Fudo Security API v2 Compatibility
Summary Tenable is proud to announce compatibility with Fudo API v2. Customers now have the option to use both the API v2 and API v1 of the Fudo Security Privileged Access Management (PAM) solution. The API v2 uses API key authentication and not username and password, so customers using the integration credential now have a field for API URL and API Key. Further information regarding these changes and other helpful configuration tips for scans can be found by following the provided link to the FUDO section of Tenable's documentation page. Impact Existing scan configurations remain unaffected. Customers utilizing the integration will observe that the integration collects identical information, irrespective of the API version employed. Target Release Date 09/16/2025 for TVM and Nessus, TBD for SC
Improved Printer Fingerprinting
Summary This document addresses an issue where network printers generate unnecessary prints when scanned, even with the "Don't Scan Printers" setting enabled. The fix involves improving the SNMP identification process for printers by falling back to default community strings and ports if an incorrect community string is initially configured. Background Currently, if a customer configures an incorrect SNMP v1/v2(c) community string for a device, Plugin ID 11933 / "Do not scan printers" fails to revert to using well-known, default SNMP v1/v2(c) community strings and ports, unlike other plugins. This failure can prevent accurate identification of network printers, leading to them being scanned and in some cases, may inadvertently queue print jobs on printers Impact The following assumes the user has enabled the "Do not scan printers" setting in their scan policy and the network printer is correctly identified as such: Potential Decrease in Reported Vulnerabilities: Network printers will be less heavily scanned, potentially leading to a decrease in reported vulnerabilities related to these devices. Slight Increase in Packet Traffic: There will be an increase of approximately three packets per host as the system attempts fallback SNMP connections. Printers Marked as "Dead": Network printers that are successfully identified via SNMP will be marked as "dead" and will not be scanned further. This change aims to enhance the effectiveness of identifying network printers using SNMP, thereby reducing unnecessary and potentially damaging traffic directed at these devices. The resulting decrease in reported vulnerabilities is an expected outcome, as identified printers will no longer be subjected to heavy scanning. Users can continue to scan network printers by enabling the "Scan Network Printers" setting under “Host Discovery -> Fragile Devices -> Scan Network Printers” in the scan policy. This ensures that printers are scanned and not marked as dead, irrespective of fingerprinting. Affected Plugins 11933 ( "Do not scan printers") Affected Scan Policy Settings Discovery -> Host Discovery -> Fragile Devices -> Scan Network Printers Tenable Security Center Tenable Vulnerability Management Tenable Nessus Target Release Date: Monday, September 15, 2025
Include/Exclude Path and Tenable Utils Unzip added to Log4j Detection
Summary Tenable has updated the Apache Log4j detection plugins. The Windows plugin will now honor the Include/Exclude Filepath configuration option. The Linux/UNIX plugin will now use the version of ‘unzip’ supplied with the Nessus Agent, when enabled in the Agent’s configuration, and correctly inspect the MANIFEST.MF and pom.properties files. Change Before this update, plugin 156000, Apache Log4j Installed (Linux / Unix), would fail to detect Log4j in specific scan scenarios. The plugin uses several inspection methods to determine if a JAR file is a copy of Log4j. During Nessus Agent scans, as well as scans with ‘localhost’ as a target, the plugin was not properly executing the unzip command to inspect META-INF/MANIFEST.MF and pom.properties files in the JAR archive. If this method was the only option that would result in a successful detection, the copy of Log4j would not be detected properly. In addition, the plugin had failed to launch the unzip binary supplied with the Agent when inspecting files in JAR archives. Note: The Nessus Agent can be configured to use find and unzip binaries that it provides, instead of those supplied by the asset’s operating system. See https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Agent_Performance_Options for more information. Also before this update, plugin 156001, Apache Log4j JAR Detection (Windows), would fail to honor the directories included or excluded for full-disk searches configured in the Windows Include Filepath and Windows Exclude Filepath directives in the Advanced Settings of a scan config. Note: Configuration of these options is described in https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Windows_filesearchOptions. After