Overview of Callbacks in Log4j Remote Detection Plugins The...
Overview of Callbacks in Log4j Remote Detection Plugins The following is an overview of callbacks in Tenable plugins for Log4Shell that perform remote detection 155998, 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669. A HTTP request is sent by the scanner to the target being scanned with a benign payload containing a unique token. The target, if vulnerable, will act on the payload. Tenable tracks the target’s action on the payload via a callback to our hosted environment (plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166,156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669) based on the unique token that was embedded in the initial request or via the LDAP connection callback to the scanner for plugin 155998. The callback is needed given the nature of the vulnerability as execution of the payload happens on the target being scanned. In plugin 155998, the callback happens to the scanner. This is the reason the plugin is not supported on Tenable.io cloud scanners In plugins 156014, 156016, 156017, 156035, 156056, 156115, 156132, 156157, 156158, 156162, 156166, 156197, 156232, 156256, 156257, 156258, 156375, 156445, 156559, and 156669 as part of execution of the payload, the target tries to resolve a domain owned by Tenable. While resolving the domain, Tenable is able to see the unique token that was sent in the initial request and thereby can track the callback. These plugins come with the major benefit that credentials are not required for scanning. However, the callbacks need to be successful for the plugin to be able to identify the exposure. Hence, communication between the target being scanned and the callback server must not be interrupted by intermediary devices. For more details: https://community.tenable.com/s/feed/0D53a00008E3hKzCAJ https://www.tenable.com/blog/cve-2021-44228-proof-of-concept-for-critical-apache-log4j-remote-code-execution-vulnerabilityVulnerability Scanning Container Directory Exclusion Summary
Vulnerability Scanning Container Directory Exclusion Summary Directories that store container image layers will be excluded by default from vulnerability scanning for Tenable Vulnerability Management, Security Center and Nessus. The directories that will be excluded are those configured for container storage by the container management solution. Docker: The "Docker Root Dir:" as returned by the "docker info" command. This is /var/lib/docker by default. Podman: The "graphRoot:" as returned by the "podman system info" command. This defaults to /var/lib/containers/storage. containerd: The "root =" directory as returned by the "containerd config dump" and "containerd config default commands. This location is /var/lib/containers/storage by default. CRI-O: The "storage graph root:" as returned by running "crio status info". This location is /var/lib/containers/storage by default. What is the impact? Vulnerabilities previously detected as a result of scanning these directories will become mitigated on the next scan and findings not returned in future scans. These findings are a result of examining the container image layers on the filesystem. The container may not necessarily be running and represent risk to your organization and customers generally consider these results as false positives since they are managed Docker deployments. Tenable Cloud Security is designed to secure container images and provide pre-deployment validation. Recursively scanning these directories is a resource and time consuming process. The exclusion of the directories may also result in decreased scan times. Can I override the change? You could add an Include Filepath rule to your scan configuration in order to override the default exclusion behavior. This may be found under the Scan Policy Advanced Options. A note of caution that overriding the default behavior could affect scan performance or give results that are unable to be remediated since within a managed container. In order to include a directory that is automatically excluded, the user include filepath has to match the excluded directly exactly. Example: If your Docker configuration uses /var/lib/docker for container storage you would add /var/lib/docker to your user filepath inclusions. Adding a more or less specific location will have no effect. What are the affected plugins? At the time of this release highlight publication, the following plugins are leveraging find: 142023 - Apache Cassandra Installed (Linux) 133766 - Apache Maven Installed (Linux / Unix) 135172 - Oracle NoSQL Database Installed (Linux) 117706 - MagniComp SysInfo Installed (Linux/UNIX) 111679 - FasterXML Jackson Databind Detection for Linux/UNIX 112063 - Kubernetes Installed (Linux) 136340 - nginx Installed (Linux/UNIX) 131566 - Atlassian Jira Installed (Unix / Linux) 147817 - Java Detection and Identification (Linux / Unix) 132771 - Palo Alto Cortex XSOAR Installed (Unix / Linux) 132872 - Foxit Reader Installed (Linux) 174788 - SQLite Local Detection (Linux) 151883 - Libgcrypt Installed (Linux/UNIX) 99671 - Apache Struts Detection for Linux/UNIX 156000 - Apache Log4j Installed (Linux / Unix) 141394 - Apache HTTP Server Installed (Linux) 71642 - Oracle Installed Software Enumeration (Linux / Unix) 156551 - Oracle MySQL Enterprise Monitor Installed (macOS) 124276 - Oracle Tuxedo Installed (Linux/UNIX) 73913 - Oracle WebLogic Server Detection 133962 - Sophos Anti-Virus Installed (Linux) 186361 - VMWare Tools or Open VM Tools Installed (Linux) 187057 - OwnCloud OwnCloud Installed (Linux) 70349 - Adobe Acrobat Installed (Mac OS X) 72202 - JBoss Detection 147022 - SAP Adaptive Server Enterprise (ASE) Installed (Linux) 163488 - Terraform Configuration Detection for Linux/UNIX 77028 - IBM Installation Manager Detection (Linux / Unix) 145032 - IBM WebSphere eXtreme Scale (Linux) 144633 - IBM MQ Server and Client Installed (Linux) 136341 - Dell EMC Data Protection Central Installed (Linux) 133964 - SELinux Status Check 159273 - Dockerfile Detection for Linux/UNIX 174164 - Google Protobuf Go Module Installed (Linux/UNIX) 158567 - Citrix Workspace App Installed (nix) 55420 - Adobe Reader Installed (Mac OS X) Target Release Date April 30, 2025Tenable Research is providing the following supporting...
