Component Installs Require Paranoid Checks
Summary With this update, products that are deemed to be components of another application, will now require the scan to be run in paranoid mode to trigger generic vulnerability detection plugins. In this context, “generic vulnerability detection plugins” refers to plugins that cover advisories published by the component vendor (e.g., plugin ID 242325, SQLite < 3.50.2 Memory Corruption) rather than the operating system or “parent” application that distributes the component, either as a part of the operating system or a dependent tool of the parent application. Overview Tenable covers software that can be either installed as base level software, or be included as component software of a larger product installation. Base level software can be updated without any impact to the base product functionality. Component software is typically updated as part of the vendor update for the larger packaged product, and the individual components are not updatable. Non-paranoid scans will report base software vulnerabilities that are actionable. Paranoid scans will report on base software vulnerabilities as well component software vulnerabilities that are not actionable, but still package a potentially vulnerable version of the component. To enhance the accuracy of our vulnerability detection and provide users with greater control over scan results, we are implementing an update affecting how we flag vulnerabilities in software components. Our detection plugins for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules can now identify when these packages are installed as components of another parent application (e.g., SQLite bundled with Trend Micro’s Deep Security Agent), rather than as standalone installs. Key Changes: Non-Paranoid Scans: Scans running in the default mode will no longer flag generic vulnerability detection plugins for these component installs. This is because vulnerabilities in components generally cannot be patched directly; users must wait for the parent application's vendor to issue an update. OS Vendor Advisories Unaffected: This change does not affect plugins for OS vendor security advisories that cover the same vulnerabilities (e.g., plugin ID 243452, RHEL 9 : sqlite (RHSA-2025:12522)). Paranoid Scans: For scans running in paranoid mode, generic vulnerability detection plugins will still trigger for component installs if the detected version is lower than the expected fixed version. Expected Impact: Customers running non-paranoid scans should anticipate seeing a reduction in potential vulnerability findings for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules that are installed as components. Technical Details: The changes are entirely contained within two shared libraries, vcf.inc and vdf.inc, utilized by the affected plugins. This update impacts approximately 750 plugins specific to OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, and SQLite. Targeted Release Date: Friday, February 6, 2026
Compliance Windows Command Execution Enhancement
Summary The Windows Compliance Check plugin is implementing an updated library to run commands on Windows targets. The enhancements will include the following benefits. The plugin will improve on its handling of command timeouts. There were issues when long running commands would timeout on the scanner but leave temporary files on the target. This update will force long running checks to close when timing out and remove temporary files. The recently released improved resource management controls for Windows plugins on agents will now be extended to running audits. Potential Impacts: Tenable has gone to great lengths to ensure that the content that it publishes will operate and produce the same results that it always has. Customized audits may exhibit some changes due to the introduced job control of the command execution. These changes tend to be compliance checks that generate different results (failure instead of passing), or the actual values of the check have different text that would affect baseline scans. If custom content does exhibit these issues, strategies to work with the new library can be found in Compliance WMI Library Enhancement. Tenable Plugins 21156 - Windows Compliance Checks Target Release Date February 9, 2026Disable Red Hat repository correlations and strictly use package version checks