this update, plugin 156000 will use the Agent-supplied copy of unzip when configured to do so. If this option is not enabled in the scan config, the plugin will use the existing method to find and execute an archive utility supplied by the asset’s operating system. In either case, the plugin will properly inspect Log4j’s MANIFEST.MF and pom.properties files as a version source. Plugin 156001 already properly inspects these files. Also after this update, plugin 156001’s Powershell code will now honor directories included or excluded by the Filepath directives. Plugin 156000 already supported this feature. Impact When scanning Linux / UNIX assets via 'localhost' (i.e. scanning the scanner itself) or with the Nessus Agent, additional Log4j instances from MANIFEST.MF or pom.properties sources may be reported. For Linux Nessus Agents with "Use Tenable supplied binaries for find and unzip" enabled and "Agent CPU Resource Control - Scan Performance Mode" set to Low, plugin 156000 will now properly limit CPU usage during scans. As noted in the product documentation, “Note: Setting your process_priority preference value to low could cause longer running scans. You may need to increase your scan-window timeframe to account for this value.” Customers should be aware of this configuration setting and potential changes to the results provided in the Log4J detection results. When scanning Windows targets, Log4j JAR files stored in paths specified in the Windows Exclude Filepath configuration will no longer be detected. Log4j JAR files stored in paths or drives specified in the Windows Include Filepath configuration that had not been previously scanned will now be detected, assuming they can be assessed before the plugin’s configured timeout has been reached. Plugins 156000 - Apache Log4j Installed (Linux / Unix) 156001 - Apache Log4j JAR Detection (Windows) Target Release Date September 1, 2025Excluding the SUSE Linux Snapshots directory from Language Library enumeration
Summary The “language library” enumeration plugins will now exclude SUSE Linux’s snapshots directory when searching the filesystem. Change Before the update, when enumerating “language libraries” - such as Python packages, Node.js modules, etc. - on SUSE Linux hosts that use btrfs as their filesystem, reduced scan performance was observed. This is because btrfs creates and maintains snapshots in the /.snapshots directory, which can contain multiple redundant copies of files. This caused unnecessary processing on thorough scans. After the update, this snapshots directory has been excluded from searches executed by the find command for language library enumeration plugins on SUSE Linux. Impact This change is expected to improve the performance of scans on SUSE Linux assets. If language libraries were present in snapshots directory, they will no longer show up in Tenable scan results, along with any associated vulnerabilities. If customers would like to scan the snapshots directory, the "Include Filepath" option in the Advanced Scan Settings configuration can be used to force the scanning of these paths. Plugins 178772 - Node.js Modules Installed (Linux / Unix) 190687 - NuGet Installed Packages (Linux / Unix) 164122 - Python Installed Packages (Linux / Unix) 207584 - Ruby Gem Modules Installed (Linux / Unix) Target Release Date September 3, 2025
🚨 Announcing: Tenable AI Exposure 🚨
AI platforms like ChatGPT Enterprise and Microsoft Copilot are boosting productivity, but they also expand your attack surface. AI Exposure, now in Tenable One, gives security teams the visibility and control they need to see, secure, and govern AI use across the organization. Tenable AI Exposure is currently available as a private customer preview for companies actively using ChatGPT Enterprise and/or Microsoft Copilot. If you are interested in joining this exclusive 120-day preview, please sign up through the form found on our product page. With AI Exposure, customers will be able to: Gain deep visibility into AI usage, including prompts, data flows, and risky interactions Identify misconfigurations or unsafe integrations that may expose sensitive data Monitor for AI-specific threats like prompt injection or other AI attacks Enable enforcement of organizational policies and governance standards for AI usage Deploy quickly without agents or disruptions in five minutes or less 🔍 To learn more about AI Exposure, visit our product page.GA Announcement: Tenable Patch Management 9.3.968.19 (On-Premise) Release
