Nexpose August 2015 release annoucements

Document created by mglinski Employee on Aug 4, 2015Last modified by mglinski Employee on Sep 8, 2015
Version 17Show Document
  • View in full screen mode

To help you protect your environment against ever-evolving security threats, Rapid7 releases coverage updates for Nexpose on a weekly basis. Product IDs and installer links are added the day of the release. This page contains detailed announcements for the most recent Nexpose coverage releases:

To help you protect your environment against ever-evolving security threats, Rapid7 releases coverage updates for Nexpose on a weekly basis. Product IDs and installer links are added the day of the release. This page contains detailed announcements for the most recent Nexpose coverage releases:


This Rapid7® Nexpose® 5.17.0 release contains:         

  • database update notification
  • application improvements
  • accuracy improvement
  • recurring coverage


You still have time to upgrade your database!

Keep getting important and innovative Nexpose updates. Upgrade now to the latest version of PostgreSQL! New checks often require the latest product updates, so you'll need to upgrade to take advantage of all available security coverage.

  • If you haven't upgraded yet, it's easy; but do it soon!
    • You'll be able to get next week's product update, Nexpose 5.17.1. After that, you won't be able to access any more product updates without upgrading.
    • To access the migration utility, click the Learn more link in the upgrade notification in the Security Console. The utility guides you through the process and estimates how long it will take, based on your database size.

      s_NX_upgrade_link.png
    • Note: Running automatic or manual product updates does not upgrade the database. The only way to upgrade is to use the migration utility.
    • Read this blog post: The easy button for updating your Nexpose database, which describes how easy it is to run the migration, and includes a link to a short video tutorial.
    • Read this blog post: Get on the Path to Superpowers in only 1 Hour! for more information on why it's important to upgrade PostgreSQL.
  • If you've upgraded already, great! You're all set to keep receiving updates.


Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.


Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

      • You can now import asset data collected by the Rapid7 Labs Project Sonar, which is an initiative to scan all Internet sites. Because Sonar provides an "outsider" view of public-facing assets, this is a useful way to get an expanded view of the attack surface of your organization's Internet presence.
        • The import process involves activating a pre-configured connection in which the Security Console queries the Sonar server for asset data from a given domain.
        • Once you import Sonar data, you can organize the assets into dynamic asset groups and scan them for vulnerabilities or policy compliance.
        • Note that assets imported from Project Sonar do not count against your licensed asset scan limit. Any imported assets that you scan with vulnerability or policy checks will count against the limit.
        • For more information on Project Sonar, go to https://sonar.labs.rapid7.com

          s_nx_sonar_select_connection.png
        • We have introduced a number of improvements to scan management features to give you more flexibility and control:
          • When you click the Scan asset now button to run a manual scan on a single asset, you can select which site to scan the asset in, if the asset belongs to more than one site and if you have asset linking enabled. This can be useful in situations such as verification of a Patch Tuesday update on a Windows asset.
          • Also, when scanning a single asset, you can change the scan template from the one assigned in the site configuration. You may, for example, want to confirm remediation of an issue that caused a PCI scan to fail on a given asset. By switching to a PCI template, you can quickly make that confirmation.
          • When running a manual scan on a site, you can now change the Scan Engine from the one assigned in the site configuration. If you know, for example, that the currently assigned engine is in use, you can switch to a free one.
          • If you're a Global Administrator, you can stop all running and paused scans with one action. This is helpful in situations such as network outages, when you want to halt all scan activity quickly.

Watch a video.

      • We addressed an issue to ensure that only correct data appears in the Standard Policies table on an asset details page. If you use standard policy checks in your scans, you will be able to make more accurate assessments of your asset compliance.


Accuracy improvements | content

          

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

      • Fingerprinting of VMware ESX and ESXi hypervisors has been enhanced for better results so that you can track these products in your environment.


Recurring coverage | content

      • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.


Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


Product Update IDs

      • Linux 64 | Update ID: 1614055174
      • Windows 64 | Update ID: 1048060256


Content update ID

      • Update ID: 1911912326

This Rapid7® Nexpose® 5.16.3 release contains:                       

  • database update notification
  • application improvements
  • accuracy improvements
  • scanning improvement
  • new and recurring coverage


The clock is ticking! Upgrade your database by August 27!

