Opsview is releasing an update to version 5.4 to provide a more robust web user interface, vulnerability fixes and enhanced capabilities.
If you are running any of the Agents or Operating System listed below, please follow the steps documented on the Before upgrading to Opsview 5.4.2 page:
- any of the following Opsview Windows Agent with NSClient++ versions:
- 0.3.9.511 2015-06-22 (hotfix necessary)
- 0.3.9.394 2015-01-28 (hotfix necessary)
- 0.3.9.391 2014-11-05 (hotfix necessary)
- Debian 5 - Lenny (hotfix necessary)
- If your linux OS doesn't support TLSv1.1 or above
This release addresses the issues listed below.
For further information on how to upgrade your system to Opsview Monitor 5.4.2, please read Upgrading From Opsview 5.x.
- The refresh button has been enhanced with extra features to be able to stop, start and configure ther refresh interval.
- NRPE now supports SSL Wildcards in windows agent.
- The host icon is not visible on the Problems page.
- The UI performance when listing hashtags in the Graph Center has been improved.
- New line now in service check outputs in Problems and Hosts/groups/services view.
- Links in notes are now clickable.
- Force installing opspacks no longer wipes security wallet values
- VIEW permissions addressed for BSM
- The Host notes now display correctly in the Problems page.
Thanks to Fernando Díaz and Fernando Catoira from Core Security Consulting Services.
CVE-2018-16148 Cross-Site Scripting in invalid /rest URLs
The 'diagnosticsb2ksy' parameter of the '/rest' endpoint is vulnerable to Cross-Site Scripting.
CVE-2018-16147 Persistent Cross-Site Scripting in Settings endpoint
The 'data' parameter of the '/settings/api/router' endpoint is vulnerable to Cross-Site Scripting.
CVE-2018-16146 Notification abuse leading to remote command execution
Opsview Web Management console provides a functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The 'value' parameter is not properly sanitized, leading to an arbitrary command injection executed on the system with nagios' user privileges.
CVE-2018-16144 Rancid test connection functionality abuse leading to command execution
NetAudit is a section within Network Analyzer that allows the user to automate the backing up of network devices' configuration files to a centralized location. The test connection functionality is vulnerable to command injection due to an improper sanitization of the 'rancid_password' parameter.
CVE-2018-16145 Script modification could allow local privilege escalation
Most of the services in Opsview Monitor VMware Appliance run with nagios privileges and the scripts that run at boot time, impersonate nagios user during its execution. However, the '/etc/init.d/opsview-reporting-module' script invokes the '/opt/opsview/jasper/bin/db_jasper' script before dropping root privileges.
In addition, this release also addresses:
- CVE-2018-13441 / CVE-2018-13458 / CVE-2018-13457 Nagios user - local DOS
Information documented on https://www.exploit-db.com/exploits/45082/
5.4.1 Re-released: January 2018
All 5.4.1 appliance images have been updated in January 2018 to include patches for the 'meltdown' CPU bug
5.4.1 Released: October 2017
With Opsview Monitor 5.4.1, we have introduced the following features and enhancements:
- Improved performance of the Navigator's page call for some systems
- Improved performance of Process Map dashlet status call limits when it contains large number of services or metrics
- Improved performance for Host Edit SNMP interfaces grid containing thousands of interfaces
- Allow downtime to be set at the host group level for all users
- Columns are resizable in All Problems and Audit Log grids
- Double slashes in URLs of images and REST API call in Service Group Organizer are now supported
- Removed conflict between opsview-agent and opsview-perl RPM packages
- Fixed freshness checking issue by reverting change "Performing a recheck will always force it to be done, even if outside of the timeperiod"
- Identify down hosts in Hashtags summary page again
- Remove hard-coded database names from the ODW import process - please see Notes below
- Users of ODW should run the 'cleanup_import' script as the nagios user to ensure data imports run cleanly
To upgrade, see the section upgrading
Released: July, 2017
With Opsview Monitor 5.4.0, we have introduced the following features and enhancements:
- New BSM Monitoring view
- Host Group status data call now up to twice as fast on larger systems
- Host Group tree information now using a separate call, with speed improvements of up to 20 times faster on large systems
