Nexpose 5.4 release notes (August 8, 2012)

Document created by mglinski (Employee) on Aug 6, 2012. Last modified by mglinski (Employee) on Aug 8, 2012.
Version 9

Rapid7
2012-08-08 product and content updates
Release announcement


This Rapid7® Nexpose® 5.4 release includes new features and improvements for IPv6 scanning, vulnerability category filtering in reports, Advanced Policy customization, and numerous other enhancements.
These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. See the fourth FAQ.



Remember to clear your browser cache after applying this update!

If you have made any changes to your Nexpose license, such as adding new features, restart your Security Console after applying this update.

IPv6 coverage | product

Security coverage now expands to IPv6 environments

You can now scan assets and networks with IPv6 addresses for vulnerabilities and misconfigurations. IPv6 may present another attack vector in your environment that you may not be aware of, so IPv6 coverage can expand your visibility into those threats.

Also, when scanning an IP address, the application now discovers and displays any additional addresses for that asset. For example, you may be aware of an asset's IPv4 address, which you have added to a site configuration. If the asset has any additional IP addresses, such as an IPv6 address that you're not aware of, the application discovers it and displays it along with other detailed information about that asset. This allows you to scan the newly discovered address and extend your visibility into the security and risk in your environment.

This ability to discover additional addresses enriches filtered asset searches: Using the new Other IP address filter, you can find assets with known IPv4 addresses that also have previously undiscovered IPv6 addresses. Or you can find assets with known IPv6 addresses that also have previously undiscovered IPv4 addresses. New fields that are available in CSV export allow you to export this data as well. Finding these assets allows you to track and scan all addresses associated with them for greater breadth of coverage.

Reporting | product & content

Vulnerability category filtering reduces reporting “noise”

When configuring reports, you can now filter vulnerabilities based on vulnerability categories. With this ability, you can produce reports with sharper focus on specific security issues to give your remediation teams the exact information they need to do their jobs and eliminate the "noise" of extraneous vulnerabilities. For example, you can generate reports that only include Adobe vulnerabilities. Or you can also exclude certain categories, such as for a particular application for which you have a patch program in place. When you generate a report, sections with filtered vulnerabilities are marked as such. See the user's guide for all report sections that can display filtered vulnerabilities.


In support of this expanded filtering capability, vulnerability categories have been increased and refined for more granular groupings of vulnerabilities. Scan template configurations also benefit from this improved categorization, so that scans can target more specific security flaws.

The API also supports vulnerability category filtering in reports.

For more information about changes in Nexpose related to this feature, see Changes to vulnerability categories.

Configuration assessment | product

Policy customization addresses specific compliance needs

You can now create custom policies based on FDCC or USGCB configuration policies that are provided with the application, depending on your license. This allows you to tailor policies to ensure that the unique security requirements in your environment are being adhered to. For example, you can customize a policy for the number of incorrect logon attempts that trigger a lockout by your authentication service. To begin customizing a built-in FDCC or USGCB policy, simply click the Copy icon for that policy. The policy editor in the Web interface features an easy-to-navigate "tree" hierarchy of policies and their constituent groups, sub-groups, and rules. You can also search a policy to easily find the rules that you want to modify.


NOTE: Policy editing is a separately licensable option and requires the Advanced Policy Engine to be enabled. To discuss pricing and upgrade options, contact your account representative.

Scan performance and accuracy | product

Scan improvements enhance performance and accuracy

  • A new Defeat Rate Limit control, available in the Discovery Performance page of the scan template configuration panel, enforces the Minimum Packets Per Second rate setting when scan targets impose rate limitations. This can enhance scan performance.
  • You can now enable the Web spider to determine if authentication forms accept commonly used user names and passwords. This practice is included in Risk category A3 (Broken Authentication and Session Management) of the OWASP Top 10 Web Application Security Risks for 2010.
  • For most scan templates, the initial timeout interval and packets-per-second rates have been tuned to optimize scan speeds.
  • Authenticated scans of Windows hosts perform more efficiently when high numbers of scan threads are in use.
  • You now have better visibility into scanning results while asset discovery is in progress. Assets are scanned for vulnerabilities and policy compliance as soon as they are discovered.
  • Scan results are now integrated into the database more efficiently. The improvement is especially noticeable with large scan result sets on Security Consoles that do not enable the display of incremental scan results.
  • For scans that are scheduled to repeat, the Security Console verifies that a preceding scan job has completed before starting the next scan job. This ensures that the data from the preceding job is properly integrated into the database. If the preceding job has not completed by the time the next job is scheduled to start, an error message appears in the scan log.
  • A scheduled scan job picks up any changes made to the related scan template before it starts, ensuring that the scan runs with your intended configuration settings.
  • A bug fix ensures that scans do not use ICMP in the asset discovery phase if ICMP, TCP, and UDP asset discovery are disabled in the scan template.
  • When restarting, the Scan Engine now automatically cleans up temporary files that may have been left over from a failed scan. This prevents unnecessary use of disk space.

Security content updates since 5.3

  • We have released checks for more than 1,900 vulnerabilities since the 5.3 release.
  • Coverage improvements since 5.3 include the following:
    • Fingerprinting for Microsoft Visual Basic for Applications (Core) and Visual Basic for Applications software development kit (SDK) has been added.
    • Fingerprinting for Microsoft Groove Server 2010 and Groove Server 2007 has been added.
    • Fingerprinting for Microsoft Office Web Apps 2010 has been added.
  • In total, Nexpose now performs more than 92,000 checks for more than 31,000 vulnerabilities.

Usability | product

A number of improvements make it easier to use the Web interface for better productivity:

  • When an idle session expires, the Security Console displays a logon window. To continue the session, simply log on again. You will not lose any unsaved work, such as configuration changes.
  • A bug fix ensures that you can change which assets are included in a dynamic site by editing the site configuration. In the Assets page of a dynamic site configuration, you can click the Change connections or filters button to change asset membership, and the Security Console loads the appropriate page for this function.
  • Scan Engine names now appear in alphanumeric order in the drop-down list for site configurations. This makes it easier for you to find a Scan Engine to assign to a site.
  • Pages of the Security Console Web interface render in your browser more efficiently, so that you can view and use pages without having to wait for them to display properly.
  • The SANS Top 20 column has been removed from vulnerability tables in the Web interface. The data source for this listing is no longer maintained, so its information is no longer up to date. The SANS Top 20 report template is still available.
  • The Security Console now generates charts more efficiently.
  • Non-administrative users can now locate assets they have permission to view by operating system.
  • When you click the button to refresh Scan Engines, the Security Console explicitly refreshes only the Scan Engines currently displayed in the table. This reduces confusion and makes it clear that to refresh additional Scan Engines, you need to display them first. Also, a bug fix ensures that you can refresh all Scan Engines in a table if the table's display setting is All.

Platforms and browsers | product

  • Support for the Ubuntu 12.04 LTS 64-bit operating system expands your installation options.
  • You can now run Nexpose components on hosts with IPv6 addresses, increasing your deployment options.
  • The application now automatically supports new versions of the Google Chrome browser as they are released. This means that you can use the Security Console Web interface on any new version of Chrome.

Other improvements | product

  • The database has been optimized to reduce disk space consumption on the Security Console host.
  • If your license includes the ability to scan any asset, the Licensing page in the Security Console Web interface now displays the correct number of maximum Scan Engines, maximum assets, and maximum assets that can be scanned with hosted Scan Engines, according to your license.

Changes to vulnerability categories

How are vulnerability categories changing?

Prior to the Nexpose 5.4 release, there were 59 different vulnerability categories that could be used to customize scanning and be displayed in reports. We are increasing the categories to over 145 unique choices. Some existing categories will be removed or renamed. Other categories will retain their names but have changed definitions. A full list of vulnerability categories is available here.

Why is this change happening?

We will be adding more refined reporting capability in 5.4, and this change is required to support this improvement. The categories will be more accurate and provide granular scanning and reporting for improved analysis and remediation.

What if I previously created a custom scan template and selected vulnerabilities “By Category”?

Check to see if the categories you selected have been renamed or removed.

  • If your categories have been renamed: You will need to select the new categories in the template configuration.
  • If your categories have been removed: If they are important to you, please let us know so that we can consider providing continued support in a future release.

How will reports be affected?

Reports that contain vulnerability categories will be affected, and you may see new or renamed categories.

If you have any questions or concerns, please send an e-mail to

Product update IDs

  • Linux 32 | Update ID: 3739755199
  • Linux 64 | Update ID: 3823314337
  • Windows 32 | Update ID: 3952838706
  • Windows 64 | Update ID: 2395429073

Content update IDs

  • Update ID: 3474929631


Released on August 8, 2012 (see sixth FAQ).

md5sum files

Download the appropriate md5sum file to ensure that the installer was not corrupted during download:

Frequently asked questions (FAQs)

  1. How will I know Nexpose has updated with this specific release?
    All updates are listed on the News page of the Nexpose Security Console Web interface.
  2. Why doesn’t the most recent date on the News page match the dates of the current updates on the Administration page?
    You may occasionally notice that the most recent date on the News page does not match the dates of the current updates listed on the Nexpose Security Console administration page. The dates on the News page are official release dates. The dates on the console page indicate when updates were actually applied to your Nexpose installation.
  3. Does dynamic self-updating cause Nexpose to restart?
    Yes. You may notice Nexpose taking longer to start for the first time after installation. You may also notice it restarting more than once as it completes a required sequence of updates.
  4. When will Nexpose restart?
    Nexpose will install the updates in the background if scans are currently running and will restart automatically when the scans complete. If you receive error messages after installing updates, stop or pause any scans and restart Nexpose.
  5. What are content updates, and what are product updates?
    Content updates include new checks for vulnerabilities, patch verification, and compliance with security policies. Product updates include performance improvements, bug fixes, and new features in Nexpose.
  6. Why are installers not updated with every release?
    To help you stay on top of an ever-growing number of security threats, Rapid7 makes the delivery of new security content timely and convenient. After installation and first-time start-up, Nexpose continues to update itself dynamically. This makes it unnecessary for Rapid7 to update installers with every release of security content. So, you don't have to download installers every time new content is available.
  7. How can I obtain more information about this release?
    If you have purchased Nexpose, contact our Technical Support Team at If you are using the Community version of Nexpose, go to
  8. Where can I find announcements for previous releases?
    You can find all release announcements in the Rapid7 Community at nts.

