Nexpose release announcements - April 2014

Document created by S Tempest (Rapid7 employee) on May 6, 2014. Last modified by mglinski on Jun 3, 2014.

To help you protect your environment against ever-evolving security threats, Rapid7 releases coverage updates for Nexpose on a weekly basis. This page contains the archived announcements for the Nexpose 5.9.1 through 5.9.7 releases.

 

For March releases go to Nexpose Release Notes - March 2014.

 

For details about restarting Nexpose after updating and other update information, see Nexpose release FAQ.



 

This Rapid7® Nexpose® 5.9.7 release contains the following updates:                                        

  • application improvements

Application improvements | product

 

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • You can now add multiple types of tags to an asset at the same time.
  • You can now include fields for the tag attributes Asset Criticality, Asset Location, Asset Owner, or Custom Tag when creating a CSV Export report. This enables team members who do not have access to Nexpose to see Real Context for these nodes.
  • You can now apply tags to an asset from a node page if the node is correlated to an existing asset and if you want to add the tag while viewing the node.
  • You can now click directly from the Node page to the Asset page to which a node is correlated, for simpler navigation.
  • Reports involving large numbers of assets and scans now generate faster.
  • An issue that prevented Executive Overview reports from being generated when the setting Show trends for the 5 highest-risk assets in the report scope was selected has been resolved.

 

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

End-of-life

32-bit installations

    • Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 will end support for Internet Explorer 8 on April 8, 2014 in alignment with Windows XP end of support.

 

Product Update IDs

 

  • Linux 32 | Update ID:  2164584068
  • Linux 64 | Update ID: 1815114566
  • Windows 32 | Update ID: 4097863601
  • Windows 64 | Update ID: 1986299866

 

Content update ID

 

  • Update ID: 1035116163

 

Installer links, md5sum links, and virtual appliance links

 

Click here for the latest installer links, md5sum links, and virtual appliance links.

 

 


 

This Rapid7® Nexpose® 5.9.6 release contains the following updates:                          

  • application improvements
  • accuracy improvements
  • coverage improvements
  • scanning improvements

 

Coverage improvements | product

 

New coverage expands your visibility into assets and threats in your environment:

  • With Dynamic Discovery, you can keep your Amazon Web Services (AWS) environment secure by scanning dynamic sites that always contain the most current assets in a fluid, cloud-based environment.
    To begin discovering AWS instances in your environment, click the Dynamic Discovery icon (binoculars) and set up your AWS discovery connection. For more information about using this feature, search for dynamic discovery or AWS in Help.


  • Coverage was added for Cisco SAN-OS devices.
  • You can now perform policy and vulnerability scans using Windows Remote Management with PowerShell. PowerShell support is essential to some policy checks in SCAP 1.2, and more efficiently returns data for some other checks.

 

Application improvements | product

 

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • An issue that caused the Vulnerability Trends report to improperly calculate site and asset group membership data for charts has been fixed.
  • An issue that prevented scan integration from completing successfully was fixed.

 

Accuracy improvements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • Cisco SAN-OS devices are now more accurately fingerprinted, resulting in better scan results.
  • Checks for the OpenSSL CVE-2014-0160 (Heartbleed) vulnerability now work properly on assets running Hewlett-Packard iLO.
  • Fingerprinting over SSH, HTTP, and HTTPS was improved for Hewlett-Packard iLO.

 

Scanning improvements | content

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • AIX policy scans no longer attempt to find files and permissions of resources located on NFS mounts, resulting in enhanced scanning performance.
  • SSH now works on scan targets that only support diffie-hellman-group14-sha1.
  • An issue that occasionally caused SSH client authentication to fail with the correct credentials was resolved.

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

End-of-life

32-bit installations

  • Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 will end support for Internet Explorer 8 on April 8, 2014 in alignment with Windows XP end of support.

 

Product Update IDs

  • Linux 32 | Update ID:  2740609944
  • Linux 64 | Update ID: 479802778 
  • Windows 32 | Update ID: 138356348
  • Windows 64 | Update ID: 3157275304

Content update ID

  • Update ID: 169730983

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


 

This Rapid7® Nexpose® 5.9.5 release contains the following updates:              

  • application improvements
  • accuracy improvements

Application improvements | product

 

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • An issue that prevented the use of permission elevation on Linux targets without the “command” tool installed has been fixed.
  • An issue that prevented database warehouse export was resolved.
  • An issue that prevented reports from generating with customized time zones not provided in the UI was resolved.
  • An issue that prevented the Assets by Policy table from loading in the Assets page was fixed.
  • The unused spider request delay parameter was removed from the Web Spidering scan template.

 

Accuracy improvements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • Unauthenticated checks for the OpenSSL Heartbeat Extension vulnerability (CVE-2014-0160, known as the Heartbleed bug) were improved for better accuracy in certain situations.

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

 

End-of-life announcements


For 32-bit installations

  • Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

For browser support:

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 ended support for Internet Explorer 8 on April 8, 2014 in alignment with Windows XP end of support.

 

Product Update IDs

  • Linux 32 | Update ID:  3235912242
  • Linux 64 | Update ID: 2908439481 
  • Windows 32 | Update ID: 3526784871
  • Windows 64 | Update ID: 2931421979

Content update ID

  • Update ID: 3920464280

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


 

This Rapid7® Nexpose® 5.9.4 release contains the following updates:

 

Accuracy improvements | product & content

  • Unauthenticated checks for the OpenSSL Heartbeat Extension vulnerability (CVE-2014-0160, also known as the Heartbleed bug) were improved for better accuracy in certain situations.
  • An issue that prevented fingerprinting of certain protocols via SSL has been corrected.

 

NOTE: You MUST apply the 5.9.4 product update to run the improved Heartbleed checks.

 

For more information about the Heartbleed vulnerability and how to deal with it, see the following pages:

 

Product Update IDs

  • Linux 32 | Update ID: 2861496430
  • Linux 64 | Update ID: 1352660169
  • Windows 32 | Update ID: 914490033
  • Windows 64 | Update ID: 3681971502

 

Content update ID

  • Update ID: 712726987

 

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.

 

End-of-life announcements


For 32-bit installations:

  • Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

For browser support:

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 ended support for Internet Explorer 8 on April 8, 2014 in alignment with Windows XP end of support.

 


 

This Rapid7® Nexpose® 5.9.3 release contains the following updates:

Our initial release of Heartbleed vulnerability checks provided full coverage for this issue. We have since enhanced that coverage to exclude systems that we know are not affected, and updated the scoring so that Heartbleed findings are prioritized appropriately. Our coverage of the Heartbleed vulnerability (CVE-2014-0160) now includes:

  • enhanced unauthenticated checks to cover a wider variety of protocols
  • modified unauthenticated checks to identify IIS targets and ignore them
  • enhanced authenticated checks for the Red Hat Enterprise Linux platform
  • updated Common Vulnerability Scoring System (CVSS) vectors for Heartbleed-related checks

 

In addition to the above changes for Heartbleed, we have taken the opportunity to update all of our recurring vulnerability and patch checks to the most current coverage.
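
The authenticated Red Hat check mentioned above is a package-version comparison rather than a banner check: Red Hat backports fixes without changing the upstream version, so `openssl version` reports 1.0.1e both before and after the fix and only the RPM release distinguishes them. The example below is added here and is not Nexpose's check code. It compares the installed openssl EVR (epoch, version, release) against the fixed build using rpm's own segment-wise ordering, which matters because a plain string comparison sorts release 16.el6_5.14 before 16.el6_5.7. It assumes RHEL 6.5, whose fixed build is openssl-1.0.1e-16.el6_5.7 (RHSA-2014:0376); other product streams have their own fixed EVR. The inventory lines are constructed, not collected from real hosts.

```python
"""Authenticated Heartbleed (CVE-2014-0160) check for RHEL hosts by RPM EVR
comparison. Added example, not Nexpose's check code. Assumes RHEL 6.5, whose
fixed build is openssl-1.0.1e-16.el6_5.7 (RHSA-2014:0376)."""
import re

FIXED_EVR = (0, "1.0.1e", "16.el6_5.7")     # epoch, version, release of the fixed build

# Constructed inventory: "<host> " followed by the output of
#   rpm -q --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n' openssl
SAMPLE_INVENTORY = """\
host-a openssl (none) 1.0.1e 16.el6_5.4
host-b openssl (none) 1.0.1e 16.el6_5.7
host-c openssl (none) 1.0.1e 16.el6_5.14
host-d openssl (none) 1.0.0 27.el6_4.2
"""

def _segments(s):
    # rpm splits on non-alphanumerics into runs of digits and runs of letters
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """rpm's ordering: numeric segments by value (so 14 > 7), alphabetic segments
    lexically, a numeric segment newer than an alphabetic one, and the string with
    more segments newer when all shared segments tie. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: epoch first, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def parse_line(line):
    host, name, epoch, version, release = line.split()
    return host, name, (0 if epoch == "(none)" else int(epoch), version, release)

def heartbleed_status(evr):
    """'not_affected' below 1.0.1 (1.0.0 has no heartbeat code), 'vulnerable' below
    the fixed build, 'patched' at or above it."""
    if rpmvercmp(evr[1], "1.0.1") < 0:
        return "not_affected"
    return "vulnerable" if evr_cmp(evr, FIXED_EVR) < 0 else "patched"

def assess(inventory):
    """Map host -> status for every openssl line in the inventory text."""
    return {host: heartbleed_status(evr)
            for host, name, evr in map(parse_line, inventory.strip().splitlines())
            if name == "openssl"}

if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(host, status)
```

The same comparison applies to any backported fix: match the package name, resolve the fixed EVR for the host's product stream, and compare with rpm semantics, never with string ordering or with the version string a binary prints.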

 

NOTE: You MUST apply the 5.9.3 product update to run the improved Heartbleed checks.

 

Vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

 

Product Update IDs

 

  • Linux 32 | Update ID: 3918762712
  • Linux 64 | Update ID: 1994166225
  • Windows 32 | Update ID: 2447465357
  • Windows 64 | Update ID: 2276669278

 

Content update ID

 

  • Update ID: 1959170544

 

Installer links, md5sum links, and virtual appliance links

 

Click here for the latest installer links, md5sum links, and virtual appliance links.

 

End-of-life


32-bit installations

  • Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

For browser support:

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 will end support for Internet Explorer 8 on April 8, 2014 in alignment with Windows XP end of support.

 


 

This Rapid7® Nexpose® 5.9.2 release contains the following updates:

  • April 2014 Patch Tuesday checks
  • coverage improvement

April 2014 Patch Tuesday checks | content

New vulnerability checks provide up-to-date Microsoft Patch Tuesday scan coverage for April 2014. For information about all current security bulletins covered in this release, see the Microsoft Security Bulletin Summary for April 2014. Use the checks in this update to verify that the latest Microsoft patches have been applied to system assets.

These checks help you determine where new risks are located in your environment, allowing you to prioritize what needs to be remediated and help minimize risk.

Coverage improvements | product & content

New coverage expands your visibility into assets and threats in your environment:

  • Coverage was added for the OpenSSL Heartbleed bug (CVE-2014-0160).

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

End-of-life

32-bit installations

  • Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

For browser support:

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 will end support for Internet Explorer 8 on April 8, 2014 in alignment with Windows XP end of support.

Product Update IDs

  • Linux 32 | Update ID: 1969672182
  • Linux 64 | Update ID: 1940606904
  • Windows 32 | Update ID: 418567212
  • Windows 64 | Update ID: 2197900353

Content update ID

  • Update ID: 3736970303

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


 

This Rapid7® Nexpose® 5.9.1 release contains the following updates:

  • application improvements
  • accuracy improvements
  • coverage improvements
  • scanning improvements

Application improvements | product

 

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • A cross-site scripting vulnerability was resolved in the Software Information page of the Web interface.
  • The default scan template is now set to Full Audit without Web Spider, resulting in faster initial scans and less potential to mistakenly run the longer audit with Web spidering.
  • The Operating System Information pages now display more details, making it easier to view, sort, and manage your assets by their OS.
  • You can now export data to CSV from the Assets by Software table on the Assets page. The table has also been optimized to load faster.
  • The Asset Details page now displays the exact time an asset completed scanning, making it easier for you to monitor your scan times and prioritize which assets are due to be scanned again.
  • The Node Details table now shows the exact time a node was scanned.
  • If an operating system is not fully fingerprinted, the Assets by Operating Systems table now displays any information that was collected in the fingerprinting process, making it easier for you to organize your assets by operating system.
  • You can now delete obsolete assets from the Assets page, provided you have permission to do so. This will help you to clean up clutter in your UI and focus on the assets that you want to monitor.

 

Accuracy improvements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • Cisco NX-OS switches are now fingerprinted based on model series, resulting in more accurate scan results.
  • An issue that could cause Cisco IOS 15.x CIS policy scans to not run was corrected.

 

Coverage improvements | product & content

 

New coverage expands your visibility into assets and threats in your environment:

  • A new Defense Information Systems Agency (DISA) policy provides compliance coverage for the Microsoft Windows 2008 R2 operating system.
  • New Center for Internet Security (CIS) policies provide compliance coverage for Microsoft Windows 8, Windows 2012, and Windows 2008 R2 operating systems. In addition, the CIS policy for Microsoft Windows 2008 was updated to Version 2.1.0.1.
  • Vulnerability coverage for Cisco NX-OS devices has been added, resulting in more thorough scan results.

Scanning improvements | product

 

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • Removal of the Adaptive HTTP Fingerprinting option from scan templates eliminates some potential for duplicate fingerprints and false positives.
  • Recursive file searches on Windows systems are now disabled by default, greatly improving policy scan performance. If your internal security practices require this capability or if it is required for certain rules in your policy scans, you can enable this feature on the Policy Manager page of the Scan Template Configuration panel.

 

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu/Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

End-of-life

32-bit installations:

  • Rapid7 will end support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. After that date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support:

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 will end support for Internet Explorer 8 on April 8, 2014 in alignment with Windows XP end of support.


Product Update IDs

  • Linux 32 | Update ID: 1883808340
  • Linux 64 | Update ID: 2510727430
  • Windows 32 | Update ID: 1991768227
  • Windows 64 | Update ID: 1422091837

Content update ID

  • Update ID: 3528776729

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.

