Tenable Security Center 2023 Release Notes

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• php

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

If you are running Tenable Security Center 6.1.0 and have enabled updates through the feed, this patch will be applied automatically.

To enable updates through the Tenable Security Center feed:

1. Log in to Tenable Security Center as an Administrator.

2. In the left navigation, click System > Configuration.

   The Configuration page appears.

3. Click the Plugins/Feed tile.

   The Plugins/Feed Configuration page appears.

4. On the Plugins/Feed Configuration page, in the Tenable Security Center Software Updates section, enable the Enable Updates Through the Tenable Security Center Feed option.

   During the next scheduled feed update, Tenable Security Center applies the patch. In the Tenable Security Center Software Updates table, a timestamp appears in the row for the patch in the Last Updated column.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• httpd

• install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• httpd

• install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

If you are running Tenable Security Center 5.12.0 or later, you can upgrade directly to Tenable Security Center 6.1.0. If you are running a version earlier than Tenable Security Center 5.12.0, upgrade to Tenable Security Center 5.12.0 before upgrading to Tenable Security Center 6.1.0.

If you are running Tenable Security Center 6.1.0 and you are using pyTenable with the Tenable Security Center API, you must upgrade pyTenable to version 1.4.2 or later.

If you upgrade Tenable Security Center Director, upgrade Tenable Security Center for all managed Tenable Security Center instances connected to Tenable Security Center Director. After upgrading, allow up to 15 minutes for your managed Tenable Security Center instances to sync with Tenable Security Center Director.

Tenable recommends performing a backup before upgrading Tenable Security Center. For more information, see Perform a Backup in the Tenable Security Center User Guide.

Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Note: If your upgrade path skips versions of Tenable Security Center (for example, upgrading from 5.20.0 to 5.23.1 to 6.1.0), Tenable recommends reviewing the release notes for all skipped versions. You may need to update your configurations because of features and functionality added in skipped versions.

Note: Tenable Security Center 5.21.0 is the last version of Tenable Security Center that supports Internet Explorer. For more information about other supported browsers, see Web Browser Requirements in the Tenable Security Center User Guide.

Global Search for Assets

Tenable Security Center customers can now use the Global Search feature to search for host assets by IPv4.

For more information, see Search in the Tenable Security Center User Guide.

Domain Inventory Filtering

Tenable Security Center customers can now filter their domain inventory assets.

For more information, see Domain Inventory Filter Components in the Tenable Security Center User Guide.

Linked Users for Non-Admin Accounts

Tenable Security Center customers can now create linked users for Security Manager user accounts.

For more information, see Linked User Accounts in the Tenable Security Center User Guide.

Bulk ACR Edit

Tenable Security Center customers can now edit multiple ACR values at a time.

For more information, see Edit an ACR Manually in the Tenable Security Center User Guide.

Recast Expiration Date

Tenable Security Center customers can now set expiration dates for recast rules.

For more information, see Add a Recast Risk Rule in the Tenable Security Center User Guide.

Tenable One Data Reliability

For customers using the Lumin Connector, Tenable Security Center data in Lumin is now far more reliable as Tenable One now recognizes the host UUID generated by Tenable Security Center.

For more information, see Tenable One Synchronization in the Tenable Security Center User Guide.

Notification Bell Icon

The Tenable.sc header now includes a notification bell, which alerts users of important notifications.

For more information, see Notifications in the Tenable Security Center User Guide.

Wildcards in NetBIOS Name Filter

Tenable.sc customers can now user wildcards and regular expressions in the Vulnerability Analysis NetBIOS Name filter.

For more information, see Vulnerability Analysis Filter Components in the Tenable Security Center User Guide.

Delinea Secret Server PAM

Tenable.sc now supports the Delinea Secret Server PAM authentication method.

For more information, see Windows Credentials, SSH Credentials, and Privilege Escalation in the Tenable Security Center User Guide.

Added commas to numbers with four or more digits to make them easier to read.

