Nexpose release announcements - May 2014

Document created by mglinski Employee on Jun 3, 2014

To help you protect your environment against ever-evolving security threats, Rapid7 releases coverage updates for Nexpose on a weekly basis. This page contains the archived announcements for the May 2014 Nexpose releases.

For the April coverage releases, go to Nexpose Release Notes - April 2014. For details about restarting Nexpose after updating and other update information, see the Nexpose release FAQ.


 

This Rapid7® Nexpose® 5.9.12 release contains the following updates:                                              

  • application improvements
  • accuracy improvements

                    

Application improvements | product

   Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • The icons for functions related to scanning, editing, and deleting have been updated. This change is part of an ongoing initiative to provide more streamlined navigation and a more consistent look and feel throughout the Web interface.

  • A new icon and workflow make it easier to edit tags and review your changes.

  • The Configuring scan credentials section in Help now includes information on what types of credentials to use for scanning authentication, how the application stores the credentials, and configuration requirements for authenticated scans of Windows targets. This information helps you to optimize your scan results with authentication.
  • Asset inclusion and exclusion fields on the Site Configuration panel and the Global Asset Exclusions page no longer truncate at 32,767 characters. If any of your site configurations or global exclusion lists is longer than 32,767 characters, review it: entries beyond that limit may have been dropped while the limit was in effect, so verify that the stored list matches what you intended.
  • The vulnerability exception listing linked from the Administration page now loads correctly in the case where a vulnerability exception has been applied on an asset with an invalid name.
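
The following Python script is an added example, not Rapid7 code, for auditing a list that may have been affected by the old limit. It assumes the console stored each field as a single newline- or comma-delimited string and cut it at 32,767 characters, that you hold the intended list in a source of truth of your own (for example a CMDB export), and that you have pasted in the text read back from the Site Configuration panel or the Global Asset Exclusions page; the sample host list is constructed.

```python
"""Audit a Nexpose inclusion/exclusion list for silent truncation.

Added example, not Rapid7 code. Assumptions: the field was stored as one
newline- or comma-delimited string and cut at 32,767 characters; the expected
list comes from your own source of truth; the sample data below is constructed.
"""
import re

LEGACY_LIMIT = 32_767           # field limit named in the 5.9.12 release note
_DELIM = re.compile(r"[\n,]+")  # the fields accept one entry per line or comma-separated


def parse_entries(text):
    """Split a host-list field into individual entries (hostnames, IPs, ranges)."""
    return [e.strip() for e in _DELIM.split(text) if e.strip()]


def audit(expected_text, stored_text, limit=LEGACY_LIMIT):
    """Compare the intended list with what the console holds.

    Returns a dict with:
      expected_chars - length of the intended text
      exceeds_limit  - True if it is longer than the legacy limit (truncation was possible)
      partial        - a trailing fragment in the stored copy that was cut mid-entry, or None
      missing        - entries from the intended list that the stored copy lacks
    """
    expected = parse_entries(expected_text)
    stored = parse_entries(stored_text)
    partial = None
    # A stored copy that reaches the limit and does not end on a delimiter was
    # cut inside an entry; to be safe the last token is treated as a fragment,
    # not as a real asset, so a prefix such as "10.0.0.1" cut from "10.0.0.10"
    # does not mask the loss.
    if stored and len(stored_text) >= limit and stored_text[-1] not in "\n,":
        partial = stored.pop()
    stored_set = set(stored)
    missing = [e for e in expected if e not in stored_set]
    return {
        "expected_chars": len(expected_text),
        "exceeds_limit": len(expected_text) > limit,
        "partial": partial,
        "missing": missing,
    }


def build_sample(n_hosts=4000):
    """Constructed data: an intended list of n hostnames and the copy the old
    console would have kept after cutting it at LEGACY_LIMIT characters."""
    expected_text = "\n".join(f"host-{i:04d}.corp.example" for i in range(n_hosts))
    stored_text = expected_text[:LEGACY_LIMIT]
    return expected_text, stored_text


if __name__ == "__main__":
    intended, stored = build_sample()
    report = audit(intended, stored)
    print(f"intended length: {report['expected_chars']} chars "
          f"(over limit: {report['exceeds_limit']})")
    print(f"fragment at cut point: {report['partial']!r}")
    print(f"{len(report['missing'])} entries missing, first: {report['missing'][0]}")
```

To use it against real data, replace build_sample() with the two strings: the first missing entry tells you where the cut happened, and the fragment shows the entry that was split. Anything reported as missing has to be re-entered (or, for an exclusion list, may have been scanned when it should not have been).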

 

Accuracy improvements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • The application now supports the SSH implementation found on Cisco ASA devices.
  • The application now includes enhanced fingerprinting with SNMP v2c.

  

Weekly vulnerability check update | content

See Nexpose Vulnerability Coverage for a list of the operating systems and applications covered by the updated vulnerability and patch checks.

End-of-life

32-bit installations

  • Rapid7 ended support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. Rapid7 will no longer test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 has ended support for Internet Explorer 8 in alignment with Windows XP end of support.

Product Update IDs

  • Linux 64 | Update ID: 467292045
  • Windows 64 | Update ID: 3763854382

Content update ID

  • Update ID: 868705184

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


This Rapid7® Nexpose® 5.9.11 release contains the following updates:                                    

  • application improvements

        

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • You can now report on risk trends for assets that carry particular tags. For example, you can chart the risk trend for a tag applied to the assets with the highest total risk, which shows how the Real Context of your assets relates to risk in your environment. The feature is available in report templates that include risk trend charts, such as Audit, Baseline Comparison, and Executive Overview. To use it, select asset tags as a scope filter for one of these templates, then, under Advanced Settings in the report configuration, select Risk Trend Graphs.

  • The Security Console now restarts up to 50 percent faster.
  • The application can now successfully create more than 32,000 unique scans. This enhanced capacity scales with your security needs over time as you add assets and run scans more frequently.
  • The SANS Top 20 Report is now marked “DEPRECATED” and is no longer available as a template for creating new reports. This template was originally developed to incorporate information from the SANS Top 20 Yearly Vulnerability list, which the SANS Institute no longer maintains or updates. Currently scheduled and running reports will still generate successfully, and you can still save and use copies of reports with this template.
  • Adding a new Scan Engine in the Scan Engine Configuration panel now initiates the process of pairing it with the Security Console. You no longer have to refresh the new Scan Engine connection to update its status to Pending, because this now happens automatically. You can immediately move on to finishing the pairing process.
  • An issue that caused database diagnostics to fail after a product update has been fixed. You can access the Database Diagnostics control by clicking the Troubleshooting link on the Administration page.
  • A fix ensures that you can exclude assets from all scans while the Security Console is calculating risk score trends.
  • A corrected issue ensures that when you save or refresh a Scan Engine in the Scan Engine Configuration panel, the displayed information about the Engine is accurate.

 

Weekly vulnerability check update | content

See Nexpose Vulnerability Coverage for a list of the operating systems and applications covered by the updated vulnerability and patch checks.

End-of-life

32-bit installations

  • Rapid7 ended support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. Rapid7 will no longer test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 has ended support for Internet Explorer 8 in alignment with Windows XP end of support.

 

Product Update IDs

  • Linux 64 | Update ID: 1992291254
  • Windows 64 | Update ID: 430846447

Content update ID

  • Update ID: 1340150780

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


This Rapid7® Nexpose® 5.9.10 release contains the following updates:                      

  • May 2014 Patch Tuesday checks
  • coverage improvements
  • application improvements

        

May 2014 Patch Tuesday checks | content

New vulnerability checks provide up-to-date Microsoft Patch Tuesday scan coverage for May 2014. For information about all current security bulletins covered in this release, see the Microsoft Security Bulletin Summary for May 2014. Use the checks in this update to verify that the latest Microsoft patches have been applied to system assets. These checks help you determine where new risks are located in your environment so that you can prioritize remediation.

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • When running in FIPS 140-2 mode, the application is no longer exposed to certain vulnerabilities (CVE-2007-6755, CVE-2011-3389, CVE-2013-0169, and CVE-2014-0625). Its random number generator now runs with prediction resistance enabled.
  • A correction to an earlier product change ensures that the Scan Engine column appears in the Site Listing table on the Home page.
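
Prediction resistance is the SP 800-90A option under which a DRBG reseeds from its entropy source before producing output, so that an attacker who has captured the generator's internal state cannot predict later output. The following Python implementation of HMAC_DRBG is an added example, not Nexpose's own RNG code: it replays the state-compromise scenario with and without prediction resistance. The entropy source is a constructed deterministic function so the demo is reproducible; a real deployment would seed from the operating system (os.urandom) or a validated entropy source.

```python
"""HMAC_DRBG (SP 800-90A, SHA-256) with optional prediction resistance.

Added example, not Nexpose code. The entropy source below is a constructed,
deterministic stand-in so the demo is reproducible; seed from os.urandom or a
validated entropy source in real use.
"""
import hashlib
import hmac


def make_entropy_source(label=b"demo"):
    """Constructed entropy source: returns a fresh 32-byte block per call."""
    counter = 0

    def source():
        nonlocal counter
        counter += 1
        return hashlib.sha256(label + counter.to_bytes(4, "big")).digest()

    return source


class HmacDrbg:
    OUTLEN = 32  # SHA-256 output length

    def __init__(self, entropy_source, nonce=b"", personalization=b"", reseed_interval=10_000):
        self.entropy_source = entropy_source
        self.reseed_interval = reseed_interval
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self._update(entropy_source() + nonce + personalization)  # Instantiate
        self.reseed_counter = 1

    @classmethod
    def from_state(cls, K, V, reseed_counter, entropy_source):
        """Rebuild a generator from a captured (K, V) state, as an attacker would."""
        clone = cls.__new__(cls)
        clone.entropy_source = entropy_source
        clone.reseed_interval = 10_000
        clone.K, clone.V, clone.reseed_counter = K, V, reseed_counter
        return clone

    def _update(self, provided=b""):
        # HMAC_DRBG_Update: fold provided data into the working state K, V
        self.K = hmac.new(self.K, self.V + b"\x00" + provided, hashlib.sha256).digest()
        self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
        if provided:
            self.K = hmac.new(self.K, self.V + b"\x01" + provided, hashlib.sha256).digest()
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()

    def reseed(self, additional=b""):
        self._update(self.entropy_source() + additional)
        self.reseed_counter = 1

    def generate(self, n, additional=b"", prediction_resistance=False):
        """Return n pseudorandom bytes. With prediction_resistance, fresh entropy is
        mixed in before output, so a previously captured state is of no use."""
        if prediction_resistance or self.reseed_counter > self.reseed_interval:
            self.reseed(additional)
            additional = b""
        elif additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self.V = hmac.new(self.K, self.V, hashlib.sha256).digest()
            out += self.V
        self._update(additional)
        self.reseed_counter += 1
        return out[:n]

    def snapshot(self):
        return self.K, self.V, self.reseed_counter


def attacker_predicts_next(prediction_resistance):
    """State-compromise scenario: the attacker copies (K, V) after one request and
    runs the algorithm forward. Returns True if the guess matches the victim's
    next output."""
    victim = HmacDrbg(make_entropy_source(b"victim"), nonce=b"nonce-1")
    victim.generate(32)  # normal use before the compromise
    # The attacker copies the state but has no access to the victim's entropy source.
    clone = HmacDrbg.from_state(*victim.snapshot(), entropy_source=lambda: b"\x00" * 32)
    actual = victim.generate(32, prediction_resistance=prediction_resistance)
    guess = clone.generate(32)
    return actual == guess


if __name__ == "__main__":
    print("without prediction resistance, attacker predicts:", attacker_predicts_next(False))
    print("with prediction resistance, attacker predicts:   ", attacker_predicts_next(True))
```

Without prediction resistance the clone reproduces the victim's next output exactly, because HMAC_DRBG is deterministic between reseeds; with it, the reseed pulls a block the attacker never saw, and the prediction fails. The cost is one entropy-source call per request, which is why the option is normally reserved for high-value keys rather than every random byte.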

 

Coverage improvements | product

New coverage expands your visibility into assets and threats in your environment:

  • You can now scan your environment for vulnerabilities in FreeBSD and the FreeBSD Ports and Packages Collection.
  • Vulnerability coverage has been added for a denial-of-service condition affecting some versions of HP iLO (CVE-2014-2601).
  • Fingerprinting has been enhanced for HP iLO devices. This ensures that the OpenSSL CVE-2014-0160 (Heartbleed) vulnerability check functions properly against HP iLO devices, some of which are sensitive to the denial-of-service condition described in CVE-2014-2601.
  • Authenticated scans of Oracle database installations now detect applied Critical Patch Updates, resulting in significantly improved fingerprinting and vulnerability coverage.
  • The Windows XP End of Support Check no longer identifies Windows Embedded for Point of Service (WEPOS) endpoints as obsolete, since Microsoft is still providing support for these assets.

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

End-of-life

32-bit installations

  • Rapid7 ended support for 32-bit versions of Nexpose on May 7, 2014, for both Windows and Linux operating systems. Rapid7 will no longer test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 has ended support for Internet Explorer 8 in alignment with Windows XP end of support.

 

Product Update IDs

  • Linux 64 | Update ID: 2335673894
  • Windows 64 | Update ID: 1932499511

Content update ID

  • Update ID: 3437790659

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


This Rapid7® Nexpose® 5.9.9 release contains the following updates:        

  • coverage improvements
  • application improvements

 

Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • The Scans page now includes a Current Scans table, which gives you the ability to run multiple scan types at once and view scan logs, as well as pause, resume, and restart scans listed in the table. This provides a central location where you can perform these tasks without navigating to other areas of the Security Console.
  • You can now edit a tag name and change the color if applicable, so you can modify tags in cases such as when the tag name is the name of a particular employee who has moved on to other projects.
  • The Security Console Home page now lists all the tags to which you have access, so you can navigate to them more easily.
  • The reporting data model Version 1.2.1 now includes service configuration information so you can query against configuration data such as banners and SSL certificates.
  • The processes for handling the ReportAdhocGenerate API request and SMTP report delivery now consistently delete temporary files once they are no longer in use. This prevents unnecessary disk space usage.
  • When you have access to an asset but not to its site, you are offered only the option to apply a vulnerability exception at the asset level, so it is clear which action you can perform.

 

Coverage improvements | product & content

New coverage expands your visibility into assets and threats in your environment:

  • You can now scan for vulnerabilities on Juniper Junos OS appliances.

 

Weekly vulnerability check update | content

New vulnerability and patch checks bring coverage up to date for the following operating systems and applications:

  • Adobe
    • AIR
    • ColdFusion
    • Flash
    • Reader
    • Shockwave
  • Apache
    • HTTP
    • Tomcat
  • Apple
    • iTunes
    • Java
    • OS X
    • QuickTime
    • Safari
  • Atlassian JIRA
  • BIND
  • CentOS
  • Cisco
    • ASA
    • IOS
    • PIX
  • Debian GNU/Linux
  • Google Chrome
  • IBM AIX
  • Joomla!
  • jQuery
  • Mozilla
    • Firefox
    • SeaMonkey
    • Thunderbird
  • OpenSSH
  • OpenSSL
  • Oracle
    • Database
    • Java Runtime Environment
    • Linux
    • MySQL
    • Solaris
  • PHP
  • PostgreSQL
  • Samba
  • SUSE
  • Red Hat Enterprise Linux
  • Ubuntu Linux
  • VideoLAN VLC
  • VMware
    • ESX
    • ESXi
    • Fusion
    • Player
    • Workstation

End-of-life

32-bit installations

  • Rapid7 has ended support for 32-bit versions of Nexpose as of May 7, 2014, for both Windows and Linux operating systems. After this date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 has ended support for Internet Explorer 8 in alignment with Windows XP end of support.

 

Product Update IDs

  • Linux 32 | Update ID: 4087092465
  • Linux 64 | Update ID: 2634420729
  • Windows 32 | Update ID: 2192869106
  • Windows 64 | Update ID: 2192869106

Content update ID

  • Update ID: 123004856

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


This Rapid7® Nexpose® 5.9.8 release contains the following updates:

  • coverage improvements

Coverage improvements | content

  • New checks provide up-to-date scan coverage for the vulnerability addressed by Microsoft's out-of-band Internet Explorer security bulletin dated May 1, 2014. For information about this bulletin, see Microsoft Security Bulletin MS14-021 - Critical. Use the checks in this update to verify that the latest Microsoft patches have been applied to system assets.

End-of-life

32-bit installations

  • Rapid7 has ended support for 32-bit versions of Nexpose as of May 7, 2014, for both Windows and Linux operating systems. After this date, Rapid7 will not test Nexpose or provide bug fixes or technical support for Nexpose on 32-bit installations. For more information, see the end-of-life policy at http://www.rapid7.com/docs/end-of-life-policy.pdf.

Browser support

  • Rapid7 has ended support for Firefox Extended Support Release (ESR) 17.x in alignment with Mozilla's Extended support policy.
  • Rapid7 ended support for Internet Explorer 8 on April 8, 2014, in alignment with Windows XP end of support.

Product Update IDs

  • Linux 32 | Update ID: 3934319177
  • Linux 64 | Update ID: 1941624385
  • Windows 32 | Update ID: 3542127198
  • Windows 64 | Update ID: 849007887

Content update ID

  • Update ID: 3719355711

Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.
