Fixed vulnerabilities for op5 Monitor and op5 Appliance

We have recently received information about some vulnerabilities in op5 Monitor and op5 Appliance.
These issues were related to our web GUI (ninja), license management and portal logon pages.

  • CVE-2012-0261: Remote root command execution (non-authenticated)
  • CVE-2012-0262: Remote root command execution (non-authenticated)
  • CVE-2012-0263: Credentials leaked in detailed error message (authenticated)
  • CVE-2012-0264: Poor session management in the web application

These issues are now fixed, and the fixed versions are available for download.
We recommend that all our customers update to the latest versions as soon as possible.

Fixed versions:

  • system-op5config-2.0.3 (addresses CVE-2012-0262)
    • Available in yum
  • system-portal-1.6.2 (addresses CVE-2012-0261)
    • Available in yum
  • op5 Monitor 5.5.x (addresses CVE-2012-0263, CVE-2012-0264)
    • Available both as tarballs and in yum

We would like to thank Peter Österberg at Ekelöw (http://www.ekelow.se) for finding and reporting these vulnerabilities.

We at op5 take security very seriously and appreciate all security-related information from customers, partners and the community. We are constantly working on improving the security of our solutions, and we believe that openness is the best way to address security issues.