Tenable Research is providing the following supporting information about the 31 NASL detection plugins and two WAS plugin recently released in response to a critical vulnerability reported in Log4j (Log4Shell). As a reminder, it is recommended that thorough_tests are enabled for all scans using these CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-45105 plugins. NASL plugins 156183 Apache Log4j 2.x < 2.17.0 DoS Version check for known vuln Log4j versions related to CVE-2021-45105 in Windows, Unix and Linux systems 156057 Apache Log4j 2.x < 2.16.0 Version check for known vuln Log4j versions related to CVE-2021-45046 in Windows, Unix and Linux systems 156165 Apache Log4j 2.x < 2.16.0 RCE Version check for known vuln Log4j versions related to CVE-2021-45046 in MacOS systems 156164 Apache Log4Shell CVE-2021-45046 Bypass Remote Code Execution - (Direct Check HTTP) Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks Delivers jndi:ldap crafted payloads including Session, JSession and PHPSession into the HTTP headers and then tracks the injection via DNS when the callback is made. Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens This plugin uses DNS (default port 53) for network communication. The following Apache Log4Shell CVE-2021-44228 Direct Checks share common techniques applied on different ports and protocols. They all share the following attributes: Direct Checks compatible with Tenable.io Cloud Scanners and restrictive networks Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens These plugins DNS (default port 53) for network communication. Delivers jndi:ldap crafted header script to select ports on a scan target and then tracks the injection via DNS when the callback is made CVE-2021-44228 direct check not requiring authentication 156669 Apache Log4Shell RCE detection via callback correlation (Direct Check - MSRPC) 156559 Apache Log4Shell RCE detection via callback correlation (Direct Check - RPCBIND) 156445 Apache Log4Shell RCE detection via callback correlation (Direct Check - PPTP) 156375 Apache Log4Shell RCE detection via callback correlation (Direct Check - UPnP) 156258 Apache Log4Shell RCE detection via callback correlation (Direct Check - NTP) 156257 Apache Log4Shell RCE detection via callback correlation (Direct Check - DNS) 156256 Apache Log4Shell RCE detection via callback correlation (Direct Check - SNMP) 156232 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMB) 156197 Apache Log4Shell RCE detection via callback correlation (Direct Check - NetBIOS) 156166 Apache Log4Shell RCE detection via callback correlation (Direct Check - SSH) 156162 Apache Log4Shell RCE detection via callback correlation (Direct Check - Telnet) 156158 Apache Log4Shell RCE detection via callback correlation (Direct Check - IMAP) 156157 Apache Log4Shell RCE detection via callback correlation (Direct Check - POP3) 156132 Apache Log4Shell RCE detection via callback correlation (Direct Check - SMTP) 156115 Apache Log4Shell RCE detection via callback correlation (Direct Check - FTP) 156056 Apache Log4Shell RCE detection via callback correlation (Direct Check - any open port) 156035 VMware vCenter Log4Shell (Direct Check HTTP) Delivers jndi:ldap crafted payloads into the HTTP header of VMWare vCenter applications installed on the remote host on a scan target and then tracks the injection via DNS when the callback is made 156017 Apache Log4Shell RCE detection via callback correlation (Direct Check - SIP) 156016 Apache Log4Shell RCE detection via Path Enumeration (Direct Check HTTP) 156014 Apache Log4Shell RCE detection via callback correlation (Direct Check HTTP) CVE-2021-44228 direct check not requiring authentication Direct Check compatible with Tenable.io Cloud Scanners and restrictive networks Injects payload into the HTTP headers and then tracks the injection via DNS when the callback is made Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens This plugin uses DNS (default port 53) for network communication. 155998 Apache Log4j Message Lookup Substitution RCE (Log4Shell) (Direct Check) CVE-2021-44228 direct check not requiring authentication Scanner sends jndi:ldap string to target and listens for LDAP BIND request from target It is not compatible with Tenable.io cloud scanners and may fail to return results in certain networks due to firewall rules or interference from other security devices. Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens This plugin uses ephemeral ports 50,000-60,000 for network communication 156001 Apache Log4j JAR Detection (Windows) Local Windows detection **recommend Thorough Tests** Checks running processes for Java instances running with Log4j in classpath and records the file paths Searches the file system for .jar files with known vuln Log4j filename matches (if thorough tests is enabled) 156000 Apache Log4j Installed (Unix) Local Linux detection Checks rpm packages for vulnerable Log4j matches (RedHat, Gentoo, SuSE, etc.) Search the file system paths for known vulnerable Log4j matches (if thorough tests is enabled) 155999 Apache Log4j < 2.15.0 Remote Code Execution Local Linux Detection (uses 156000) Version check for known vuln Log4j versions in Unix and Linux systems 156002 Apache Log4j < 2.15.0 Remote Code Execution Local Windows detection (uses 156001) Version check for known vuln Log4j versions in Windows systems 156032 EOL plugin for Log4j 1.x Apache Log4j version < 1.x End of Life / Unsupported Version Detection 156103 Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104) The version of Apache Log4j on the remote host is 1.2. It is, therefore, affected by a remote code execution vulnerability when specifically configured to use JMSAppender. WAS plugins 113075- Apache Log4j Remote Code Execution (Log4Shell) CVE-2021-44228 direct check not requiring authentication Inject payload into the HTTP headers, POST/GET values, XML, JSON, cookies, etc. and then track the injection via DNS when the callback is made Callback is needed given the nature of the vulnerability wherein the target / victim connects back to the host sending the original request and the host is vulnerable if the callback happens 113076- Apache Log4j Remote Code Execution (Log4Shell) CVE-2021-44228 WAS Log4Shell file detection plugin Scan the web application directories for known vulnerable version of the Log4j installation file and flag the host if found
CyberArk Client Certificate Authentication Issue Summary...
CyberArk Client Certificate Authentication Issue Summary Tenable has discovered an issue with our CyberArk Integration and its Client Certificate Authentication to the CyberArk CCP/AIM Web Service API. Customers that have deployed the CyberArk CCP component on Windows Server 2022+ have experienced unsuccessful attempts authenticating to the CCP/AIM Web Service API using Client Certificate Authentication with our CyberArk Integration. This is due to an issue with Windows Internet Information Services (IIS) and certificate authentication over TLS 1.3 and HTTP/2. Change Customers using a Windows Server 2022+ to host their CyberArk CCP must disable TLS v1.3 and HTTP/2 on the IIS manager in order to successfully use Tenable’s CyberArk Integrations that support Client Certificate Authentication. The following Microsoft article describes the issue. https://techcommunity.microsoft.com/blog/iis-support-blog/windows-server-2022-iis-web-site-tls-1-3-does-not-work-with-client-certificate-a/4129738 Impact There are no changes to the integration. Release Date IMMEDIATE
Include/Exclude Path and Tenable Utils Unzip added to Log4j Detection
Summary Tenable has updated the Apache Log4j detection plugins. The Windows plugin will now honor the Include/Exclude Filepath configuration option. The Linux/UNIX plugin will now use the version of ‘unzip’ supplied with the Nessus Agent, when enabled in the Agent’s configuration, and correctly inspect the MANIFEST.MF and pom.properties files. Change Before this update, plugin 156000, Apache Log4j Installed (Linux / Unix), would fail to detect Log4j in specific scan scenarios. The plugin uses several inspection methods to determine if a JAR file is a copy of Log4j. During Nessus Agent scans, as well as scans with ‘localhost’ as a target, the plugin was not properly executing the unzip command to inspect META-INF/MANIFEST.MF and pom.properties files in the JAR archive. If this method was the only option that would result in a successful detection, the copy of Log4j would not be detected properly. In addition, the plugin had failed to launch the unzip binary supplied with the Agent when inspecting files in JAR archives. Note: The Nessus Agent can be configured to use find and unzip binaries that it provides, instead of those supplied by the asset’s operating system. See https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Agent_Performance_Options for more information. Also before this update, plugin 156001, Apache Log4j JAR Detection (Windows), would fail to honor the directories included or excluded for full-disk searches configured in the Windows Include Filepath and Windows Exclude Filepath directives in the Advanced Settings of a scan config. Note: Configuration of these options is described in https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Windows_filesearchOptions. After this update, plugin 156000 will use the Agent-supplied copy of unzip when configured to do so. If this option is not enabled in the scan config, the plugin will use the existing method to find and execute an archive utility supplied by the asset’s operating system. In either case, the plugin