 

August 27th is just days away! In order to access important and innovative Nexpose updates, you must upgrade to the latest version of PostgreSQL by August 27, 2015! New checks often require the latest product updates. You'll need to upgrade to take advantage of all available security coverage.

 

 

To access the migration utility, click the Learn more link in the upgrade notification in the Security Console. The utility guides you through the process and estimates how long it will take, based on your database size.

s_NX_upgrade_link.png


Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.


Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • You can now manage Security Console operations in Simplified Chinese, Japanese, or Korean. To change the language, click the User Preferences link under your user name in the upper-right-hand corner of the Web interface, and select your preferred language from the drop-down list labeled Display User Interface In. This release represents a significant investment in globalization to better support all of our customers. We will continue to invest in localization of vulnerability coverage, remediation guidance, new features, and documentation. Certain areas of the Web interface are not yet localized, and we will track these for updates in future releases:
    • NSX configuration
    • Dynamic Discovery connections
    • Dynamic Discovery statistics
    • Ticketing, which includes listing tickets and creating and editing tickets
    • Command Console
    • Diagnostics

s_nx_vun_sim_chinese.png

  • We corrected an issue to ensure that past scans are displayed in the scan calendar. This helps you keep track of when scans last ran so that you can plan future scans accordingly and prevent gaps in coverage.


Accuracy improvements | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • Vulnerability descriptions no longer include incorrectly placed special characters, making these descriptions easier to read.
  • We have removed coverage for certain Mozilla Firefox vulnerabilities that were incorrectly applied to PC installations of the browser. These particular vulnerabilities only affect Android platforms. This correction ensures more accurate vulnerability assessment of Firefox.
  • The check for PHP vulnerabilities CVE-2015-1351 and CVE-2015-1352 is now more accurate so that you can prioritize remediation efforts with better information.
  • The description and solution for Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca) are now more informative so that you have a better understanding of how this vulnerability exposes your environment and how to remediate it.
  • We have consolidated steps in vulnerability solutions that involve setting minimum password lengths. This makes the solutions easier to read and implement.
  • Remediation steps for the Disable IP source routing vulnerability are now clearer and easier to follow.


Scanning improvement | product & content

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • We fixed a fingerprinting issue that could potentially cause scans to fail so that you can gather the important information that fingerprinting provides without disrupting scans.


Coverage improvements | product & content

New coverage expands your visibility into assets and threats in your environment:

  • New coverage verifies that Microsoft's patch for the Internet Explorer vulnerability announced in its out-of-band MS15-093 security bulletin (August 18, 2015) has been applied to relevant assets in your environment.
  • If your organization uses Oracle Database 11gR2, you can now scan target installations to verify that they comply with Center for Internet Security (CIS) policies.


Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.


Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


Product Update IDs

  • Linux 64 | Update ID: 1415216635
  • Windows 64 | Update ID: 554001721


Content update ID

  • Update ID: 2556229186

 


This Rapid7® Nexpose® 5.16.2 release contains:                  

  • database update notification
  • application improvements
  • accuracy improvement
  • August 2015 Patch Tuesday checks and recurring coverage


Upgrade your database by August 27!  

Upgrade to the latest version of PostgreSQL by August 27, 2015, in order to access important and innovative Nexpose updates. New checks often require the latest product updates, so be sure to upgrade to take advantage of all available security coverage.


Click the Learn more link in the upgrade notification in the Security Console to access the migration utility. The utility guides you through the process and estimates how long it will take, based on your database size. Watch this brief tutorial on how to upgrade your database, and see this blog for more information.

s_NX_upgrade_link.png


Have you tuned your Nexpose database?          

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.


Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have addressed a vulnerability in the console that could allow malicious parties to launch a complex attack resulting in information disclosure or Denial of Service. Thanks to independent security researcher Jared McLaren for discovering and reporting the issue to us.
  • If you want to run a manual scan, and you only have one site, the Site setting does not appear as a drop-down list but as a label. This eliminates confusion, making it clear that only one site is available, so that you can proceed with the scan.
  • If you are running a remediation report on vulnerable assets with a risk score of 0, the report now includes solutions for them, so that your team will have access to the steps to correct security issues on these assets.
  • When a scan is paused and then stopped, the status page now identifies who stopped the scan instead of indicating Completed successfully. If you manage your team's scanning operations, this feature makes it easier to understand why a particular scan ended before a truly successful completion.
  • The Web interface page for a scan now shows the template that was used for that particular scan instead of the template that is currently configured for the site. If you use multiple templates within a site, this improvement gives you a better understanding of how the settings for a given scan influenced its results.