Release Date: July 31, 2025 Download & Instal/Upgrade: Download the latest version (9.3.968.19) here (https://www.tenable.com/downloads/tenable-patch-management) Changelog: See Tenable Patch Management Release Notes (https://docs.tenable.com/release-notes/Content/patch-management/2025.htm#July-31,-2025-) Documentation: Tenable Patch Management Documentation (https://docs.tenable.com/integrations/patch-management/Content/welcome.htm) Hi everyone, Tenable is pleased to announce the release of Tenable Patch Management 9.3.968.19, featuring major feature upgrades, new database server requirements, quality improvements, critical security, and bug fixes across the platform. Tenable strongly recommends upgrading to 9.3.968.19. Key Release Highlights - Cross Platform Installation Enhancements: Cross-platform installers now support runtime parameters, eliminating the need to edit and distribute config files. Use switches similar to the Windows installer. See Tenable Patch Client Installation and Uninstallation (https://docs.tenable.com/integrations/patch-management/Content/client-installation.htm) for guidance. - New Client Auto-Upgrade Feature: A new auto-upgrade process enables clients to seamlessly upgrade to match the server version (9.3+). See Upgrade Tenable Patch Clients Using Automatic Deployments (https://docs.tenable.com/integrations/patch-management/Content/use-auto-deplpys.htm) for steps. - Minimum SQL Server Version Requirement Updated: SQL Server 2017 or higher is now required. Recommended: SQL Server 2019+ with compatibility level 150+. See Database Requirements and Configurations (https://docs.tenable.com/integrations/patch-management/Content/db-req-config.htm) for details. - Resolved SQL Injection Vulnerability: Fixed a SQL injection vulnerability in the login process affecting versions prior to 9.2.XXX, 9.1.XXX, and prior versions. The issue was resolved by implementing parameterized queries. Therefore, Tenable strongly recommends upgrading to 9.3.968.19. See the related Tenable Security Advisory (https://www.tenable.com/security/tns-2025-15) - Microsoft 365 Patching Support: Native Patching Support for the following versions of Microsoft Office: MS 365, Office 2024 LTS, Office 2024, Office 2021, Office 2019 and 2016 (EOL scheduled for Oct 2025), Visio and Project (starting with version 2021). No more manual packaging! Using the new delta updates, monthly updates now reduced to 30-50MB from 3GB per language, saving up to 95% bandwidth. - Fix for Missing DLL Causing Dell Driver Installation Failures: Resolves an issue where Dell drivers failed to install and Compliance Status showed "Non-Compliant" on Clients running 9.2.XXX due to a missing DLL. This release restores the required DLL, ensuring proper functionality for new installations going forward. Please note: Upgraded clients from version 9.1 or 9.0 do include this DLL and will not experience the issue. Server Updates Improvements: -Dynamic Logging Config: Automatically reloads logging settings when config file is updated. -Optimized Bulk Messaging: Default bulk_messaging_batch size reduced from 100 → 25. -Secure Login Queries: Emails are now securely passed via parameterized queries during login. Bug Fixes: -Flexible ACR Input: Now supports both float and integer in ACR field. -Patch Submission Cleanup: Deletes associated strategy records when patch is removed. -Device Status Filtering: Device table only displays relevant product installations. -Workflow Validation: Better validation for runtime expressions in file system operation nodes. -Deployment Approval Checks: Fixed issue where patches deployed without full approval. -STRING_AGG Overflow: Crash resolved when string length exceeds 8,000 chars. -Business Unit & Metadata Health Fixes: Improved accuracy in patch system health and business unit filters. Client Updates New Features: Client Auto-Upgrade UI Support: - Manage upgrade settings. - View current version info. - Pause or trigger upgrades manually. Microsoft 365 Auto-Update Logic: - Disables auto-updates when WSUS is licensed and wsus.O365 = true. - Enables proper scan classification for M365 products. Improvements: -AngularJS upgraded from 19.1.3 → ^19.2.10 -Auto-Reload Logging Config: Log config changes take effect instantly. -jemalloc for Linux Clients: Improves memory efficiency. -Better Filter UI: More readable operators in advanced filters. Bug Fixes: -SMTP Email Blocking: Fixed server startup failure due to invalid SMTP config. -Patch Rescan Delay: Rescan now triggered promptly when patch removed from block list. -macOS VPN Fix: Resolved connection issue over VPN. -Compliance State: Now updates when new patches are found. -UI Menu Fixes: Corrected header icons in User and Patching dashboards. -Data Provider Editor: Fixed switching errors in the data provider settings. - Advanced Filter UI: Enforced correct behavior for NOT operator child conditions. - Folder Search Fix: Resolved parent folder search override in object tables. Questions? We’re a ping away! Reach us at connect.tenable.com. Thanks to everyone involved in making this release happen! – Ahmad Maruf Product Manager Tenable Patch ManagementGA Release 6.1.0 – Tenable Apps on ServiceNow Store Are Now Yokohama Platform Compatible!