will properly inspect Log4j’s MANIFEST.MF and pom.properties files as a version source. Plugin 156001 already properly inspects these files. Also after this update, plugin 156001’s Powershell code will now honor directories included or excluded by the Filepath directives. Plugin 156000 already supported this feature. Impact When scanning Linux / UNIX assets via 'localhost' (i.e. scanning the scanner itself) or with the Nessus Agent, additional Log4j instances from MANIFEST.MF or pom.properties sources may be reported. For Linux Nessus Agents with "Use Tenable supplied binaries for find and unzip" enabled and "Agent CPU Resource Control - Scan Performance Mode" set to Low, plugin 156000 will now properly limit CPU usage during scans. As noted in the product documentation, “Note: Setting your process_priority preference value to low could cause longer running scans. You may need to increase your scan-window timeframe to account for this value.” Customers should be aware of this configuration setting and potential changes to the results provided in the Log4J detection results. When scanning Windows targets, Log4j JAR files stored in paths specified in the Windows Exclude Filepath configuration will no longer be detected. Log4j JAR files stored in paths or drives specified in the Windows Include Filepath configuration that had not been previously scanned will now be detected, assuming they can be assessed before the plugin’s configured timeout has been reached. Plugins 156000 - Apache Log4j Installed (Linux / Unix) 156001 - Apache Log4j JAR Detection (Windows) Target Release Date September 1, 2025
🚨 Announcing: Tenable AI Exposure 🚨
AI platforms like ChatGPT Enterprise and Microsoft Copilot are boosting productivity, but they also expand your attack surface. AI Exposure, now in Tenable One, gives security teams the visibility and control they need to see, secure, and govern AI use across the organization. Tenable AI Exposure is currently available as a private customer preview for companies actively using ChatGPT Enterprise and/or Microsoft Copilot. If you are interested in joining this exclusive 120-day preview, please sign up through the form found on our product page. With AI Exposure, customers will be able to: Gain deep visibility into AI usage, including prompts, data flows, and risky interactions Identify misconfigurations or unsafe integrations that may expose sensitive data Monitor for AI-specific threats like prompt injection or other AI attacks Enable enforcement of organizational policies and governance standards for AI usage Deploy quickly without agents or disruptions in five minutes or less 🔍 To learn more about AI Exposure, visit our product page.Improved Printer Fingerprinting
Summary This document addresses an issue where network printers generate unnecessary prints when scanned, even with the "Don't Scan Printers" setting enabled. The fix involves improving the SNMP identification process for printers by falling back to default community strings and ports if an incorrect community string is initially configured. Background Currently, if a customer configures an incorrect SNMP v1/v2(c) community string for a device, Plugin ID 11933 / "Do not scan printers" fails to revert to using well-known, default SNMP v1/v2(c) community strings and ports, unlike other plugins. This failure can prevent accurate identification of network printers, leading to them being scanned and in some cases, may inadvertently queue print jobs on printers Impact The following assumes the user has enabled the "Do not scan printers" setting in their scan policy and the network printer is correctly identified as such: Potential Decrease in Reported Vulnerabilities: Network printers will be less heavily scanned, potentially leading to a decrease in reported vulnerabilities related to these devices. Slight Increase in Packet Traffic: There will be an increase of approximately three packets per host as the system attempts fallback SNMP connections. Printers Marked as "Dead": Network printers that are successfully identified via SNMP will be marked as "dead" and will not be scanned further. This change aims to enhance the effectiveness of identifying network printers using SNMP, thereby reducing unnecessary and potentially damaging traffic directed at these devices. The resulting decrease in reported vulnerabilities is an expected outcome, as identified printers will no longer be subjected to heavy scanning. Users can continue to scan network printers by enabling the "Scan Network Printers" setting under “Host Discovery -> Fragile Devices -> Scan Network Printers” in the scan policy. This ensures that printers are scanned and not marked as dead, irrespective of fingerprinting. Affected Plugins 11933 ( "Do not scan printers") Affected Scan Policy Settings Discovery -> Host Discovery -> Fragile Devices -> Scan Network Printers Tenable Security Center Tenable Vulnerability Management Tenable Nessus Target Release Date: Monday, September 15, 2025