- Speed up the matpath calculation in the post-reload process
- Metric Pie Chart Dashlet query now up to 10 times faster on larger systems
- Auto Discovery first page load is now substantially quicker
- Massively improve the ODW imports, up to 100 times faster
- Speed up of Downtime actions by backgrounding the task, up to 10 times faster
- Speed up of Acknowledgement actions by backgrounding the task, up to 45 times faster
- Speed up of Recheck actions by backgrounding the task, up to 10 times faster
- Speed up of Set Service Status actions by backgrounding the task, up to 100 times faster
- Speed up of Set Host Status actions by backgrounding the task up to 2 times faster
- Speed up UI response in Filter Windows when ticking Host Groups with lots of children
- Service desk connector Notification Method configurations now included upon install
- New Amazon SNS notification method
- New Twilio Voice notification method
- New Opspacks added:
- All Problems pages now allows resizing of proportions of certain columns
- Advanced regex searching of host names and service checks in All Problems, Event Viewer, Notifications, Checker and hashtags in Hashtag Summary (SC:16016)
- Reduced call made when opening dashlet configuration windows for Performance Graph and Performance Gauge
- Reorganised Roles edit tabs for clarity, and included object count numbers
- Display number and list of users that a shared notification profile is available to
- Notification profiles now dynamically show number of objects that it applies to, as changes are made
- Problems page now allows filtering by Hashtags
- ODW now includes configuration information about business components to service checks via a bridging table
- The notes icon is now shown in Navigator, Checker and All Problems for all objects that have notes
- New plugin 'check_opsview_mysql_advanced'
- Moved check_file_count into the agent package so it can be used on monitored hosts
- Moved Navigator refresh to the toolbar for consistency with other pages
- All Problems now switches to 1st page when changing number of items
- Include slave ssh lockdown script in the distribution
- Include /opt/opsview/timeseriesrrd/var/data in nightly backups
- Include host/service keywords within email notifications
- Performing a recheck will always force it to be done, even if outside of the timeperiod
- When adding a new Variable to a host, make use of the default value for that Variable correctly
- Fixed SNMP polling considering error output as a failure even though the return code is okay
- Fixed reset_uncommitted being caught by deadlocks when the backup is still running
- Fixed BSM loading issue when system has lots of hosts
- Fixed UTF8 characters being returned from Test Service Check
- Fixed minor dashboard upgrading issue
- Fixed opsview-web port connection to dashboard's database
- Fixed downtime icons consistency
- Fixed NetFlow statistics recovery in the event of an ssh tunnel issue
- Fixed sessions expiring every hour and allow for configurable timeout (SC: 16092, 15880, 15782, 16085)
- Fixed Graph Center not removing old graphs when no data received
- Fixed Graph Center sometimes not showing Configure button
- Fixed Event Viewer leaving grey bars when resetting the view
- Fixed issues arising from a race condition when checking slave nodes
- Fixed data leak where you could get notifications for hosts when the host was not visible in Navigator
- Fixed All Notifications view showing two profile windows
- Fixed minor bug in Graph Center when configuring via BSMs
- Fixed REST API issue where searching by service names excluded host objects
- Fixed various help links in product
- Adverts now switched to new Advert Manager system, meaning you will now see less adverts on the login and reload page
- Fixed next/previous buttons for the pagination of Checker
- Fixed links to documentation for host edit notifications tab
- Fixed check_snmp_fsutil to use -w and -c options, and also check multiple filesystems
- Fixed problem when attempting to kill long running processes
- REST API requests of content type application/x-www-form-urlencoded will now return application/json
- Ubuntu 12 platform support is now deprecated
- BSM services which have no components are no longer displayed in Dashboard or BSM views
- Due to a change in the way service check names are filtered, if you set downtime via the REST API based on service check names only, hosts will also get picked up as well
- You may see warnings for missing user notification variables (eg: EMAIL address missing) due to stricter checks at reload time
To upgrade, see the section upgrading