Summary With this update, users will now have the ability to disable the requirement to consider the enabled yum updated repositories before proceeding to package version checks to determine vulnerability status for Red Hat Local Security Checks plugins. This option can now be toggled on/off via the scan policy.To toggle this new feature in your scan policy, navigate to Settings > Advanced > Vulnerability Options and toggle "Disable RedHat repository correlations and strictly use package version checks" on/off as desired. Background To understand how Tenable's Red Hat Local Security Checks plugins currently work, please refer to the following document: How Red Hat Local Vulnerability Checks Use Repositories To Determine Scope. Expected Impact Users should potentially expect to see more Vulnerability findings in their scans when this option is enabled. This is expected because the plugins will no longer consider whether or not the target machine has the specified repository enabled to receive the fixed package(s). Instead, the plugins will only check that any version of the affected package is installed, and proceed straight to version comparison. Tenable's RPM package parsing libraries have extensive functionality to ensure package version checks are as accurate as possible, but due to the potential differences in epoch versions and package naming and versioning discrepancies between the different repositories, potential false positives are possible when this feature is enabled. Affected Plugins Red Hat Local Security Checks Targeted Release Date Thursday, February 5, 2026 Note, not all Red Hat Local Security Check plugins can avail of the this feature yet. Only plugins that have include("rpm2.inc") can use this new feature. There is work ongoing to bring all of these plugins up to date.Improvements to Live Kernel Patching Detection
Summary Tenable has improved Live-Patched Kernel detection to include KernelCare. Change Tenable has improved the logic used to detect live-patched kernels to include the running kernel to support KernelCare for Alma Linux, CentOS, CentOS Stream, Fedora, Oracle Linux, Red Hat Linux, and Ubuntu Linux. Impact Upon release, customers using KernelCare will have the running kernel properly detected and referenced during vulnerability scans. Plugin output will specify which live-patch technology (KernelCare in this case) was detected and whether the appropriate hotfix is installed. For example: >The specified patch KernelCare hotfix for ELSA-2025-7898 has been installed. Note: Existing Oracle Linux Plugins must be updated to include the new plugin output. This will not affect live patch functionality -- only plugin output. This will occur over time to reduce churn. It is expected that all plugin updates will be complete by February 16, 2026. No plugin updates will be required for the updated support for Alma Linux, CentOS, CentOS Stream, Fedora, Red Hat Linux, or Ubuntu Linux. Target Release Date February 9th, 2026
[GA] Introducing Tenable Plug-in for Jira (On-Prem) Integration v11.0.0
We are excited to announce the release of the Tenable Plug-in for Jira (On-Prem) Integration v11.0.0. Release Date: January 28, 2026 Download: Tenable Plug-in for Jira On-Prem (Atlassian Marketplace) Docs & User Guide: View Documentation Tenable Integrations Page: Tenable Plug-in for JIRA (on-prem) What’s New in v11.0.0? Jira 11 Support: Added full support for Jira 11.x Data Center environments. Modernized Tech Stack: Updated to support Java 21 and Atlassian SDK-9.9.1. Important Compatibility Note: Version 11.0.0 is NOT backward compatible with Jira versions earlier than 11.x. If you are running Jira 9.x or 10.x, we recommend you upgrade to v11. Questions? We're here to help! Reach out to us at connect.tenable.com. Happy Upgrading! – Ahmad Maruf Tenable Ecosystem Product Management
Ruby Gem Enumeration Detection Updates
Summary Tenable has updated the Ruby gem enumeration plugins to reduce false positives and to better identify vulnerabilities when multiple packages are present on the scan target. Change Before this update, the Ruby gem enumeration plugins did not attempt to associate detected packages with an RPM or DEB package managed by the Linux distribution. This would cause some packages to report vulnerabilities both based on a Linux distribution vendor’s advisory and a CVE advisory from the Ruby gem maintainer. Some gems that are symbolically linked across the filesystem could be detected multiple times. After this update, these issues have been addressed. Vulnerable Ruby gems on Linux assets will be assessed to determine if they are managed by a Linux distribution’s package manager, and if so, will be marked as “Managed” and will not report a vulnerability, unless the [Override normal Accuracy] setting to Show potential false alarms setting is enabled for the scan. Gems that are symbolically linked will be followed to the source file; duplicate detections will be eliminated. The gem enumeration plugins will no longer report the list of detected gems in plugin output; rather, they will use only internal storage mechanisms to record the detected gems, so that Ruby vulnerability plugins can continue to use that data for version checks. Impact Most customers will notice a reduction in the volume of Ruby gem vulnerabilities reported. Detection plugins 240646 - Ruby Gem Modules Installed (macOS) 207584 - Ruby Gem Modules Installed (Linux) 207585 - Ruby Gem Modules Installed (Windows) Target Release Date March 2, 2026Improved Resource Management Control
