Component Installs Require Paranoid Checks
Summary With this update, products that are deemed to be components of another application, will now require the scan to be run in paranoid mode to trigger generic vulnerability detection plugins. In this context, “generic vulnerability detection plugins” refers to plugins that cover advisories published by the component vendor (e.g., plugin ID 242325, SQLite < 3.50.2 Memory Corruption) rather than the operating system or “parent” application that distributes the component, either as a part of the operating system or a dependent tool of the parent application. Overview Tenable covers software that can be either installed as base level software, or be included as component software of a larger product installation. Base level software can be updated without any impact to the base product functionality. Component software is typically updated as part of the vendor update for the larger packaged product, and the individual components are not updatable. Non-paranoid scans will report base software vulnerabilities that are actionable. Paranoid scans will report on base software vulnerabilities as well component software vulnerabilities that are not actionable, but still package a potentially vulnerable version of the component. To enhance the accuracy of our vulnerability detection and provide users with greater control over scan results, we are implementing an update affecting how we flag vulnerabilities in software components. Our detection plugins for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules can now identify when these packages are installed as components of another parent application (e.g., SQLite bundled with Trend Micro’s Deep Security Agent), rather than as standalone installs. Key Changes: Non-Paranoid Scans: Scans running in the default mode will no longer flag generic vulnerability detection plugins for these component installs. This is because vulnerabilities in components generally cannot be patched directly; users must wait for the parent application's vendor to issue an update. OS Vendor Advisories Unaffected: This change does not affect plugins for OS vendor security advisories that cover the same vulnerabilities (e.g., plugin ID 243452, RHEL 9 : sqlite (RHSA-2025:12522)). Paranoid Scans: For scans running in paranoid mode, generic vulnerability detection plugins will still trigger for component installs if the detected version is lower than the expected fixed version. Expected Impact: Customers running non-paranoid scans should anticipate seeing a reduction in potential vulnerability findings for OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, SQLite, PHP, Python packages and Node.js modules that are installed as components. Technical Details: The changes are entirely contained within two shared libraries, vcf.inc and vdf.inc, utilized by the affected plugins. This update impacts approximately 750 plugins specific to OpenSSL, Curl, LibCurl, Apache HTTPD, Apache Tomcat, and SQLite. Targeted Release Date: TBD
New CIS Debian Audit Files Summary Customers can now...
New CIS Debian Audit Files Summary Customers can now measure compliance against the latest release of the Debian Linux 11 Benchmark from CIS with the new CIS Debian Linux 11 v1.0.0 audits. These audits have been certified through CIS and can be viewed along with Tenable's other certified products at https://www.cisecurity.org/partner/tenable. Tenable Audit Files CIS Debian Linux 11 v1.0.0 - Level 1 Server CIS Debian Linux 11 v1.0.0 - Level 2 Server CIS Debian Linux 11 v1.0.0 - Level 1 Workstation CIS Debian Linux 11 v1.0.0 - Level 2 Workstation The audits can be downloaded from the Tenable Audits Portal Target Release Date Immediate
Node.js Module Enumeration Detection Updates
Summary Tenable has updated the Node.js module enumeration plugins to reduce false positives and to better identify vulnerabilities when multiple packages are present on the scan target. Change Before this update, the Node.js module enumeration plugins did not attempt to associate detected packages with an RPM or DEB package managed by the Linux distribution. This would cause some packages to report vulnerabilities both based on a Linux distribution vendor’s advisory and a CVE advisory from the Node.js module maintainer. In addition, some Node.js installations on macOS that originated from third-party package managers, or from source, were not detected by the Node.js detection plugin. This would prevent the Node.js module enumeration plugin from running on those macOS assets. In some cases, a large volume of Node.js modules detected would cause the enumeration plugin to crash when attempting to report the list of modules in plugin output. After this update, these issues have been addressed. Vulnerable Node.js modules on Linux assets will be assessed to determine if they are managed by a Linux distribution’s package manager, and if so, will be marked as “Managed” and will not report a vulnerability, unless the Show potential false alarms setting is enabled for the scan. Node.js installs on Windows and macOS that were not previously detected due to the installation method will now be detected, and their installed modules will be enumerated. The module enumeration plugins will no longer report the list of detected modules in plugin output; rather, they will use only internal storage mechanisms to record the detected modules, so that Node.js vulnerability plugins can continue to use that data for version checks. Impact Most customers will notice a reduction in the volume of Node.js module vulnerabilities reported. Some Windows and macOS scan results may show an increase in detected vulnerabilities if Node.js was not previously detected based on the installation method. If a large number of modules is present on a scan target and had previously caused the plugin to malfunction and report no vulnerabilities, those targets may show previously unreported vulnerabilities, as the module enumeration plugin would now complete and allow the vulnerability plugins to execute. Plugins affected 200172 - Node.js Modules Installed (Windows) 179440 - Node.js Modules Installed (macOS) 178772 - Node.js Modules Installed (Linux) 110839 - Node.js Installed (Windows) 142903 - Node.js Installed (macOS) Target Release Date January 5, 2026Various Oracle Products: Patch Mapping Improvements
Summary Improvements have been made to how Nessus plugins determine the installed version of the following Oracle products: Oracle Business Process Management Oracle Business Intelligence Publisher Oracle Business Intelligence Enterprise Edition Oracle Analytics Server Oracle GoldenGate How Patch Mapping Works for these Oracle products Prior to these improvements, the product version was determined by mapping installed patch IDs to a version number based on a lookup/mapping table that we maintain and ship to scanners as part of the feed. Installed patches for most Oracle products, including Enterprise Manager Cloud Control and Agent, are enumerated in one of two possible ways: Linux Local Detections: oracle_enum_products_nix.nbin (plugin ID 71642, requires SSH credentials) Windows Local Detections: oracle_enum_products_win.nbin (plugin ID 71643, requires SMB credentials) Problem This process alone is sometimes problematic, as Oracle releases their patches in stages or sometimes outside of the regular CPU cadence. As our mapping table is manually maintained, some patches are not mapped in time for vulnerability plugin releases, which is a semi-automated process. We have had several instances where our mapping table was not updated in a timely manner - either because Oracle released a new patch ID in an out of band cycle or they released a patch ID that we do not have visibility on. If our scan fails to identify a patch ID that exists in our mapping table, only the base version is reported (e.g. 13.5.0.0.0), possibly resulting in False Positive findings. Improvements We have identified additional methods of determining the version number, including the patch level, without depending solely on the mapping tables. These Oracle detection plugins (see “Impacted Plugins” section below) will now attempt to determine the current patch version based on the Tenable managed static mapping table and also by parsing the description of the patches. Expected Impact Improved accuracy in version detections for these Oracle products, resulting in fewer false positives in downstream vulnerability detection plugins. Impacted Plugins 172516 - oracle_analytics_server_installed.nbin 123684 - oracle_goldengate_installed.nbin 76708 - oracle_bi_publisher_installed.nbin 136765 - oracle_bpm_installed.nbin 170905 - oracle_business_intelligence_enterprise_edition_installed.nbin All Oracle vulnerability plugins dependant upon the individual plugins listed above. Targeted Release Date Tuesday 18 and Wednesday 19 November 2025.Python Package Enumeration - Detection Updates
Summary Tenable has updated the Python package enumeration plugins to reduce false positives and to better identify vulnerabilities when multiple packages are present on the scan target. Change Before this update, the Python package enumeration plugins did not attempt to associate detected packages with an RPM or DEB package managed by the Linux distribution. This would cause some packages to report vulnerabilities both based on a Linux distribution vendor’s advisory and a CVE advisory from the Python package maintainer. In addition, some Python packages present through symbolic links (“symlinks”) on a scan target’s filesystem would report as separate files, instead of a single actual file. Finally, some vulnerability plugins did not correctly report when multiple vulnerable Python packages were present on a scan target. After this update, these issues have been addressed. Vulnerable Python packages on Linux assets will be assessed to determine if they are managed by a Linux distribution’s package manager, and if so, will be marked as “Managed” and will not report a vulnerability, unless the Show potential false alarms setting is enabled for the scan. Vulnerable Python packages detected will be assessed to determine if they are files or symlinks, and only the actual file will be reported. However, if multiple actual files are present, vulnerability detection plugins will correctly report all instances. Impact Most customers will notice a reduction in the volume of Python package vulnerabilities reported. Some scan results may show an increase in detected vulnerabilities if multiple independent installs of a Python package are present on a scan target, but this is much less likely. Detection plugins 181215 Python Installed Packages (Windows) 164122 Python Installed Packages (Linux/UNIX) 186173 Apache Superset Installed (Linux / Unix) 196906 AI/LLM Software Report 171433 Apache Airflow Installed (Linux / Unix) 201192 Horovod Detection 198067 Intel Neural Compressor Library Detection 201189 Keras Detection 201190 NumPy Detection 205587 H2O Detection 205584 LangChain Detection 205585 LLama.cpp Python Bindings Detection 206880 MLflow Detection 205586 OpenAi Detection 214312 AWS RedShift Python Connector Detection 205590 Seaborn Detection 205589 Tensorboard Detection 205588 Theano Detection 237200 Tornado Detection 206027 ZenML Detection 200977 PyTorch Detection 201193 Ray Dashboard Detection 201191 Scikit-learn Detection 195192 TensorFlow Detection 195203 Microsoft Azure Command-Line Interface (CLI) Installed (Linux) 208299 DeepSpeed Detection 208127 AIM Detection 208134 BentoML Detection 208126 Google AI Platform (VertexAI SDK) Detection 213710 Gradio Detection 208129 H2O-3 Detection 208135 H2OGPT Detection 208137 Kedro Detection 241433 Model Context Protocol (MCP) Detection 208131 MLRun Detection 208132 Neptune AI SDK Detection 208140 Ollama Detection 208136 Prefect Detection 208139 PySpark Detection 208138 Microsoft RD-Agent Detection 208141 Tensorflow-hub Detection 208130 NVIDIA TensorRT Detection 208133 Weights & Biases Detection 208128 Weights & Biases Weave Detection Vulnerability plugins 210056 NumPy 1.9.x < 1.21.0 Buffer Overflow 210055 NumPy < 1.22.0 Vulnerability - CVE-2021-34141 210057 NumPy < 1.22.2 Null Pointer Dereference 210054 NumPy < 1.19 DoS 213084 Pandas DataFrame.query Code Injection (Unpatched) 211464 torchgeo Python Library < 0.6.1 RCE 192941 Dnspython < 2.6.0rc1 DoS 193912 aioHTTP < 3.9.4 XSS 211644 aioHTTP 3.10.6 < 3.10.11 Memory Leak 211645 aioHTTP < 3.10.11 Request Smuggling 206721 Jupyterlab Python Library < 3.6.8 / 4.0 < 4.2.5 (CVE-2024-43805) 206977 LangChain Experimental Python Library <= 0.0.14 (CVE-2023-44467) 206722 Jupyter Notebook Python Library 7.0.0 < 7.2.2 (CVE-2024-43805) 212710 Pdoc Python Library <= 14.5.1 (CVE-2024-38526) 187972 PyCryptodome < 3.19.1 Side Channel Leak 193202 PyMongo < 4.6.3 Out-of-bounds Read 213287 python-libarchive Python Library <= 4.2.1 Directory Traversal (CVE-2024-55587) 204790 Python Library Certifi < 2024.07.04 Untrusted Root Certificate 206676 Python Library Django 4.2.x < 4.2.16 / 5.0.x < 5.0.9 / 5.1.x < 5.1.1 Multiple Vulnerabilities 214945 Python Library Django 4.2.x < 4.2.18 / 5.0.x < 5.0.11 / 5.1.x < 5.1.5 DoS 237889 Python Library Django 4.2.x < 4.2.22 / 5.1.x < 5.1.10 / 5.2.x < 5.2.2 Log Injection 194476 SAP BTP Python Library sap-xssec < 4.1.0 Privilege Escalation 200807 urllib3 Python Library < 1.26.19, < 2.2.2 (CVE-2024-37891) 242322 aioHTTP < 3.12.14 Request Smuggling (CVE-2025-53643) 234572 Microsoft Azure Promptflow Python Library promptflow-core < 1.17.2 RCE 234573 Microsoft Azure Promptflow Python Library promptflow-tools < 1.6.0 RCE 241329 Python Library Pillow 11.2.x < 11.3.0 Write Buffer Overflow Target Release Date November 10, 2025
