Discover the impact of CVE-2020-12760, a vulnerability in OpenNMS Horizon and Meridian versions allowing remote code execution. Learn how to mitigate and prevent this issue.
An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any authenticated channel user regardless of its assigned permissions.
Understanding CVE-2020-12760
This CVE covers a deserialization vulnerability in OpenNMS Horizon and Meridian that could result in remote code execution.
What is CVE-2020-12760?
In affected OpenNMS Horizon and Meridian versions, the ActiveMQ channel configuration allowed arbitrary deserialization of Java objects, enabling remote code execution by authenticated channel users.
The Impact of CVE-2020-12760
Any authenticated channel user could exploit the vulnerability to execute code remotely, regardless of the permissions assigned to that user.
Technical Details of CVE-2020-12760
This section provides more technical insights into the CVE.
Vulnerability Description
Affected OpenNMS Horizon and Meridian versions allowed arbitrary deserialization of Java objects through the ActiveMQ channel configuration (also known as ActiveMQ Minion payload deserialization), leading to remote code execution.
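Affected Systems and Versions
As stated in the description above, the affected releases are OpenNMS Horizon before 26.0.1, Meridian before 2018.1.19, and Meridian 2019 before 2019.1.7.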
Exploitation Mechanism
The vulnerability could be exploited through the ActiveMQ channel configuration, enabling the deserialization of Java objects and subsequent remote code execution.
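The underlying weakness is a receiver that deserializes whatever class the message payload names. The following added example (not OpenNMS or ActiveMQ code, and not the vendor's fix) uses the standard JDK `ObjectInputFilter` (Java 9+) to show the difference an allow-list makes; the class names, the sample payloads and the allow-list contents are assumptions constructed for illustration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class PayloadFilterDemo {
    // Constructed stand-in for any Serializable class the receiver never expects in a message.
    static class Unexpected implements Serializable { private static final long serialVersionUID = 1L; }

    // Allow-list assumed for this example: classes in java.lang and java.util only; "!*" rejects the rest.
    // The graph limits bound resource use from oversized or deeply nested payloads.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxrefs=1000;maxbytes=65536;java.lang.*;java.util.*;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Unfiltered read: any Serializable class on the classpath that the sender names is instantiated.
    static Object readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    // Filtered read: each class in the stream is checked against the allow-list before it is created.
    static Object readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ArrayList<>(List.of("node-1", "node-2")));
        byte[] unexpected = serialize(new Unexpected());
        System.out.println("unfiltered, unexpected class: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered, expected class:     " + readFiltered(expected));
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter runs before the object is constructed, so a class outside the allow-list is rejected with an `InvalidClassException` and none of its deserialization code executes.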
Mitigation and Prevention
Protect your systems from CVE-2020-12760 with these steps:
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates