Nexpose Release Notes - November 2013

Document created by Rebecca Carter on Jan 9, 2014

To help you protect your environment against ever-evolving security threats, Rapid7 releases coverage updates for Nexpose on a weekly basis. This page contains the releases for November 2013.

For current coverage releases, go to Nexpose Weekly Release Notes.

For details about restarting Nexpose after updating and other update information, see the Nexpose release FAQ.


This Rapid7® Nexpose® 5.7.20 release contains the following updates:

  • scanning improvements
  • accuracy improvement


Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco devices
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi

Scanning improvement | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • Fingerprinting of assets with exposed HTTP/HTTPS services is now handled more gracefully, resulting in more accurate and timely results.
  • HTTP/HTTPS servers that cannot be fingerprinted are now subject to more thorough investigation, resulting in more accurate identification and vulnerability results.
  • Asset and vulnerability counts now display correctly on the Home page while scans are in progress.

Accuracy improvement | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • False positives have been corrected for the vulnerability check that detects syslog running on TCP port 514. 

End-of-life for 32-bit installations

Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Update IDs, installer links, md5sum links, and virtual appliance links

Product Update IDs

  • Linux 32 | Update ID: 3210680546
  • Linux 64 | Update ID: 2641032546
  • Windows 32 | Update ID: 1981747456
  • Windows 64 | Update ID: 2143412332

Content update ID

  • Update ID: 1455243530

Installer links, md5sum links, and virtual appliance links

  Click here for the latest installer links, md5sum links, and virtual appliance links.         


This Rapid7® Nexpose® 5.7.19 release contains the following updates:

  • application improvements
  • coverage improvements

These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. For information about restarting Nexpose after updating, see the Nexpose release announcement FAQ.

Coverage improvements | content

New coverage expands your visibility into assets and threats in your network.

  • False positives related to package perl-Compress-Raw-Zlib on Oracle Linux and CentOS have been resolved. 
  • Samba coverage was expanded to include a wider range of vulnerability checks and improvements to existing checks.


Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco devices
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • With the new PCI ASV 2.0 Risk strategy, you can assign a PCI Data Security Standard (DSS) score to every discovered vulnerability. Using this strategy allows you to assess risk from a PCI perspective. Also, the 5-point scale (1 = lowest severity, 5 = highest severity) provides a simple way to view and sort the risk of different vulnerabilities.
  • An issue that caused support logs to not properly upload to Rapid7 support was corrected.
  • A rare issue that could have caused some scan targets in a site to not be saved was corrected.
  • Scan histories now load faster for sites with large scan counts.

End-of-life for 32-bit installations

Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Product Update IDs

  • Linux 32 | Update ID: 2512955625
  • Linux 64 | Update ID: 2382524771
  • Windows 32 | Update ID: 934359800
  • Windows 64 | Update ID: 1597812188

Content update ID

  • Update ID: 3093944329

Installer links, md5sum links, and virtual appliance links

  Click here for the latest installer links, md5sum links, and virtual appliance links.         



This Rapid7® Nexpose® 5.7.18 release contains the following updates:

  • application improvements
  • scanning improvement
  • accuracy improvements
  • coverage improvements
  • November 2013 Patch Tuesday checks

These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. For information about restarting Nexpose after updating, see the Nexpose release announcement FAQ.

Coverage improvement | content

New coverage expands your visibility into assets and threats in your network:

  • Coverage has been added for Debian 7.x (wheezy).
  • Improved fingerprinting better identifies Java vulnerabilities on Windows assets.

Accuracy improvement | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • Remediation methods for Microsoft Security Bulletin MS13-054 have been improved.
  • A vulnerability related to HTTP cookies is no longer incorrectly labeled as a cross-site scripting (XSS) vulnerability.


November 2013 Patch Tuesday checks | content

New vulnerability checks provide up-to-date Microsoft Patch Tuesday scan coverage for November 2013. For information about all current security bulletins covered in this release, see the Microsoft Security Bulletin Summary for November 2013. Use the checks in this update to verify that the latest Microsoft patches have been applied to system assets.

These checks help you determine where new risks are located in your environment, allowing you to prioritize what needs to be remediated and minimize risk.

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco devices
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi

Scanning improvement | product

  • Scans now properly fingerprint SSL/TLS services that use the MD2 algorithm anywhere in the certificate validation process. Among other benefits, this helps address potential false positives and false negatives in certificate chain validation. Note that validation only occurs when the Certificate Authority in question is trusted, and that, whether or not the certificate is trusted, MD2 cannot be used anywhere if FIPS mode is enabled.

  • Fingerprinting of Oracle Java on non-Windows platforms has been corrected. As a result, Oracle Java vulnerability checks now function properly for assets running non-Windows operating systems.

Application improvement | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • Stop wasting your precious time patching vulnerabilities that may not be exploitable. Leverage the Metasploit penetration testing framework to confirm vulnerabilities discovered in scans. By exploiting vulnerabilities and then reporting that they have been validated, you can prioritize security flaws known to be exploitable. This helps your team allocate remediation resources where they are most needed to keep your organization secure.
  • A series of exciting updates to the Web interface continues with an overhaul of the Assets page. Now, just click the Assets tab and see all of your discovered assets in a single place. Find key assets grouped and sorted according to the operating systems, software, or services installed on them. Navigate quickly to find the assets that are most important to your security objectives.

End-of-life for 32-bit installations

Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Product Update IDs

  • Linux 32 | Update ID: 1708347829
  • Linux 64 | Update ID: 3459324873
  • Windows 32 | Update ID: 2048262182
  • Windows 64 | Update ID: 2469147295

Content update ID

  • Update ID: 1253808884

Installer links, md5sum links, and virtual appliance links

  Click here for the latest installer links, md5sum links, and virtual appliance links.         

Download the Virtual Appliance Deployment Guide.



This Rapid7® Nexpose® 5.7.17 release contains the following updates:

  • application improvements
  • scanning improvement
  • accuracy improvements

These release notes document what's new in this Nexpose release. Your Nexpose installation will automatically download and install content updates. If you have enabled Nexpose to install product updates, it will do so as well. For information about restarting Nexpose after updating, see the Nexpose release announcement FAQ.

Coverage improvement | content

New coverage expands your visibility into assets and threats in your network:

  • The coverage for Debian security advisories affecting multiple-source packages was improved.
  • False positives have been corrected for IP source routing enabled on Windows Vista / Server 2008 and newer versions of Windows.
  • False positives have been corrected in several checks related to the Apache HTTPD Server on CentOS 6.

Scanning improvement | content

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • The Web Audit scan template has been updated with vulnerability checks for Adobe ColdFusion, Apache Struts, and Tomcat to deliver more comprehensive results.


Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco devices
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi

Accuracy improvement | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • False positives have been corrected for the vulnerability check that detects syslog running on TCP port 514. 

Application improvement | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • An issue that blocked Global Administrators from logging onto the Security Console in Maintenance Mode was corrected.
  • An issue that prevented users from changing their passwords was corrected. 
  • The Security Console now optimally stores newly generated reports so that you are able to retain more historical reports using the same amount of disk space. 
  • The Java Runtime Environment was updated to remediate known Java security vulnerabilities. 

End-of-life for 32-bit installations

Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Product Update IDs

  • Linux 32 | Update ID: 2295431307
  • Linux 64 | Update ID: 2544984290
  • Windows 32 | Update ID: 379161151
  • Windows 64 | Update ID: 1740453670

Content update ID

  • Update ID: 1311540814

Installer links, md5sum links, and virtual appliance links

  Click here for the latest installer links, md5sum links, and virtual appliance links.         