Fudo Security API v2 Compatibility
Summary Tenable is proud to announce compatibility with Fudo API v2. Customers now have the option to use both the API v2 and API v1 of the Fudo Security Privileged Access Management (PAM) solution. The API v2 uses API key authentication and not username and password, so customers using the integration credential now have a field for API URL and API Key. Further information regarding these changes and other helpful configuration tips for scans can be found by following the provided link to the FUDO section of Tenable's documentation page. Impact Existing scan configurations remain unaffected. Customers utilizing the integration will observe that the integration collects identical information, irrespective of the API version employed. Target Release Date 09/16/2025 for TVM and Nessus, TBD for SCImproved Printer Fingerprinting
Summary This document addresses an issue where network printers generate unnecessary prints when scanned, even with the "Don't Scan Printers" setting enabled. The fix involves improving the SNMP identification process for printers by falling back to default community strings and ports if an incorrect community string is initially configured. Background Currently, if a customer configures an incorrect SNMP v1/v2(c) community string for a device, Plugin ID 11933 / "Do not scan printers" fails to revert to using well-known, default SNMP v1/v2(c) community strings and ports, unlike other plugins. This failure can prevent accurate identification of network printers, leading to them being scanned and in some cases, may inadvertently queue print jobs on printers Impact The following assumes the user has enabled the "Do not scan printers" setting in their scan policy and the network printer is correctly identified as such: Potential Decrease in Reported Vulnerabilities: Network printers will be less heavily scanned, potentially leading to a decrease in reported vulnerabilities related to these devices. Slight Increase in Packet Traffic: There will be an increase of approximately three packets per host as the system attempts fallback SNMP connections. Printers Marked as "Dead": Network printers that are successfully identified via SNMP will be marked as "dead" and will not be scanned further. This change aims to enhance the effectiveness of identifying network printers using SNMP, thereby reducing unnecessary and potentially damaging traffic directed at these devices. The resulting decrease in reported vulnerabilities is an expected outcome, as identified printers will no longer be subjected to heavy scanning. Users can continue to scan network printers by enabling the "Scan Network Printers" setting under “Host Discovery -> Fragile Devices -> Scan Network Printers” in the scan policy. This ensures that printers are scanned and not marked as dead, irrespective of fingerprinting. Affected Plugins 11933 ( "Do not scan printers") Affected Scan Policy Settings Discovery -> Host Discovery -> Fragile Devices -> Scan Network Printers Tenable Security Center Tenable Vulnerability Management Tenable Nessus Target Release Date: Monday, September 15, 2025Include/Exclude Path and Tenable Utils Unzip added to Log4j Detection
