Tenable Research Release Highlights

Forum Discussion

ibelyna
2 years ago

Security End of Life (SEoL) Plugin Conversions 2023 Q3

Change

In accordance with the SEoL framework published in late April of this year, we are updating and/or deprecating the legacy “Unsupported <x>” plugins to conform to the new plugin specification. Only the Unsupported plugins listed in the “Deprecated Plugin” table below have been deprecated and replaced with SEoL plugins - all other plugins that detect Unsupported software remain in service.

Impact

Customers should anticipate the legacy “Unsupported <x>” plugins to be deprecated and/or converted to their corresponding SEoL plugins. This may result in new findings and a more detailed picture of the exposure landscape associated with products in the SEoL state. 

Customer-created dashboards or reports that use the now-deprecated “Unsupported” plugins should be migrated to use the new SEoL plugins listed below. 

For additional details, please see the SEoL FAQ knowledge base article from June 2023. This FAQ covers questions about SEoL plugin severity ratings, considerations for extended vendor support agreements, and future product coverage.

Converted Plugins

Deprecated Plugin: 78506, Apache Subversion Client Unsupported Version Detection

New Plugin(s): Apache Subversion Client SEoL Plugins

Deprecated Plugin: 78507, Apache Subversion Server Unsupported Version Detection

New Plugin(s): Apache Subversion Server SEoL Plugins

Deprecated Plugin: 109318, Atlassian JIRA Unsupported Version Detection

New Plugin(s): Atlassian Jira SEoL Plugins

Deprecated Plugin: 151128, VMWare Carbon Black App Control Unsupported Version Detection

New Plugin(s): Carbon Black SEoL Plugins

Deprecated Plugin: 89684, Drupal Unsupported Version Detection

New Plugin(s): Drupal SEoL Plugins

Deprecated Plugin: 156032, Apache Log4j Unsupported Version Detection

New Plugin(s): Log4J SEoL Plugins

Deprecated Plugins: 71458, Nessus Unsupported Version Detection

148832, Nessus Agent Unsupported Version Detection

New Plugin(s): Nessus and Nessus Agent SEoL Plugins

Deprecated Plugin: 117461, Apache Struts Unsupported Version Detection

New Plugin(s): Apache Struts SEoL Plugins

Deprecated Plugin: 78555, OpenSSL Unsupported

New Plugin(s): OpenSSL SEoL Plugins

List of Deprecated Plugins

78506, 78507, 109318, 151128, 89684, 156032, 71458, 71461, 117461, 78555

Target Release Date

September 29, 2023

Additional Notes

For a complete list of SEoL plugin coverage, please visit https://www.tenable.com/plugins/search?q=%22SEoL%22.

Additional coverage requests can be made via Tenable’s Suggestions Portal at https://suggestions.tenable.com.  
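
For the dashboard and report migration mentioned under "Impact", the following is an added example, not Tenable's code and not part of the original post: it audits saved filters for references to the deprecated plugin IDs and for name patterns that match the legacy "Unsupported" names but none of the SEoL names. The filter layout (a plugin_ids string with commas and ranges, a name_regex string) and the sample filters are assumptions constructed for illustration.

```python
import re

# Deprecated IDs exactly as given in the post's "List of Deprecated Plugins".
DEPRECATED_IDS = {78506, 78507, 109318, 151128, 89684, 156032,
                  71458, 71461, 117461, 78555}

# Plugin names quoted on this page (legacy names from the conversion list,
# SEoL names from the replies), used to test name-based filters.
LEGACY_NAMES = ["Apache Subversion Client Unsupported Version Detection",
                "Drupal Unsupported Version Detection"]
SEOL_NAMES = ["Apache Subversion Server SEoL (1.10.x)",
              "Apache Subversion Client SEoL (1.8.x)"]

def expand_ids(spec):
    """Expand an ID filter such as '78506,78550-78560' into a set of ints."""
    ids = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_filter(flt):
    """Return migration findings for one saved filter (hypothetical layout)."""
    findings = []
    stale = sorted(expand_ids(flt.get("plugin_ids", "")) & DEPRECATED_IDS)
    if stale:
        findings.append(("deprecated_ids", stale))
    pattern = flt.get("name_regex")
    if pattern:
        rx = re.compile(pattern)
        hits_legacy = any(rx.search(n) for n in LEGACY_NAMES)
        hits_seol = any(rx.search(n) for n in SEOL_NAMES)
        if hits_legacy and not hits_seol:
            findings.append(("regex_misses_seol", pattern))
    return findings

# Constructed sample filters; the dict layout is an assumption, not an export format.
SAMPLE_FILTERS = {
    "EOL software": {"plugin_ids": "78506,78507,89684"},
    "Unsupported by name": {"name_regex": r"Unsupported Version Detection"},
    "Range filter": {"plugin_ids": "78550-78560"},
    "Already migrated": {"name_regex": r"\bSEoL\b"},
}

def audit_all(filters):
    """Map filter name -> findings, keeping only filters that need attention."""
    return {name: f for name, flt in filters.items() if (f := audit_filter(flt))}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FILTERS).items():
        print(name, findings)
```

The range case matters because an ID range that happens to span a deprecated plugin keeps looking valid while silently returning no findings once the plugin stops firing.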

3 Replies

  • stephanie_yode1
    Connect Contributor

    The wording "SEoL" is much easier to explain than "unsupported", where one is able to purchase bug/troubleshooting support but that may or may not include security patches. I hope when this makes it to operating systems there can be some standardization for the name pattern across the board. Currently when we use the existing plugins to report just on OSes, this is the list I have to filter for (shown in readable format, it's a regex in practice):

    Operating [Ss]ystem.*Extended Support

    Unsupported.*Operating [Ss]ystem

    Unsupported.*OS\b

    Operating System Unsupported

    Microsoft Windows.*Unsupported Installation Detection

    MacOS X Version Unsupported

  • joerg_gerschuet
    Connect Contributor

    In my opinion any SEoL should have a severity high or critical. Is there a reason why

    182270 "Apache Subversion Server SEoL (1.10.x)"

    182333 "Apache Subversion Client SEoL (1.10.x)"

    182337 "Apache Subversion Client SEoL (1.9.x)"

    182346 "Apache Subversion Client SEoL (1.11.x)"

    are rated "low" whereas from the same family

    182328 "Apache Subversion Client SEoL (1.8.x)"

    is rated "critical"?

    From past experience the low rated ones will never be adjusted in the future even if they get older and thus more severe (even if there might be arguments to have them "low" today). And also from experience nobody will take care about low ones as this is the often cited "risk based approach".

    EDIT:

    There are similar inconsistencies with "VMware Carbon Black App Control SEoL" and (sic!) "Tenable Nessus * SEoL"

    There should be a consistent rating of "Critical" throughout all SEoL plugins.

    • zcerkovnik
      Employee

      Hello Joerg. Please see the blog post which accompanied the release of the SEoL framework earlier this year. Additionally, there is an FAQ document that may help provide clarity.