Nexpose release March 21, 2012

Document created by mglinski Employee on Mar 19, 2012Last modified by mglinski Employee on Mar 21, 2012
Version 3Show Document
  • View in full screen mode

Rapid72012-03-21 product and content updates
                  Release announcement


This Rapid7® Nexpose® 5.2  release includes new features and improvements for security configuration assessment, reporting, virtualization support, usability, and administration.
These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. See the third FAQ.


Thanks for choosing Nexpose!

Release  5.2 is the next of many exciting deliveries in 2012 in response to your direct  feedback. It incorporates the full commitment of Rapid7 to delivering a great  product to you, our customer. The release focuses on a number of enhancements  for security configuration assessment, reporting, virtualization security,  usability, and administrative capabilities. In terms of coverage, we released checks  for more than 4900 vulnerabilities since the 5.1 release. We trust that you’ll  find these enhancements useful. Keep an eye out for continued enhancements  throughout 2012, and as always, please keep the feedback coming on how we can  make Nexpose even better.

Eric Reiners
Director of Engineering, Rapid7

Security Configuration Assessment | product

Expanded  security configuration assessment features give you drill-down capabilities

You can use the Policies dashboard in the Web interface to assess security configuration compliance for your entire environment and then drill down to view compliance results for specific security policies and their elements available in the Advanced Policy Engine. This allows you to determine quickly which assets need to be remediated or which rules are presenting specific compliance issues, so that you can gain insight into your overall compliance posture and risk.
NOTE: Your  license must enable the Advanced Policy Engine in order for the Policies dashboard to be visible. To  discuss pricing and upgrade options, please contact Rapid7.

Reporting | product


Create  custom CSV export reports

With expanded report template capabilities, you can now create custom comma-separated-value (CSV) export reports for better remediation. Choose from more than 30 fields to determine the exact, granular vulnerability information that you want to share with stakeholders in your organization. You can manipulate the exported CSV files with pivot tables to produce multiple views of your vulnerability data. You will find this feature in the report template configuration panel in the Web interface.


NOTE: Customizable CSV Export is only available in Nexpose Enterprise Edition and Nexpose Consultant Edition. To upgrade to one of these editions, please contact Rapid7.

As part of CSV report enhancements, the contents of some of the existing columns have been updated to conform to commonly used CSV-escaping practices.

New XML Export includes new attributes

The new  XML Export 2.0 report format includes new attributes that are also available in the extended CSV export, allowing you to export additional critical data for better reporting and remediation of vulnerabilities:

  • PCI compliance status
  • scan data, including the template used, and the scan ID
  • site and asset data, including asset aliases and user-assigned site importance
  • asset and vulnerability risk
  • vulnerability data
  • exploit and malware exposure information

The legacy XML Export and Simple XML formats have been deprecated. After December 31, 2012, Rapid7 will discontinue development and bug fixes for these formats in Nexpose.

For more information see the Report_XML_Export_Schema_2.0, which you can download from the Support page in the Web interface.

Vulnerability filtering makes reports more granular

When adding assets to the scope of a report, you can filter what vulnerabilities you will display for those assets to make the report more granular. For example, you may want to report on only critical vulnerabilities, or you may want to filter out potential vulnerabilities.

Virtualization  security | product

vAsset management expands with more granular searches and API integration

Using the asset search filter functionality, you can now  search for assets based on virtualization metadata. Creating dynamic asset  groups for virtual assets based on specific criteria can be useful for  analyzing different segments of your virtual environment. For example, you may  want to run reports or assess risk for all the virtual assets used by your  accounting department, and they are all supported by a specific resource pool.  New search filters are:

  • vAsset host
  • resource pool
  • power state
  • datacenter
  • cluster

Additionally, you can now configure virtual asset  connections through the API v1.2. For more information, download the API v1.2  guide from the Support page in the  Web interface.

NOTE: vAsset discovery is only available in Nexpose Enterprise Edition and Nexpose Consultant Edition. To upgrade to one of these editions, please contact Rapid7.

Usability | product

Create dynamic asset groups for fingerprinted and non-fingerprinted assets

When performing filtered asset searches based on operating  system, you can use two new  operators (is empty and is not empty) to easily find assets with  and without operating system fingerprints. This allows you to create dynamic  asset groups for fingerprinted and non-fingerprinted assets. These new  operators are also useful for finding assets for which scan authentication may  have failed. For more information, download  the user's guide from the Support page in the Web interface.

Site-specific vulnerability exceptions provide more flexibility

You can now create an exception for all instances of a  vulnerability in a site. Using this scope option, you can exclude all  vulnerabilities that share a site-specific compensating control, such as location  of all assets behind a firewall.

