Updates required for FIPS mode users
On or around February 5, 2025, we will be upgrading the Security Console's existing encryption protocols to improve our security posture. As a result, Nexpose will encrypt and re-encrypt secrets only with the Advanced Encryption Standard (AES).
If you are operating Nexpose in Federal Information Processing Standard (FIPS) mode, you must update to a scan engine version that supports AES before February 5, 2025 to prevent disruption to authenticated scanning. After this change is released, it is recommended that you update to the latest product and scan engine versions to ensure continued FIPS compliance.
If you previously set your protocols for SSL/TLS in com.rapid7.nexpose.nsc.sslEnabledProtocols, you must update the value for TLS to contain only versions greater than TLSv1.2. Follow the instructions in Configuring HTTPS Options.
No action is required at this time for non-FIPS mode users. For additional details, refer to the FAQ.
Before you begin
Verify that you are using FIPS mode and check which versions you currently have installed before updating the Security Console or Scan Engine.
Verify that FIPS mode is enabled
To confirm that you are currently running in FIPS mode, check the Security Console log files for the following two messages:

```
FIPS 140-2 mode is enabled. Initializing crypto provider
Executing FIPS self tests…
```
Verify your current Security Console and Scan Engine versions
Ensure your versions of the Security Console and Scan Engine match.
To verify your current version of the Security Console:
From the Security Console, go to Administration > Console > Information.
The current product version of your Security Console installation is displayed here, along with the date and time at which it was built.
Make a note of the Version and Last product update numbers.
To verify your current version of the Scan Engine:
From the Security Console, go to Administration > Scans > Engines.
All of the Scan Engines you have added are listed on this page, together with other relevant information such as connection status, communication direction, and version details.
Make a note of the Version and Product numbers for each scan engine in the Last Update column.
Compare the numbers you noted for the Security Console and the Scan Engines. The versions of your active Scan Engines should match the version and last product update numbers of the Security Console. If the numbers do not match, you may need to perform a manual update to avoid problems.
Any Scan Engines on a version older than 6.6.274 will need to be updated.
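The two checks described above (looking for the FIPS log messages, and comparing Scan Engine versions against the Security Console and the 6.6.274 floor) can be scripted. The following is an added example and is not code from the Rapid7 notice or the product; the log excerpt, the engine names and the version strings are all constructed, and the script assumes versions are dotted integers of the form major.minor.build as shown on the Engines page.

```python
"""Added example (not part of the Rapid7 notice): script the two pre-update
checks for FIPS mode users -- FIPS log markers and engine version alignment."""
import re

# Constructed excerpt of Security Console log output. Only the two FIPS lines
# come from the notice; the surrounding lines are made up for this example.
SAMPLE_CONSOLE_LOG = """\
2025-01-20T10:00:00 INFO  Starting Security Console
2025-01-20T10:00:01 INFO  FIPS 140-2 mode is enabled. Initializing crypto provider
2025-01-20T10:00:02 INFO  Executing FIPS self tests...
2025-01-20T10:00:05 INFO  Security Console started
"""

# Both messages must be present; the self-test line alone is not enough.
FIPS_MARKERS = (
    "FIPS 140-2 mode is enabled. Initializing crypto provider",
    "Executing FIPS self tests",
)

# Oldest Scan Engine version the notice says does not need updating.
MIN_ENGINE_VERSION = (6, 6, 274)


def fips_mode_enabled(log_text: str) -> bool:
    """Return True only if both FIPS markers from the notice appear in the log."""
    return all(marker in log_text for marker in FIPS_MARKERS)


def parse_version(text: str) -> tuple:
    """Turn '6.6.274' into (6, 6, 274).

    Comparing as tuples of ints avoids the classic mistake of comparing
    version strings lexically, where '6.6.9' would sort after '6.6.274'.
    """
    m = re.fullmatch(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def engines_needing_update(console_version: str, engines: dict) -> dict:
    """Return {engine_name: reason} for every engine that should be updated.

    `engines` maps an engine name to the version string shown for it on
    Administration > Scans > Engines. An engine is flagged if it is older
    than MIN_ENGINE_VERSION, or if it does not match the console version.
    """
    console = parse_version(console_version)
    floor_text = ".".join(str(n) for n in MIN_ENGINE_VERSION)
    findings = {}
    for name, version_text in engines.items():
        v = parse_version(version_text)
        if v < MIN_ENGINE_VERSION:
            findings[name] = f"older than {floor_text}; must be updated before the AES change"
        elif v != console:
            findings[name] = f"does not match Security Console version {console_version}"
    return findings


# Constructed inventory: one engine matches the console, one is below the
# floor, one is newer than the floor but still out of step with the console.
CONSTRUCTED_CONSOLE_VERSION = "6.6.280"
CONSTRUCTED_ENGINES = {
    "engine-dc1": "6.6.280",
    "engine-branch": "6.6.270",
    "engine-lab": "6.6.278",
}

if __name__ == "__main__":
    print("FIPS mode enabled:", fips_mode_enabled(SAMPLE_CONSOLE_LOG))
    for engine, reason in engines_needing_update(
        CONSTRUCTED_CONSOLE_VERSION, CONSTRUCTED_ENGINES
    ).items():
        print(f"{engine}: {reason}")
```

Run against your own log excerpt and the version list you noted from the Engines page; any engine the script flags is one to update manually before February 5, 2025.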
Update to the latest version
If you have selected manual updates, or if you found that your Scan Engine versions do not align with the Security Console, you may need to perform a manual update.
To update your Security Console:
- Go to Administration > Console > Updates.
- Click Manual Update.
To update your Scan Engine:
- Go to Administration > Scans > Engines.
- In the Updates column, click the Update scan engine icon for each of your Scan Engines.
You can confirm that your Security Console and Scan Engine versions now match by repeating the verification steps.
FAQ
Do I need to take action if I'm not currently using FIPS mode?
You will not need to take action prior to February 5, 2025. The cipher algorithm upgrade to AES will automatically be available to you in the targeted February 5, 2025 product update.
If you’ve enabled automatic product updates, you should not experience a disruption to authenticated scans.
Why would Scan Engines be on a different version from the Security Console?
When a product update is applied to the Security Console (either automatically or manually), the Scan Engine should also update to the latest product version the next time it is not running a scan, provided it has enough storage space and can reach the Security Console.
If the Scan Engine never has a large enough window between scans, the version update will not take place. For customers with short gaps between scans, Scan Engine versions can easily fall behind the Security Console version. For that reason, it is recommended to apply both Security Console and Scan Engine updates within the same maintenance window.
Are there resources available to help with this update?
For more information on manual product updates, refer to the doc sections on Manual product updates and Managing updates without an Internet connection.
Who should I contact if I have more questions?
Reach out to your CSA or Account Executive with any additional questions.