Security End-of-Life Plugins Target Release Date Immediate...
This is going to cause us a lot of issues and will greenwash our environment - i.e. make our vulnerability state look much better than it would otherwise be.
Especially because individual vulnerabilities will get rolled up into a single SEoL plugin.
I don't understand why the severities are going to default as informational? If a product is out of support the community has to assume the worst - i.e. the product is vulnerable to unknown vulnerabilities.
I'm going to have to now continually work out any new SEoL plugins and recast them to Critical. I wouldn't be annoyed if I could do a filter on recasts, such as any plugin name that contains SEoL recast as critical, but I can't even do that...
Please give us an opt-out option or invest in the recast usability; this is such an awful update.
Just having old software is not a vulnerability until it's vulnerable, so INFO as default is not such a bad idea.
- 3 years ago
How do you know if it is vulnerable or not if the vendor doesn't acknowledge vulnerabilities in its end of life software?
- cezar1 3 years ago Connect Captain
As Zig wrote, Tenable will be monitoring it and will take care.
Anyway - if (for some reason, like in OT environments) you must have outdated software, then it's your duty to monitor it very carefully and use other methods, like zero-trust, VLAN separation and so on.
You can also always recast such SEoL plugins to Critical to have them visible in the reports.
- 3 years ago
I wasn't asking for advice on how to mitigate vulnerabilities, this is about identifying and reporting them.
I already mentioned we can recast plugins, but the functionality of recasts makes this difficult at scale.