Summary Tenable has updated the Apache Log4j detection plugins. The Windows plugin will now honor the Include/Exclude Filepath configuration option. The Linux/UNIX plugin will now use the version of ‘unzip’ supplied with the Nessus Agent, when enabled in the Agent’s configuration, and correctly inspect the MANIFEST.MF and pom.properties files. Change Before this update, plugin 156000, Apache Log4j Installed (Linux / Unix), would fail to detect Log4j in specific scan scenarios. The plugin uses several inspection methods to determine if a JAR file is a copy of Log4j. During Nessus Agent scans, as well as scans with ‘localhost’ as a target, the plugin was not properly executing the unzip command to inspect META-INF/MANIFEST.MF and pom.properties files in the JAR archive. If this method was the only option that would result in a successful detection, the copy of Log4j would not be detected properly. In addition, the plugin had failed to launch the unzip binary supplied with the Agent when inspecting files in JAR archives. Note: The Nessus Agent can be configured to use find and unzip binaries that it provides, instead of those supplied by the asset’s operating system. See https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Agent_Performance_Options for more information. Also before this update, plugin 156001, Apache Log4j JAR Detection (Windows), would fail to honor the directories included or excluded for full-disk searches configured in the Windows Include Filepath and Windows Exclude Filepath directives in the Advanced Settings of a scan config. Note: Configuration of these options is described in https://docs.tenable.com/vulnerability-management/Content/Scans/AdvancedSettings.htm#Windows_filesearchOptions. After this update, plugin 156000 will use the Agent-supplied copy of unzip when configured to do so. If this option is not enabled in the scan config, the plugin will use the existing method to find and execute an archive utility supplied by the asset’s operating system. In either case, the plugin will properly inspect Log4j’s MANIFEST.MF and pom.properties files as a version source. Plugin 156001 already properly inspects these files. Also after this update, plugin 156001’s Powershell code will now honor directories included or excluded by the Filepath directives. Plugin 156000 already supported this feature. Impact When scanning Linux / UNIX assets via 'localhost' (i.e. scanning the scanner itself) or with the Nessus Agent, additional Log4j instances from MANIFEST.MF or pom.properties sources may be reported. For Linux Nessus Agents with "Use Tenable supplied binaries for find and unzip" enabled and "Agent CPU Resource Control - Scan Performance Mode" set to Low, plugin 156000 will now properly limit CPU usage during scans. As noted in the product documentation, “Note: Setting your process_priority preference value to low could cause longer running scans. You may need to increase your scan-window timeframe to account for this value.” Customers should be aware of this configuration setting and potential changes to the results provided in the Log4J detection results. When scanning Windows targets, Log4j JAR files stored in paths specified in the Windows Exclude Filepath configuration will no longer be detected. Log4j JAR files stored in paths or drives specified in the Windows Include Filepath configuration that had not been previously scanned will now be detected, assuming they can be assessed before the plugin’s configured timeout has been reached. Plugins 156000 - Apache Log4j Installed (Linux / Unix) 156001 - Apache Log4j JAR Detection (Windows) Target Release Date September 1, 2025Excluding the SUSE Linux Snapshots directory from Language Library enumeration
Summary The “language library” enumeration plugins will now exclude SUSE Linux’s snapshots directory when searching the filesystem. Change Before the update, when enumerating “language libraries” - such as Python packages, Node.js modules, etc. - on SUSE Linux hosts that use btrfs as their filesystem, reduced scan performance was observed. This is because btrfs creates and maintains snapshots in the /.snapshots directory, which can contain multiple redundant copies of files. This caused unnecessary processing on thorough scans. After the update, this snapshots directory has been excluded from searches executed by the find command for language library enumeration plugins on SUSE Linux. Impact This change is expected to improve the performance of scans on SUSE Linux assets. If language libraries were present in snapshots directory, they will no longer show up in Tenable scan results, along with any associated vulnerabilities. If customers would like to scan the snapshots directory, the "Include Filepath" option in the Advanced Scan Settings configuration can be used to force the scanning of these paths. Plugins 178772 - Node.js Modules Installed (Linux / Unix) 190687 - NuGet Installed Packages (Linux / Unix) 164122 - Python Installed Packages (Linux / Unix) 207584 - Ruby Gem Modules Installed (Linux / Unix) Target Release Date September 3, 2025Vulnerability Scanning Container Directory Exclusion Summary
