Released: 04th September 2018
5.3.1 - Security Update
Opsview is releasing a security update to version 5.3 to provide a more robust web user interface.
For further information on how to upgrade your system to Opsview Monitor 5.3.1, please read Upgrading From Opsview 5.x.
This release addresses the issues listed below.
Thanks to Fernando Díaz and Fernando Catoira from Core Security Consulting Services.
- CVE-2018-16147: Persistent Cross-Site Scripting in Settings endpoint
The 'data' parameter of the '/settings/api/router' endpoint is vulnerable to Cross-Site Scripting.
- CVE-2018-16148: Cross-Site Scripting in invalid /rest URLs
The 'diagnosticsb2ksy' parameter of the '/rest' endpoint is vulnerable to Cross-Site Scripting.
- CVE-2018-16144: Rancid test connection functionality abuse leading to command execution
NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to an improper sanitization of the 'rancid_password' parameter.
- CVE-2018-16145: Script modification could allow local privilege escalation
Most of the services in Opsview Monitor VMware Appliance run with nagios privileges and the scripts that run at boot time, impersonate nagios user during its execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges.
In addition, this release also addresses:
- CVE-2018-13441 / CVE-2018-13458 / CVE-2018-13457: Nagios user - local DOS
Released: March, 2017
5.3.0 Features and Enhancements
With Opsview Monitor 5.3.0, we have introduced the following features and enhancements:
- Integration with InfluxDB as an alternative time series database
- Various bug fixes and improvements in Dashboard
- Jasper Server now synchronizes language settings with Opsview User configuration
- Changed maximum number of lines drawn in Performance Gauge dashlet to 10, more than 10 makes interpreting the data difficult
- Allow filtering by state type in Problems page (SC: 16720)
- Navigation menu now scrolls, rather than paginates
- Improved Flow Sources History dashlet to use newer graphing technology, with pulsating dots for investigation
- Improved colors in graphs by removing unnecessary opacity
- REST API token will be reused from the browser session and log out will invalid this token
- Improved search bar now always visible
- Re-organized Dashboard Dashlet drawers into Overview, Technical and Network Analyzer
- Add SOFT/HARD state types to Events Viewer filtering options (SC: 14726)
- Added option to use ifName instead of ifDescr for polling of SNMP interfaces for some devices that do not implement ifDescr (SC: 14826)
- Added option to always use getNext instead of getBulk for polling of SNMP interfaces (SC: 17875)
- Increased SNMP timeout to 10 seconds, removed retries and removed fallback to SNMPv1 when testing (SC: 14450, 14452)
- Improved Hashtag detail page when there are a large number of services within a hashtag.
- Introduced pagination in Hashtag Detail Performance View (SC: 19672)
- Added acknowledgement information to Detail REST API
- Improved Network Map for performance and usability
- Dashboard users are now linked based on the Opsview userid, rather than the user name, for better handling of user setting changes
- Added partitioning to 4 largest tables in the Runtime database for increased performance
- Improved Service Desk Connector logging
- opsview_sync_ldap syncing issue (SC: 14797)
- Event viewer audible alerts now available in IE11
- RSS collapsed feed state now saved
- Network Map dashlet now correctly filters by monitoring server
- TLS client certificate authentication for Apache
- import_excel script now encrypts required data correctly
- RANCID test connection now works on Slaves with .profile as well as .bash_profile
- Housekeeping no longer removes +metadata.db; removing this file can prevent timeseries returning results
- Resolved opsview-agent restart race condition, caused intermittent restart failures (SC: 18027)
- Removed System Status Dashlet - these will be automatically removed as part of the upgrade
- Percentage thresholds for performance gauge and process map performance metric objects are now based on the difference between the maximum and minimum values. Previously thresholds were based on maximum only, this means the warning or critical thresholds colors may be shown from your previous definitions. We recommend you review your threshold levels for these two dashlets
- Flow dashlets minimum refresh intervals increased to 1 minute, as this is the interval before more data is stored
To upgrade, see the section upgrading
Updated about a year ago