Release Date: July 30, 2025 Download and Install/Upgrade: - Service Graph Connector for Tenable (https://store.servicenow.com/store/app/d102bfea1ba46a50a85b16db234bcbf7) - Tenable for ITSM (https://store.servicenow.com/store/app/524caf6e1b246a50a85b16db234bcb3b) - Tenable.ot for Vulnerability Response (https://store.servicenow.com/store/app/b9bcefee1b246a50a85b16db234bcb47) Documentation: ServiceNow Documentation (https://docs.tenable.com/integrations/ServiceNow/Content/Welcome.htm) What’s New: Tenable announces the General Availability of version 6.1.0 for our ServiceNow applications. This release ensures full compatibility with the Yokohama Platform Release. Included Tenable Applications on ServiceNow Store: Service Graph Connector for Tenable, Tenable for ITSM, and Tenable.ot for Vulnerability Response Platform Compatibility: - Tenable Vulnerability Management - Tenable Security Center version 5.7 or later - Tenable OT Security - ServiceNow releases: Washington, Xanadu, Yokohama Required Plugins: If you are upgrading from a legacy version, the following plugins must be installed and updated: Required: - ITOM Discovery License – version 1.0.0 - ITOM Licensing – version 1.0.0 - CMDB CI Class Models – version 1.76.0 - Integration Commons for CMDB – version 2.19.0 Optional (based on use case): - Domain Separation (required when using Domain Separation) - ServiceNow Vulnerability Response – version 23.0.0 (required for Vulnerability Response functionality) - Incident – version 1.0.0 (required for ITSM functionality) Looking Ahead: We are currently finalizing our engineering efforts and are nearing code completion for the upcoming ServiceNow Zurich release. We anticipate that all of our applications will be certified and published either shortly before or soon after the official release. Questions? We're here to help!Reach out to us at connect.tenable.com. Ahmad Maruf Product Manager Tenable EcosystemGeneral Availability (GA) of version 3.1.0 of the Tenable App for Microsoft Sentinel!
Release Date: July 17, 2025 Hi Everyone! We're excited to announce the general availability (GA) of version 3.1.0 of the Tenable App for Microsoft Sentinel! This release includes several key updates, enhancements, and expanded functionality to help you get the most from your integration. Download and Install the App: Tenable App for Microsoft Sentinel - Azure Marketplace (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/tenable.tenable-sentinel-integration) Documentation: Installation and Upgrade Guide (https://docs.tenable.com/integrations/Microsoft/Azure/Content/install-sentinel.htm) Changelog: What's New in v3.1.0? Updated Python runtime to 3.12 Upgraded pyTenable SDK to v1.7.4 Added Support for Web Application Scanning (WAS) Asset and Vulnerability data ingestion Bug fixes and Architectural Redesign Replaced Queue Trigger functions with Durable Functions Added support for Microsoft's Log Ingestion API, including updated papers and playbooks Important Upgrade Information Do not attempt an in-place upgrade. You must remove the existing Function App and associated resources before deploying 3.1.0. This release conforms to Microsoft's new requirements and uses Microsoft's new Log Ingestion API (https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal), which relies on Data Collection Rules (DCRs) and Data Collection Endpoints (DCEs). Due to DCR constraints, tables from previous versions are not compatible and cannot be used. For detailed, step-by-step guidance, refer to the official documentation above. Questions? We're here to help! Reach out to us at connect.tenable.com. - Ahmad Maruf Product Manager Tenable EcosystemTenable Enhances Its Cloud Security Solution with Expanded Just-in-Time Access
Tenable has enhanced its Just-in-Time (JIT) Access capabilities to provide more comprehensive and streamlined cloud security for organizations. The Just-in-Time (JIT) Access feature significantly strengthens cloud security by granting temporary, need-based access to sensitive resources, minimizing the risks associated with persistent privileges. This approach offers several critical benefits for organizations striving to enhance their cloud security posture: Reduced Attack Surface: By eliminating always-on privileges, JIT Access significantly minimizes the window of opportunity for attackers to exploit compromised identities. Enhanced Security Posture: Granting access only when required and for a limited duration adheres to the principle of least privilege, mitigating the risk of both external threats and insider misuse. Seamless User Experience: Tenable's JIT Access offers user-friendly workflows, including integration with popular messaging platforms like Slack and Microsoft Teams, allowing users to request and receive necessary access without disrupting their productivity. Improved Auditability and Compliance: The solution provides a clear and comprehensive audit trail of all access requests, approvals, and session activities, simplifying compliance with various regulatory frameworks. Achieving Zero Standing Privileges: Tenable's JIT Access empowers organizations to move towards a "zero standing privileges" model in their cloud environments, a critical step in modern cybersecurity. For more information, please visit the page.Vulnerability Scanning Container Directory Exclusion Summary
