Authentication bypass attempts

Network Indicators:

  • Unusual outbound connections from OpenNMS server
  • Exploit traffic on port 8980/TCP
  • JEXL payloads in HTTP requests

SIEM Query:

source="opennms.log" AND ("JEXL" OR "Expression" OR "exec") AND NOT user="authorized_user"

🔗 References