September 2025 product newsletter
Greetings! Check out our September newsletter to learn about the latest product and research updates, upcoming and on-demand webinars and educational content — all to help you get more value from your Tenable solutions. NEW! Tenable AI Exposure We have officially launched the Tenable AI Exposure platform. This platform helps you see, secure and manage how your organization uses AI tools like ChatGPT Enterprise and Microsoft Copilot across your enterprise. Safeguard sensitive data, stop AI-driven attacks and establish governance for safe AI adoption. Be among the first to try it! Learn more and sign up for the private customer preview here. Tenable One August 2025 release: This month's release delivers faster insights, broader coverage and greater control over your exposure data. Release highlights: Dashboard enhancements: With daily data updates, new chart types and dedicated filters for CISA KEV and end-of-life software, Tenable One dashboards now make it easier to analyze specific risks, communicate impact and speed up response. Tenable On-Prem Connector: Install the Tenable On-Prem Connector to create a secure, encrypted connection to safely bring on-premises exposure data into Tenable One. Get the insights you need without putting your network at risk. Asset information source display: Deduplication in Tenable One is key to ensuring a clean, accurate view of each asset, without redundant information from multiple sources. With this release, the asset details screen now clearly displays the source that populates findings and property information, so your team fully understands and trusts asset data. Dynamic asset tagging: Define dynamic rule-based criteria that automatically apply tags to all Tenable One data for easier customization and greater control over tagging rules. This improvement enables smarter segmentation, precise asset management and deeper analysis across the platform. Explore all platform enhancements Tenable Connect Coming soon: Enhanced Support case experience We're excited to announce a new case creation and management experience. This release will streamline how you open and track cases while leveraging Generative AI to improve search and help you find answers faster. Stay tuned for enablement resources posted within Tenable Connect to maximize this new functionality. Tenable Cloud Security Reminder: Tenable Cloud Security requires that you log in to view documentation and release notes. To try/see the product, contact your account manager – or request a demo. Read all about it: New Tenable white paper by Analyst IDC: “Bridging cloud security and exposure management for unified risk reduction.“ This commissioned piece explores the value of exposure management and Tenable strengths. White paper • Blog Featuring fintech customer Snoop. We are honored to share the Tenable story of Snoop, using CIEM and JIT to enforce least privilege. Video [Want to tell your Tenable story? Let your Tenable rep know. We’d love to capture it!] Security alert: Tenable Research detected a supply chain attack in certain Nx build system packages that exfiltrated secrets to GitHub. GitHub has disabled the repos, yet compromised versions may persist. We’ve flagged any affected packages in your Tenable Console (Vulnerability ID: GHSA-cxm3-wv7p-598c). Act now: Update packages and rotate exposed secrets. Platform: Default Home and Favorite dashboards. Set a default Home dashboard to see your most important security insights first, and mark frequently used dashboards as Favorites for instant access. Benefit: These usability updates let you focus on what matters most in your workflow so you can work faster, make informed decisions and keep pace as the platform adapts to your needs. Japanese language support is here. You can now navigate the full Tenable Cloud Security Console in Japanese (switch via your profile menu), and access our documentation portal in Japanese for a smoother, more localized experience. Benefit: Japanese customers are the first to benefit from our new language infrastructure, designed to accelerate the rollout of additional languages. Watch this space! CWP: Workload Protection Clusters filter and column. Identify vulnerable clusters and all related vulnerabilities more easily. (The column is hidden by default.) Resolved filter. In the Workload > Vulnerabilities table, quickly display only vulnerabilities marked as resolved. Benefit: Get clear visibility into cluster-level risks and easily distinguish open from resolved issues to streamline vulnerability management