Bug Fix	Defect ID
A POST request to create a policy requires that the state (mixed or enabled), and the type (locked or unlocked for a state of mixed, and always unlocked for a state of enabled) be included for each family in the request.	01558364
Added a fix where "Create Plugin scans" is not visible if "Create Scan" is disabled on initial loading of a custom role edit.	01553947
Corrected how Tenable.sc determines if the data is ready to refresh.	01509109
PDFs are no longer encrypted by default. The 'Encrypt PDF' option must be enabled before a PDF is encrypted.	01549696
Fixed issues handling and accounting for early, requested pauses, resumes and stops within the active scan process.	01546822
Fixed loading of AES/ACR from database.	01546444
This fixes a bug where the code was crashing if the user used an external SC API and did not provide a User Agent header.	01538318
Fixed issue where users were unable to copy Dashboard components to Dashboard tabs that they manage but not own.	01401206
Added a sort compare function for the risk reduction column and will sort properly in the dashboard component "Worst of the worst - Top 10 prioritized actions"	01513870
Fixed issue where column "IP/Device Count" did not sort properly in Repositories list view.	01524451
Improvements made to mobile scans to prevent timeouts.	01435903
Fixed user privileges for scan results view to have pause and stop button enabled for the scans created by that user, even without MO enabled.	01512444
typeFields was not handled properly for few credential types. Now all supported credential types support typeFields.	01489431
Optimization of backend queries during the SC feed process. This saves PHP memory and prevents PHP 'out of memory' issues.	01510611, 01508444, 01532158, 01537509
When creating a scan policy, setting "Search for DTLS" to anything other than 'None' saves correctly now.	01503411
Fixed an issue where importing a scan causes a "license check failed" error.	01501139, 01515264
Fixed an issue where column "Owner" did not sort properly in Active Scans list view.	01498956
Fixed an issue where old scan results were not being cleaned up when an expiration lifetime was configured.	01488760
Large Tenable Security Center Debug logs will no longer throw memory related issues.	01493694, 01497471, 01550915
Fixed an issue where the post-scan report was not generated if the active scan was created via API.	01439481
Bug Fix	Defect ID
A POST request to create a policy requires that the state (mixed or enabled), and the type (locked or unlocked for a state of mixed, and always unlocked for a state of enabled) be included for each family in the request.	01558364
Added a fix where "Create Plugin scans" is not visible if "Create Scan" is disabled on initial loading of a custom role edit.	01553947
Corrected how TTenable Security Center determines if the data is ready to refresh.	01509109
PDFs are no longer encrypted by default. The 'Encrypt PDF' option must be enabled before a PDF is encrypted.	01549696
Fixed issues handling and accounting for early, requested pauses, resumes and stops within the active scan process.	01546822

• The Address filter on the Domain Inventory page allows users to enter invalid values.

• Some instances of Tenable Lumin still appear in the UI, instead of Tenable One.

• If a user views the View Scan Result page while a scan is running, an error may appear in the admin log. This will not affect the scan.

• There is a cosmetic UI issue with overflowing borders on the Add Dynamic Asset page.

• There can be discrepancies between vulnerability data in Tenable Security Center and Tenable Vulnerability Management when vulnerabilities for dead hosts are removed from the cumulative database.

For more information about the API changes for this release, see the Tenable Security Center API Changelog.

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.

The following table lists the Tenable product versions tested with Tenable Security Center 6.1.0.

For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.

Product	Tested Version
Tenable Nessus	8.9.0 and later
Tenable OT Security	3.9.25 and later
Tenable Log Correlation Engine	6.0.0 and later
Tenable Nessus Network Monitor	5.11.0 and later

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• libcrypto.a

• libcrypto.so

• libcrypto.so.3

• libssl.so

• libssl.so.3

• install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• libcrypto.so.1.1

• libssl.so.1.1

• openssl

• install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• libcurl.a

• libcurl.la

• libcurl.so.4.8.0

• liblber.so.2.0.200

• libldap.so.2.0.200

• install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• httpd

• install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

Apply the patch to a standalone Tenable Security Center or Tenable Core + Tenable Security Center:

1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable Security Center. You can save the files in any location (e.g., /tmp).

2. Access the command line as a user with root-level permissions.

3. Run the following command to untar the patch file, where [patch file name] is the name of the .tgz patch file you downloaded:

   tar zxf [patch file name]

4. Run the following command to change the directory to the extracted directory, where [directory] is the extracted directory:

   cd [directory]

5. Run the following command to begin the installation:

   sh ./install.sh

   The installation begins and Tenable Security Center stops. After the installation finishes, Tenable Security Center automatically restarts.

What to do next:

• (Optional) Confirm the patch successfully applied to Tenable Security Center, as described in the knowledge base article.

• html/index.html

• html/main.52a1ec78d7f29ac9bc2d.js

• SCILib.php

• style.css

• darkmode.css

• install.sh

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.

If you are running Tenable Security Center 5.12.0 or later, you can upgrade directly to Tenable Security Center 6.0.0. If you are running a version earlier than Tenable Security Center 5.12.0, upgrade to Tenable Security Center 5.12.0 before upgrading to Tenable Security Center 6.0.0.

If you are running Tenable Security Center 6.0.0 and you are using pyTenable with the Tenable Security Center API, you must upgrade pyTenable to version 1.4.2 or later.