Vulnerability Scanning Container Directory Exclusion Summary Directories that store container image layers will be excluded by default from vulnerability scanning for Tenable Vulnerability Management, Security Center and Nessus. The directories that will be excluded are those configured for container storage by the container management solution. Docker: The "Docker Root Dir:" as returned by the "docker info" command. This is /var/lib/docker by default. Podman: The "graphRoot:" as returned by the "podman system info" command. This defaults to /var/lib/containers/storage. containerd: The "root =" directory as returned by the "containerd config dump" and "containerd config default commands. This location is /var/lib/containers/storage by default. CRI-O: The "storage graph root:" as returned by running "crio status info". This location is /var/lib/containers/storage by default. What is the impact? Vulnerabilities previously detected as a result of scanning these directories will become mitigated on the next scan and findings not returned in future scans. These findings are a result of examining the container image layers on the filesystem. The container may not necessarily be running and represent risk to your organization and customers generally consider these results as false positives since they are managed Docker deployments. Tenable Cloud Security is designed to secure container images and provide pre-deployment validation. Recursively scanning these directories is a resource and time consuming process. The exclusion of the directories may also result in decreased scan times. Can I override the change? You could add an Include Filepath rule to your scan configuration in order to override the default exclusion behavior. This may be found under the Scan Policy Advanced Options. A note of caution that overriding the default behavior could affect scan performance or give results that are unable to be remediated since within a managed container. In order to include a directory that is automatically excluded, the user include filepath has to match the excluded directly exactly. Example: If your Docker configuration uses /var/lib/docker for container storage you would add /var/lib/docker to your user filepath inclusions. Adding a more or less specific location will have no effect. What are the affected plugins? At the time of this release highlight publication, the following plugins are leveraging find: 142023 - Apache Cassandra Installed (Linux) 133766 - Apache Maven Installed (Linux / Unix) 135172 - Oracle NoSQL Database Installed (Linux) 117706 - MagniComp SysInfo Installed (Linux/UNIX) 111679 - FasterXML Jackson Databind Detection for Linux/UNIX 112063 - Kubernetes Installed (Linux) 136340 - nginx Installed (Linux/UNIX) 131566 - Atlassian Jira Installed (Unix / Linux) 147817 - Java Detection and Identification (Linux / Unix) 132771 - Palo Alto Cortex XSOAR Installed (Unix / Linux) 132872 - Foxit Reader Installed (Linux) 174788 - SQLite Local Detection (Linux) 151883 - Libgcrypt Installed (Linux/UNIX) 99671 - Apache Struts Detection for Linux/UNIX 156000 - Apache Log4j Installed (Linux / Unix) 141394 - Apache HTTP Server Installed (Linux) 71642 - Oracle Installed Software Enumeration (Linux / Unix) 156551 - Oracle MySQL Enterprise Monitor Installed (macOS) 124276 - Oracle Tuxedo Installed (Linux/UNIX) 73913 - Oracle WebLogic Server Detection 133962 - Sophos Anti-Virus Installed (Linux) 186361 - VMWare Tools or Open VM Tools Installed (Linux) 187057 - OwnCloud OwnCloud Installed (Linux) 70349 - Adobe Acrobat Installed (Mac OS X) 72202 - JBoss Detection 147022 - SAP Adaptive Server Enterprise (ASE) Installed (Linux) 163488 - Terraform Configuration Detection for Linux/UNIX 77028 - IBM Installation Manager Detection (Linux / Unix) 145032 - IBM WebSphere eXtreme Scale (Linux) 144633 - IBM MQ Server and Client Installed (Linux) 136341 - Dell EMC Data Protection Central Installed (Linux) 133964 - SELinux Status Check 159273 - Dockerfile Detection for Linux/UNIX 174164 - Google Protobuf Go Module Installed (Linux/UNIX) 158567 - Citrix Workspace App Installed (nix) 55420 - Adobe Reader Installed (Mac OS X) Target Release Date April 30, 2025