Summary Improved resource management control for plugins leveraging Windows Management Instrumentation (WMI) on Nessus Agent 11.1.0 or higher. Impact Customers with Nessus Agent 11.1.0 and later versions will have the ability to granularly control the CPU resources consumed during scans. This update ensures that plugins respect the resource usage setting selected during scan configuration by launching commands as children of the Nessus Agent, rather than invoking them via WMI. The release of these plugins will continue through January, with a phased approach over three weeks. The first release will be January 13th, the second January 20th, and the final planned plugin update on February 9th. Target Release Date Phase 1 plugin set: January 13, 2026 Phase 2 plugin set: January 20, 2026 Phase 3 plugin set: February 9, 2026Research Release Highlight - Backported Vulnerability Detection Improvements
Summary Backporting is the practice of using parts of a newer version of software to patch previous versions of the same software, most commonly to resolve security issues that also affect previous versions. For example, if a vulnerability is patched in version 2.0 of a piece of software, but version 1.0 is also affected by the same security hole, the changes are also provided as a patch to version 1.0 to ensure it remains secure. Tenable Research identifies backported software installs based on the server banners that the service returns. Previously, when a backported install was detected during a non-paranoid scan, downstream vulnerability plugins would not report the install as vulnerable. During a paranoid scan, vulnerability plugins would act upon the version returned in the banner and would flag if a vulnerable version was installed. Exact details of this process were outlined in this article. This approach was false positive prone and was difficult to maintain accurately due to inconsistent & untimely information from vendors detailing their backported fixes. Change As discussed in the above article, Tenable Research previously maintained a list of known backported banners. If a delta existed between the release of a backported fix & an update made by Tenable Research, a false positive result may have occurred in scans during this time. Following this change, any banners which indicate the software is packaged by a Linux distribution will be deemed to be backported by default. These types of banners typically follow the format of <product>/<version> (<Operating System>) ( E.g., Apache/1.2.3 (Ubuntu) ). Impact During non-paranoid scans, customers can expect improved coverage for products which contain backport fixes that are detected remotely. As a result of this, a reduction in false positives being reported is also expected. Enabling paranoia in a scan configuration will continue to cause backported installs to be treated as regular installs by vulnerability checks. For more accurate vulnerability checks which don’t rely upon the content in a server banner, customers can leverage credentialed or agent-based local checks. Target Release Date January 22, 2026Distinct Agent Plugin Databases for RPM-Based Distributions
Summary Tenable will now provide separate agent plugin databases for RPM-based Linux distributions. Impact Historically, the majority of plugins for RPM-based Linux distributions have all been distributed via a single artifact. Starting with Nessus Agent 11.1.0, Tenable will now publish separate artifacts based on the following plugin families: Alma Linux Local Security Checks CentOS Local Security Checks Miracle Linux Local Security Checks Oracle Linux Local Security Checks Red Hat Enterprise Linux Local Security Checks Rocky Linux Local Security Checks As a result, customers will see a reduction in the overall size of the agent database (15-31% reduction at rest, 7-14% downloaded), directly leading to smaller updates and reduced resource consumption during the update process. This improvement will be available to all customers using Agent 11.1.0 or later versions. Target Release Date January 13, 2026Research Highlight - New Plugin Family: Miracle Linux Local Security Checks
Summary Tenable will now provide vulnerability check plugins for Miracle Linux. Impact Customers with Miracle Linux systems in their environments will be able to scan them for vulnerabilities. These plugins will belong to the “Miracle Linux Local Security Checks” family. At initial release, there will be approximately 1,500 new plugins for Miracle Linux. Use of these plugins will require Agent 11.1.0 and above. Target Release Date January 13, 2026