If you upgrade Tenable Security Center Director, upgrade Tenable Security Center for all managed Tenable Security Center instances connected to Tenable Security Center Director. After upgrading, allow up to 15 minutes for your managed Tenable Security Center instances to sync with Tenable Security Center Director.

Tenable recommends performing a backup before upgrading Tenable Security Center. For more information, see Perform a Backup in the Tenable Security Center User Guide.

This release includes an upgrade to OpenSSL 3.0.x. This resolves two issues found in the open source libraries, CVE-2021-3450 and CVE-2021-3449. Both issues were rated High. As a result, X.509 certificates signed using SHA1 are no longer allowed at security level 1 or higher. The default security level for TLS is 1, so certificates signed using SHA1 are by default no longer trusted to authenticate servers or clients. Customers who encounter this issue should upgrade their certificates. For more information, see the OpenSSL 3.0 release notes.

Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Note: If your upgrade path skips versions of Tenable Security Center (for example, upgrading from 5.9.0 to 5.12.0 to 6.0.0), Tenable recommends reviewing the release notes for all skipped versions. You may need to update your configurations because of features and functionality added in skipped versions.

Note: Tenable Security Center 5.21.0 is the last version of Tenable Security Center that supports Internet Explorer. For more information about other supported browsers, see Web Browser Requirements in the Tenable Security Center User Guide.

New Look and Feel

The Tenable Security Center look and feel has been modernized by updating the typography, navigation, login screen, and more.

OpenSSL 3.0 Support

Tenable Security Center now supports OpenSSL 3.0.

Oracle Linux 9 and Red Hat Enterprise Linux (RHEL) 9 Support

Added support for Oracle Linux 9 and RHEL 9. Tenable Security Center will continue to support CentOS 7, RHEL 7, and RHEL 8.

For more information, see System Requirements in the Tenable Security Center User Guide.

Dashboard Matrix Default Color Swatches

Tenable Security Center customers can now select from a group of default colors when editing dashboard matrix component rules.

For more information, see Custom Dashboard Component Options in the Tenable Security Center User Guide.

Scan Policy Plugin Management

Tenable Security Center customers can now add and enable plugins in mixed plugin families.

For more information, see Configure Plugin Options in the Tenable Security Center User Guide.

Updating Tenable Security Center Patches Through the Feed

Tenable Security Center customers can now download and install patches directly inside the Tenable Security Center console. There is a new option to automatically install patches with feed updates.

For more information, see Configuration Settings in the Tenable Security Center User Guide.

Health Overview Dashboard

Tenable Security Center has a new Health Overview dashboard that provides quick access to deployment issues. Tenable Security Center customers can use this dashboard to gain better insight and understanding of their Tenable Security Center infrastructure.

For more information, see Health Overview Dashboard in the Tenable Security Center User Guide.

Password Expiration

Tenable Security Center administrative users can now set password expiration settings for users.

For more information, see User Account Options in the Tenable Security Center User Guide.

Current/Previous Year Filter

The Time filter in Tenable Security Center now includes the Current Year and Last Year options.

For more information, see Vulnerability Analysis Filters in the Tenable Security Center User Guide.

Wallix Bastion PAM

Tenable Security Center now supports the Wallix Bastion PAM authentication method.

For more information, see Database Credentials Authentication Method Settings in the Tenable Security Center User Guide.

Global Search

Tenable Security Center customers can now search for vulnerabilities by CVE.

For more information, see Search in the Tenable Security Center User Guide.

Increased PDF Encryption Strength

Tenable Security Center customers can now encrypt PDF reports using a 256 bit AES algorithm.

For more information, see Report Options in the Tenable Security Center User Guide.

Update Asset List before Running Dependent Scans

In Tenable Security Center if a dependent scan is using a dynamic asset list, that asset list will now be updated before the scan runs.

For more information, see Assets in the Tenable Security Center User Guide.

NetBIOS Filter

Tenable Security Center customers can now filter vulnerabilities by NetBIOS name.

For more information, see Vulnerability Analysis Filter Components in the Tenable Security Center User Guide.

Universal Repository

Tenable Security Center customers have access to the new Universal repository type, which can store data from IPv4, IPv6, and Agent repositories.

For more information, see Universal Repositories in the Tenable Security Center User Guide.

CyberARK Credential Updates

Tenable Security Center customers that use CyberArk credentials can now use Address for the Get Credentials By setting.

For more information, see SSH Credentials in the Tenable Security Center User Guide.

Performance improvements for Tenable Security Center Director and syncing repositories.

