Tenable.sc Patch 202103.1 Release Notes (2021-03-15)

Tip: Tenable rebranded SecurityCenter as Tenable.sc. For more information, see the announcement.

Note: This release includes a fix for a potential vulnerability. For more information, see the Tenable Product Security Advisory.

Apply this patch to Tenable.sc installations running version 5.13.0 through 5.17.0.

This patch fixes a high-risk remote code execution vulnerability that allows an authenticated user to escalate privileges and gain access to higher levels than intended within the Tenable.sc console. The vulnerability is exploited against the Tenable.sc server through Hypertext Preprocessor (PHP) unserialization.

This patch also fixes an issue that prevented Tenable.sc from sending emails for Alerts.

Note: This patch supersedes Tenable.sc Patch 202102.1. Apply this patch to affected Tenable.sc versions, even if you already applied Tenable.sc Patch 202102.1.

Steps to Apply

Apply the patch to a standalone Tenable.sc or Tenable Core + Tenable.sc:

  1. Download the patch from https://www.tenable.com/downloads/tenable-sc to Tenable.sc. You can save the files in any location (e.g., /tmp).
  2. Access the command line as a user with root-level permissions.

  3. Run the following command to untar the patch file:

    tar zxf SC-202103.1-5.x.tgz

  4. Run the following command to change the directory to the extracted directory:

    cd directory

  5. Run the following command to begin the installation:

    sh ./install.sh

    The installation runs and finishes.
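A pre-install check to run before steps 3 to 5, added here as an example and not part of Tenable's patch or documentation. It compares the downloaded archive's SHA-256 with the value published on the Downloads page and inspects the member list before anything is extracted or run as root. The function names are hypothetical, the expected hash is a placeholder, and `sha256sum` is assumed to be available on the host.

```shell
#!/bin/sh
# Added example (not Tenable's script): checks to run before "tar zxf" and
# "sh ./install.sh", because both happen with root-level permissions.

# Succeeds only if the file's SHA-256 equals the published value.
sha256_matches() (
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    actual="$(sha256sum "$1" | awk '{print $1}')"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
)

# Reads member names on stdin; fails on absolute paths or ".." components.
members_safe() {
    awk '/^\// || /(^|\/)\.\.(\/|$)/ { print "unsafe member: " $0; bad = 1 }
         END { exit bad + 0 }' >&2
}

# Reads member names on stdin; succeeds if an install.sh is among them.
has_installer() {
    grep -Eq '(^|/)install\.sh$'
}

# Full pre-check: checksum first, then inspect the listing without extracting.
precheck_patch() (
    archive="$1"; expected="$2"
    sha256_matches "$archive" "$expected" || { echo "checksum mismatch" >&2; exit 1; }
    listing="$(tar tzf "$archive")" || { echo "not a readable archive" >&2; exit 1; }
    printf '%s\n' "$listing" | members_safe || exit 1
    printf '%s\n' "$listing" | has_installer || { echo "install.sh missing" >&2; exit 1; }
)

# Usage (the hash is a placeholder; copy the real one from the Downloads page):
#   precheck_patch SC-202103.1-5.x.tgz "<SHA-256 from the Downloads page>" \
#       && tar zxf SC-202103.1-5.x.tgz
```
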

What to do next:

  • (Optional) Confirm the patch was applied successfully to Tenable.sc, as described in the knowledge base article.

Contents

  • install.sh

  • unserializePatch.php

  • SerializeLib.php

  • 5.13.0/AuthenticationLib.php

  • 5.13.0/ConfigurationLib.php

  • 5.14.0/AuthenticationLib.php

  • 5.14.0/ConfigurationLib.php

  • 5.14.1/AuthenticationLib.php

  • 5.14.1/ConfigurationLib.php

  • 5.14.1.1/AuthenticationLib.php

  • 5.14.1.1/ConfigurationLib.php

  • 5.15.0/AuthenticationLib.php

  • 5.15.0/ConfigurationLib.php

  • 5.16.0/AuthenticationLib.php

  • 5.16.0/ConfigurationLib.php

  • 5.16.0/importLCEVulns.php

  • 5.16.0/importPVS.php

  • 5.16.0/System.php

  • 5.16.1/AuthenticationLib.php

  • 5.16.1/ConfigurationLib.php

  • 5.16.1/importLCEVulns.php

  • 5.16.1/importPVS.php

  • 5.16.1/System.php

  • 5.17.0/AuthenticationLib.php

  • 5.17.0/ConfigurationLib.php

  • 5.17.0/importLCEVulns.php

  • 5.17.0/importPVS.php

  • 5.17.0/System.php

Filenames and Checksums

Filenames and MD5 or SHA-256 checksums are located on the Tenable.sc Downloads page.