and save time. CSPM: New and updated security best practice support Tenable now supports AWS Foundational Security Best Practices, CIS Azure 2.0, CIS Kubernetes 1.8 and CIS OpenShift 1.5. Benefit: Stay ahead of evolving threats and strengthen your security posture across cloud and container environments. Up-to-date best practices simplify compliance, reduce risk and make it easier to consistently implement proven security controls. DSPM: AWS RDS support for Oracle Data protection scanning is now available for Oracle on AWS RDS, for both Enterprise and Standard license holders. Benefit: Extend visibility into sensitive data stored in Oracle RDS to improve protection and compliance across more of your cloud database environments. Tenable Identity Exposure Tenable Identity Exposure uncovers Storm-0501's cloud identity threats: Financially motivated threat actor Storm-0501 is advancing cloud-based ransomware and hybrid identity compromises to move seamlessly between on-premises Active Directory (AD) and Microsoft Entra ID. Tactics include initial identity exploitation that compromises AD and abuses non-human synced Global Admin accounts in Entra ID, along with malicious persistence, where they establish backdoors by adding rogue federated domains with tools like AADInternals to gain persistent access and impersonation capabilities. Attacker tactic How Tenable Identity Exposure prevents it Initial compromise Flags high-privilege, improperly synced Entra ID accounts from on-prem AD, a configuration Microsoft advises against. MFA bypass Identifies critical, privileged accounts missing MFA, one of the most exploited gaps in hybrid identity attacks. Malicious persistence Detects backdoor federated domains and anomalous signing certificates using multiple indicators of exposure (IOEs), including: Known Federated Domain Backdoor, Federation Signing Certificates Mismatch, Unusual Federation Certificate Validity, Federated Domains List for verification against legitimate IDPs. Tenable Identity Exposure continuous monitoring of IoEs uncovers and aids remediation of critical identity risks before groups like Storm-0501 can exploit them. Tenable Identity Exposure documentation. Tenable Vulnerability Management Streamline ACSC Essential 8 compliance with new dashboards Simplify and strengthen your Essential 8 reporting with Tenable’s new ASD Essential 8 dashboards. These dashboards take your risk-mitigation SLAs to the next level, giving you a clear, real-time view of progress toward ACSC Essential 8 compliance. Quickly spot gaps, track patching and remediation efforts, and demonstrate measurable risk reduction. Monitor internet-facing assets, ensure critical applications are patched, and confidently report on SLA performance, all in one place. Explore the resources to get started: Applying Tenable’s risk-based VM to the ACSC Essential 8 ASD Essential 8 – Patch Applications dashboard ASD Essential 8 – Internet-Facing Assets dashboard Tenable Security Center Critical security patch 202508.1 now available Protect your Security Center deployment with the new patch 202508.1, which fixes critical third-party vulnerabilities in Apache, PHP and SQLite, including CVE-2025-23048, a critical Apache flaw. The update applies to versions 6.4 through 6.6 and must be installed manually. If you’re running 6.5.0, upgrade to 6.5.1 before applying it. For full details, see the release notes, security advisory, and download the patch; this update will be included in future Security Center releases. Tenable OT Security What's new in Tenable OT Security 4.4 The latest version is now available. It introduces several new features and enhancements to improve visibility, streamline workflows, and expand coverage across your industrial environment. OT asset tag data synchronization: Asset tags you create in Tenable OT Security will sync with Tenable One and Tenable Security Center to integrate OT context directly into your enterprise-wide reporting and security workflows. Policy violations dashboard: A redesigned view aggregates disparate alerts and events (e.g. unauthorized access, configuration changes) into unified and actionable Policy Violations to significantly reduce alert fatigue so you can focus on remediating your most critical exposures. Check out this guided demo to see it in action! PLC product file imports: Import PLC project files (starting with Rockwell Automation) to enrich your asset inventory. This provides deep visibility on live or sensitive OT devices without performing active queries. Merge assets: A new workflow helps you find and merge duplicate asset entries for a cleaner and more accurate OT asset inventory. Foxboro DCS support: Gain visibility into Foxboro Distributed Control Systems to extend security monitoring into complex