Additionally, when you create any vulnerability exception,  all applicable scope options are now visible, giving you more flexibility when  excluding vulnerabilities from reports or risk score calculations.

New browsers supported

Support for new browsers expands your options for using the  Security Console Web interface:

  • Microsoft Internet Explorer 9
  • Mozilla Firefox 10
  • Google Chrome 16 and 17

After December 31, 2012, Rapid7 will discontinue development and bug fixes in Nexpose for the following browsers:

  • Internet Explorer 7
  • Firefox 3.5 and 3.6

Administration | product

  • You can now specify ticket encryptions for  greater control of Kerberos user authentication.
  • Improvements to logging files make it easier  for you to troubleshoot and debug Security Console and Scan Engine activity:
    • The log file format is more readable.
    • Log files are consolidated into a single  directory.
    • More diagnostic information is included in the  logs that are sent to Technical Support.
    • Unnecessary log messages are reduced.
    • Limits to log file size prevent old log data  from consuming disk space unnecessarily.
    • Log files are consistently archived to their  file size limit.
    • Log messages configured for standard output  display timestamps in the time zone local to the Security Console or Scan  Engine installation.

For information on working with Keberos authentication and log files, download  the administrator's guide from the Support page in the Web interface.

Other improvements and corrected defects | product

  • A Web scanning issue has been resolved so that  scans no longer run for an extremely long time when encountering a service  other than HTTP on port 80.
  • Graphic-rich reports, such as PCI reports, are  generated faster.
  • The drop-down list for Scan Engine send logs now  lists Scan Engines in alphabetical order, making it easier for you to find  which engines to send logs for.
  • An improved detection method reduces potential  false positives for the vulnerability announced in Microsoft Advisory MS10-070.
  • Improved tracking of the backup process provides  you with better alerts for errors that can occur in the process, such as lack  of disk space.
  • A number of improvements in the reporting  framework prevent out-of-memory errors associated with generating and  downloading of large reports.
  • The fingerprinting of services that use H.323  protocol no longer causes some scans to hang.
  • An issue in which the applying of a new license  could disrupt Security Console-to-Scan Engine connections has been corrected.

Update improvements | product

Security Consoles can now receive new built-in policy benchmarks for which they are licensed via content-only updates.

Security content updates since 5.1

  • We have released checks for more than 4900 vulnerabilities since the 5.1 release.
  • Bi-monthly vulnerability check updates now also include: Adobe, Apache, Apple, BIND, CentOS, Cisco devices, IBM AIX, Java  Runtime Environment, Mozilla, OpenSSL, Oracle Linux, PHP, Red Hat Enterprise  Linux, Solaris, and VMware.
  • Since the 5.1 release, new or expanded  vulnerability checks have been created for Microsoft Office products on Mac OS X, Mozilla Thunderbird, and Mozilla  SeaMonkey.
  • Nexpose now performs more than 85,100  checks for more than 27,700 vulnerabilities.

Product update IDs

  • Linux 32 | Update ID: 3036809376
  • Linux 64 | Update ID: 2204996165
  • Windows 32 | Update ID: 212730562
  • Windows 64 | Update ID: 896847687

Content update IDs

  • Update ID: 1723771527


   Released on March 21, 2012.                          

md5sum files

   Download the appropriate md5sum file to ensure that the installer was not corrupted during download:                          

Frequently asked questions (FAQs)

  1. How will I know Nexpose has updated with this specific release?
    All updates are listed on the News page of the Nexpose Security Console Web interface.
  2. Why doesn’t the most recent date on the News page match the dates of the current updates on the Administration page?
    You may occasionally notice that the most recent date on the News page does not match the dates of the current updates listed on the Nexpose Security Console administration page. The dates on the News page are official release dates. The dates on the console page indicate when updates were actually applied to your Nexpose installation.
  3. What are content updates, and what are product updates?
    Content updates include new checks for vulnerabilities, patch verification, and compliance with security policies. Product updates include performance improvements, bug fixes, and new features in Nexpose.
  4. Does this dynamic self-updating cause Nexpose to restart?
    Yes. You may notice Nexpose taking longer to start for the first time after installation. You may also notice it restarting more than once as it completes a required sequence of updates.
  5. How can I obtain more information about this release?
    If you have purchased Nexpose, contact our Technical Support Team at If you are using the Community version of Nexpose, go to
  6. Where can I find announcements for other releases?
    You can find all release announcements in the Rapid7 Community at nts.
Join the Rapid7 Community!
Learn tips and tricks, engage with your peers,
and keep up with the latest product developments.