Vulnerability Scanning Container Directory Exclusion Summary Directories that store container image layers will be excluded by default from vulnerability scanning for Tenable Vulnerability Management, Security Center and Nessus. The directories that will be excluded are those configured for container storage by the container management solution. Docker: The "Docker Root Dir:" as returned by the "docker info" command. This is /var/lib/docker by default. Podman: The "graphRoot:" as returned by the "podman system info" command. This defaults to /var/lib/containers/storage. containerd: The "root =" directory as returned by the "containerd config dump" and "containerd config default commands. This location is /var/lib/containers/storage by default. CRI-O: The "storage graph root:" as returned by running "crio status info". This location is /var/lib/containers/storage by default. What is the impact? Vulnerabilities previously detected as a result of scanning these directories will become mitigated on the next scan and findings not returned in future scans. These findings are a result of examining the container image layers on the filesystem. The container may not necessarily be running and represent risk to your organization and customers generally consider these results as false positives since they are managed Docker deployments. Tenable Cloud Security is designed to secure container images and provide pre-deployment validation. Recursively scanning these directories is a resource and time consuming process. The exclusion of the directories may also result in decreased scan times. Can I override the change? You could add an Include Filepath rule to your scan configuration in order to override the default exclusion behavior. This may be found under the Scan Policy Advanced Options. A note of caution that overriding the default behavior could affect scan performance or give results that are unable to be remediated since within a managed container. In order to include a directory that is automatically excluded, the user include filepath has to match the excluded directly exactly. Example: If your Docker configuration uses /var/lib/docker for container storage you would add /var/lib/docker to your user filepath inclusions. Adding a more or less specific location will have no effect. What are the affected plugins? At the time of this release highlight publication, the following plugins are leveraging find: 142023 - Apache Cassandra Installed (Linux) 133766 - Apache Maven Installed (Linux / Unix) 135172 - Oracle NoSQL Database Installed (Linux) 117706 - MagniComp SysInfo Installed (Linux/UNIX) 111679 - FasterXML Jackson Databind Detection for Linux/UNIX 112063 - Kubernetes Installed (Linux) 136340 - nginx Installed (Linux/UNIX) 131566 - Atlassian Jira Installed (Unix / Linux) 147817 - Java Detection and Identification (Linux / Unix) 132771 - Palo Alto Cortex XSOAR Installed (Unix / Linux) 132872 - Foxit Reader Installed (Linux) 174788 - SQLite Local Detection (Linux) 151883 - Libgcrypt Installed (Linux/UNIX) 99671 - Apache Struts Detection for Linux/UNIX 156000 - Apache Log4j Installed (Linux / Unix) 141394 - Apache HTTP Server Installed (Linux) 71642 - Oracle Installed Software Enumeration (Linux / Unix) 156551 - Oracle MySQL Enterprise Monitor Installed (macOS) 124276 - Oracle Tuxedo Installed (Linux/UNIX) 73913 - Oracle WebLogic Server Detection 133962 - Sophos Anti-Virus Installed (Linux) 186361 - VMWare Tools or Open VM Tools Installed (Linux) 187057 - OwnCloud OwnCloud Installed (Linux) 70349 - Adobe Acrobat Installed (Mac OS X) 72202 - JBoss Detection 147022 - SAP Adaptive Server Enterprise (ASE) Installed (Linux) 163488 - Terraform Configuration Detection for Linux/UNIX 77028 - IBM Installation Manager Detection (Linux / Unix) 145032 - IBM WebSphere eXtreme Scale (Linux) 144633 - IBM MQ Server and Client Installed (Linux) 136341 - Dell EMC Data Protection Central Installed (Linux) 133964 - SELinux Status Check 159273 - Dockerfile Detection for Linux/UNIX 174164 - Google Protobuf Go Module Installed (Linux/UNIX) 158567 - Citrix Workspace App Installed (nix) 55420 - Adobe Reader Installed (Mac OS X) Target Release Date April 30, 2025