Accuracy improvement | content

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We corrected an issue that could cause a scan to hang during the attempt to acquire the execution channel when connecting to a target running SSH protocol. If you run scans on SSH servers, this improvement ensures better overall performance and results.


August Patch Tuesday checks | content

New vulnerability checks provide up-to-date Microsoft Patch Tuesday scan coverage for August 2015. For information about all current security bulletins covered in this release, see the Microsoft Security Bulletin Summary for August 2015. Use the checks in this update to verify that the latest Microsoft patches have been applied to system assets. These checks help you determine where new risks are located in your environment, allowing you to prioritize what needs to be remediated and help minimize risk.


Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.


Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


Product Update IDs

  • Linux 64 | Update ID: 3305907770
  • Windows 64 | Update ID: 2430754995

Content update ID

  • Update ID: 25623568

 


This Rapid7® Nexpose® 5.16.1 release contains:        

  • database update notification
  • application improvements
  • scanning improvement
  • accuracy improvement
  • coverage improvement and recurring coverage

 

Database update notification

Upgrade your database to the latest version of PostgreSQL by August 27, 2015, to prepare you for future product updates. View the notification in the Security Console for a link to the migration utility. Watch a video for detailed instructions on how to upgrade the database.


Have you tuned your Nexpose database?

Tuning your Nexpose database is an important best practice to ensure optimal performance for new features and core Nexpose operations, such as integrating scan data and generating reports. After you upgrade your database to the latest version (see preceding note) make sure to tune your PostgreSQL settings. See the section Tuned PostgreSQL settings in the Nexpose Administrator's Guide, which you can download from the Rapid7 community.


Application improvements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • You can now run filtered searches for assets that do not have host names. If your environment includes assets for which names are not available due to issues with your Domain Name Server (DNS) or authentication, for example, this search option ensures that you can track these assets and address their security issues.
  • When you search for assets based on last scan date, the date now refers to the last scan for a given asset rather than for the entire site. If you have assets with earlier scan-end dates than their sites, this ensures that your filtered searches return more accurate results for these assets, helping you keep better overall track of when assets were scanned.
  • A corrected issue ensures that XML and CSV Export formats include vulnerability proofs in all cases, so that you can include proof information whenever you export vulnerability data in these report formats.
  • If you generate e-mails from the Security Console to send alerts or distribute reports, you will see several improvements for the experience and productivity of your recipients:
    • Reports with no vulnerabilities now include the report name in the e-mail subject.
    • The e-mail date format matches RFC 2822 specifications, so that e-mails appear correctly in all languages.
    • If you do not use the SMTP relay option when sending e-mails, and if these e-mails are sent to MX servers, the process selects higher-priority servers instead of servers that may be offline or used less often.


Scanning improvement | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • If you have an engine scanning itself, the scan no longer runs indefinitely, so that you won't have scanning resources tied up in these cases.


Accuracy improvement | content 

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • The Center for Internet Security (CIS) policy for Redhat Enterprise Linux (RHEL) 6 is now correctly labeled in the Web interface as version 1.1.0. This fix removes any confusion if you are assessing RHEL 6 assets for CIS compliance.


Coverage improvement | content

New coverage expands your visibility into assets and threats in your environment:

  • A check now detects the use of the password s3cret for Tomcat Application Manager, so that you can reduce the attack surface for brute-force attempts to guess simple passwords.


Recurring coverage | content

  • New and updated vulnerability checks help you protect your environment against the latest threats. See all the operating systems and applications covered by these updates.


Installer links, md5sum links, and virtual appliance links

Click here for the latest installer links, md5sum links, and virtual appliance links.


Product Update IDs

  • Linux 64 | Update ID: 387674112
  • Windows 64 | Update ID: 3957111569


Content update ID

  • Update ID: 3285931173

Attachments

    Outcomes