Bug Fix	Defect ID
Fixes a race condition on login that may have caused incorrect permissions for the logged-in user under poor network conditions.	01504937
Fixed an issue with sorting accept rules by Creator.	01494988
Fixed issues related to chunk deletion and chunk re-injection when scanners go offline during a scan.	01490102, 01496734, 01529623, 01536174
Stopped using recursion to process combination asset lists to prevent using up stack memory.	01485883, 01479281, 01509793, 01475287
The SC feed was updated to exclude the AD Identity Scan policy template.	01483391
Removed *.cloudfront.net from the CSP request header. The domain was previously added to download content for Pendo, but now all external resources are served from a Tenable domain.	01483322
Fixed an issue where large scan result imports were failing by removing database locks.	01482303
Fixed a dashboard query error with the Output Assets filter.	01480528
Fixed an issue so the agentScan API returns agentGroups field information upon request. agentScan?fields=agentGroups::GET	01478230
Fixed an issue where selecting the Initiator column would not properly sort the job queue.	01474973
Fixed an issue where the Licensing Status dashboard widget appeared blank.	01471612, 01479097, 01468610, 01517641
Fixed an issue where if the diagnostic scan failed, the diagnostic scan password was not sanitized in the system log.	01470275
Fixed the backup and restore config tools to correctly backup and restore compliance plugin data. This was resolved by accounting for an offset in row IDs between the backup and restore box, particularly plugin external reference data.	01469141
Introduced the new Time filter with Created and Finished options to replace the Completion Time filter.	01467850, 01477190, 01481914, 01506659, 01466750, 01524139, 01536947
Fixed an issue where Asset bulk delete throws an error. A condition has been added to /asset/id::DELETE to verify JobLib::getIgnoreAddingNewJobsStatus(). If the Ignore adding new job option is enabled, we return the response without looking for the affected group.	01459697, 01479181, 01497531, 01523580
Fixed an issue when using the import option in IBM DB2 credentials where the client certificates entered in the Legacy CyberArk credentials screen were not retained after saving the details.	01455757
Fixed an issue where the last item in the data grid(tabulator) could not be accommodated when classification is mentioned. The issue is fixed by modifying the logic to calculate the height for the new screens appropriately to contain the classification and removing the "!important" in the css.	01451953
Fixed an issue where system logs would not scroll beyond the selected month. This was resolved by changing the design of the table. System logs are now in a paginated list, instead of an infinite scroll paradigm.	01449648, 01475247
Fixed an issue where clicking the dashboard component with Query Value: Hosts would take the user to the wrong tool in Vulnerability Analysis. The user now lands correctly on the Vulnerability List.	01449110
Fixed an issue where a query error would appear in Vulnerability Analysis after deleting a scan result. The issue was fixed by adding a check to find if the scan result exists in the system, then loading the view based on that.	01443526
Fixed an issue where the automatic refresh on the Scan Results page did not save the user's scroll position in the table,	01442405, 01507580, 01518858
Fixed an issue where a Tenable Nessus Compliance Scan import failed, despite a success message from Tenable Security Center.	01436887
Fixed an issue where dashboard components were referencing invalid queries, making users unable to edit the dashboard components.	01406788
Fixed an issue where the Owner filter on the Report Results page would show multiple instances of the same owner name.	01400225
Fixed an issue where the file /opt/sc/support/etc/SimpleSAML/config/config.php could be overwritten during a Tenable Security Center upgrade.	01385220
Reduced the time and accuracy of the List Software tool to calculate results from updates made to Plugin #22869 and Plugin #20811.	01382651

• When an admin creates a new user, the Switch User option doesn't show up immediately after creating the linked user.

• When the browser window is resized, Line Chart components will not resize appropriately to fit their respective containers.

• When zooming in on the browser, some elements in the header may no longer be visible.

• Pendo is reporting an incorrect date format in the SC productExpirationDate metadata.

• Safari SC users will see shadows of the left navigation after clicking.

• When in any Analysis view, the Analysis icon in SideNav should have a blue background with a dark blue line to the left.

• Creating a risk rule doesn't work for certain combinations for fields and repositories. For example, creating a risk rule with an IP as the identifier doesn't work for an Agent repo.

• Pagination icons should appear grayed out when they are unusable, for example, when there is only 1 page of results.

• Universal repository is not available in the Quick Setup Guide.

For more information about the API changes for this release, see the Tenable Security Center API Changelog.

Filenames and MD5 or SHA-256 checksums are located on the Tenable Security Center Downloads page.

The following table lists the Tenable product versions tested with Tenable Security Center 6.0.0.

For information about EOL dates and policies for Tenable products, see the Tenable Software Release Lifecycle Matrix and Policy.

Product	Tested Version
Tenable Nessus	8.9.0 and later
Tenable OT Security	3.9.25 and later
Tenable Log Correlation Engine	6.0.0 and later
Tenable Nessus Network Monitor	5.11.0 and later