As reported by Piotr Karolak of Trustwave's SpiderLabs, a security vulnerability was identified that has the potential to allow unauthenticated access to the file system of an Opsview Monitor system by issuing a specially crafted HTTP GET request.
Opsview has produced a patch to resolve this vulnerability for all currently supported versions of Opsview Monitor: 4.6.x, 5.0.x and 5.1. We have also produced a patch for systems running Opsview Monitor 4.5.x, as it became end of life less than six months ago. This patch has been applied to the latest supported versions of Opsview Monitor in our repositories (4.6.4, 5.0.2 and 5.1) and the EC2 and Virtual Appliance images for Opsview Monitor 5.1. We strongly recommend that you update your system immediately by either upgrading to the latest “point” release or applying the patch for the version of Opsview Monitor that you are using. The instructions for each version of Opsview Monitor are available on the following pages:
Opsview Monitor 5.1: https://knowledge.opsview.com/articles/opsview-monitor-510/21-known-issues.html#security_patch (Fix version: 184.108.40.206300841)
Opsview Monitor 5.0.x: https://knowledge.opsview.com/articles/opsview-monitor-502/2-changelog.html#security_patch (Fix version: 220.127.116.11475)
Opsview 4.6.x: http://docs.opsview.com/doku.php?id=opsview4.6:known_issues#security_patch (Fix version: 18.104.22.168391051)
Opsview 4.5.x: http://docs.opsview.com/doku.php?id=opsview4.5:known_issues#security_patch
Opsview Monitor 4.4.x and below:
We strongly recommend that you upgrade to a supported version of Opsview Monitor, as we will not be providing a patch for these older versions. We are conscious that it may take a little while to plan, implement and upgrade, and we would not want any of our customers running a system with a potential vulnerability, so we have provided an Apache configuration change that counters this particular vulnerability. The instructions for this can be found here: http://docs.opsview.com/doku.php?id=opsview:previous:known_issues#security_patch
Please do not hesitate to contact our Customer Success team (firstname.lastname@example.org) if you have any queries regarding this announcement.