industrial environments. VXLAN support: Analyze network traffic within Virtual Extensible LANs (VXLAN) to monitor assets and activity in modern virtualized data centers. Multi-interface sensor configuration: A simplified workflow allows a single sensor to simultaneously listen on multiple network interfaces to reduce deployment time and complexity. Review the release notes to learn more about what’s new in this release and how to upgrade. Tenable Nessus Reminder: End of support for Terrascan in all Nessus versions Tenable announced the End of Life for Terrascan in Nessus. The last day to download the affected product(s) is Sept. 30, 2025. Customers will receive continued support through the Last Date of Support. For more information, please refer to the bulletin announcement. Reminder: Nessus 10.9 is generally available Nessus 10.9 introduces several key features to empower your security teams, including offline web application scanning in Nessus Expert. For more information, see the Nessus 10.9 release notes and Nessus 10.9 User Guide. You can also view this announcement under Product Announcements in Tenable Connect. Tenable Training and Product Education Connectors added to Tenable One Intro course The updated Introduction to Tenable One course in Tenable University now shows you how to connect third-party security tools to the exposure management platform, to give you a unified view of risk across your entire attack surface. This no-cost training is open to customers, partners, prospects and the public. Start learning today at Tenable University. Tenable webinars Tune in for product updates, demos, how-to advice and Q&A. See all upcoming live and on-demand webinars at https://www.tenable.com/webinars. Live Oct 1, 2025: Beyond the endpoint: Exposure management that’s proactive. Why endpoint-first vulnerability management isn’t enough. Oct. 7, 2025: Nessus customer update. Troubleshooting common Nessus issues. Oct. 8, 2025: Tenable Vulnerability Management customer update. Operationalizing AI Aware to discover Shadow AI in your environment. Oct. 9, 2025: Tenable One customer update. Identity security in an exposure management program. Oct. 10, 2025: Tenable Security Center customer update. In-depth guide to user roles and permissions. On-demand September Tenable Nessus customer update: From the ground up – building a custom scan policy in Nessus. September Tenable Vulnerability Management customer update: Using Nessus agents in Tenable Vulnerability Management. September Tenable One customer update: Introducing AI Exposure, and other topics. September Tenable Security Center customer update: Answering the CISO – a guide to Assurance Report Cards. Ecosystem view of risk: Integrate cloud security with your security stack. Customer office hours These are recurring ask-me-anything sessions for Tenable Security Center, Tenable Vulnerability Management, Tenable Cloud Security, Tenable Identity Exposure and Tenable OT Security. Time-zone-appropriate sessions are available for the Americas, Europe (including the Middle East and Africa and Asia Pacific (APJ). Learn more and register here.
Vendor Unpatched Vulnerability Coverage Summary Tenable is...
Vendor Unpatched Vulnerability Coverage Summary Tenable is making fundamental improvements to reporting findings for vulnerabilities that do not have a patch available from the vendor (Vendor Unpatched Vulnerabilities). Customers can now scan for Red Hat Enterprise Linux, Ubuntu, and Debian Linux vulnerabilities that do not have a patch available. Impact Customers who opt-in to scanning for Vendor Unpatched Vulnerabilities by adding the “Scan for unpatched vulnerabilities (no patched or mitigations available)” setting to their scan policy will be able to scan for this class of vulnerability. Tenable will publish a plugin for each CVE with a vulnerability without a patch in any affected and supported operating systems. At this time, Red Hat Enterprise Linux, Ubuntu, and Debian Linux are supported for this feature. Should one or more of the vendors release a patch for one or more of the affected packages, the relevant check(s) will be removed from the plugin; if no checks remain, the plugin will be deprecated. Since the information provided by the vendor does not include which versions of a given package are affected, the checks simply test for the presence of the affected package at any version. The initial feature release will contain approximately 6,000 plugins. As these plugins are released, they will be reflected in the Plugin Search results page here. Due to the large number of plugins being released during this initial cycle, customers will experience a significant plugin feed differential. Target Release Date March 4, 2025Find & Unzip Execution Options Summary Instead of...
Find & Unzip Execution Options Summary Instead of running native OS commands of “find” and “unzip”, plugins will use binaries included within the plugin feed for agent-based scanning. This allows CPU consumption to be controlled for the Tenable Nessus Agent for the ‘find’ command. This change will not affect or limit memory consumption. An additional benefit is that if ‘find’ or ‘unzip’ are not found natively on the OS, using from the feed allows full plugin execution with these commands to continue. What is the impact? The change should be transparent to customers and no action is required to be taken except for new scans if you’d like to opt-in to this feature. New Scans Be aware if you have adjusted the Agent CPU settings of Scan Performance to a setting other than the default, which is High, the resulting scan findings may be different than previous scans with the same configuration. This is because the scan may experience timeouts in finding files due to the lower CPU resources. See the next section for how to opt-in to the change, if desired. Existing Scans This change will not apply. The native OS binaries will continue to be used and not subject to Tenable Nessus Agent CPU control settings. PCI-DSS Scans This change will not apply. The native OS binaries will continue to be used and not subject to Tenable Nessus Agent CPU control settings. Due to the PCI-DSS standard requirements, the most complete scan results are required for reporting. Audits Due to the need for thorough and complete results, Audits do not leverage the find or unzip binaries from the Tenable feed. How do I opt-in to the change? An advanced setting within the scan configuration will allow customers to opt-in to using the binaries from the feed. By default, native OS commands will run for ‘find’ and ‘unzip’ as before. Please note, these commands are not subject to agent CPU constraints. For PCI scanning and existing scans, the scan template setting will be not visible and the scanning behavior will be equivalent to opting-out. What are the affected plugins? At the time of this release highlight publication, the following plugins are leveraging find or unzip: Find 142023 - Apache Cassandra Installed (Linux) 133766 - Apache Maven Installed (Linux / Unix) 135172 - Oracle NoSQL Database Installed (Linux) 117706 - MagniComp SysInfo Installed (Linux/UNIX) 111679 - FasterXML Jackson Databind Detection for Linux/UNIX 112063 - Kubernetes Installed (Linux) 136340 - nginx Installed (Linux/UNIX) 131566 - Atlassian Jira Installed (Unix / Linux) 147817 - Java Detection and Identification (Linux / Unix) 132771 - Palo Alto Cortex XSOAR Installed (Unix / Linux) 132872 - Foxit Reader Installed (Linux) 174788 - SQLite Local Detection (Linux) 151883 - Libgcrypt Installed (Linux/UNIX) 99671 - Apache Struts Detection for Linux/UNIX 156000 - Apache Log4j Installed (Linux / Unix) 141394 - Apache HTTP Server Installed (Linux) 71642 - Oracle Installed Software Enumeration (Linux / Unix) 156551 - Oracle MySQL Enterprise Monitor Installed (macOS) 124276 - Oracle Tuxedo Installed (Linux/UNIX) 73913 - Oracle WebLogic Server Detection 133962 - Sophos Anti-Virus Installed (Linux) 186361 - VMWare Tools or Open VM Tools Installed (Linux) 187057 - OwnCloud OwnCloud Installed (Linux) 70349 - Adobe Acrobat Installed (Mac OS X) 72202 - JBoss Detection 147022 - SAP Adaptive Server Enterprise (ASE) Installed (Linux) 163488 - Terraform Configuration Detection for Linux/UNIX 77028 - IBM Installation Manager Detection (Linux / Unix) 145032 - IBM WebSphere eXtreme Scale (Linux) 144633 - IBM MQ Server and Client Installed (Linux) 136341 - Dell EMC Data Protection Central Installed (Linux) 133964 - SELinux Status Check 159273 - Dockerfile Detection for Linux/UNIX 174164 - Google Protobuf Go Module Installed (Linux/UNIX) 158567 - Citrix Workspace App Installed (nix) 55420 - Adobe Reader Installed (Mac OS X) Unzip 193884 - CrushFTP Server Installed (Linux / Unix) 130175 - Apache Tomcat Local Detection 166230 - Apache Commons Text JAR Detection 176069 - Potix ZK Framework Installed (Linux) 130595 - Jenkins Installed (Linux) 123005 - Spring Framework JAR Detection 156000 - Apache Log4j Installed (Linux / Unix) 192571 - Fortra FileCatalyst Direct Server Installed (Linux / Unix) 72202 - JBoss Detection 134049 - Spring Projects Linux Detection 185488 - IBM WebSphere Application Server Liberty Installed (Linux / Unix) 170106 - TIBCO JasperReports Library JAR Detection Target Release Date July 9, 2024 - Tenable Vulnerability Management and Nessus July 15, 2024 - Tenable Security Center
