New

• Microsoft Patch Tuesday coverage: This release includes updated scan coverage for October 2020.

Improved

• More performance improvements for policy scanning: We further optimized the Scan Engine to use less memory when scanning assets for policy compliance.
• UUID support for Linux VMs in Azure: The Scan Engine can now assert the VM ID for Linux VMs in Azure as the Universally Unique Identifier (UUID) for the asset when its scan data gets integrated into the Security Console.

Fixed

• We removed a duplicate row in the fact_all_date table in the data warehouse that caused exports to write the same data twice.
• We fixed an issue that could cause a new false positive investigation to fail unnecessarily if the Scan Engine was already busy running current investigations.
• We fixed CVE-2020-7383, a SQL injection vulnerability affecting the Security Console. This vulnerability could have allowed an authenticated user with a low permission level to access resources beyond their assigned permissions. This issue affects all Security Console versions up to and including 6.6.48. Update your Security Console to the latest version (6.6.49) to remediate this vulnerability. Thanks to Mikhail Klyuchnikov of Positive Technologies for reporting this issue to Rapid7.
• The Filtered Asset Search feature in the Security Console will now evaluate underscore (_) characters as literals instead of wildcards.
• We fixed an issue in version 2.1.0 of our CIS benchmark for SUSE Linux Enterprise 12 where rule 6.1.3 was using incorrect logic.
• We fixed an issue that prevented installed software from being fingerprinted correctly on assets running AIX VIOS.
• We fixed an issue in some CIS Unix policies where certain rules were causing scans to hang.
• We fixed an issue with our fingerprinting process that could prevent certain software from being identified if the Scan Engine could not determine the software version number.
• We fixed an issue that could prevent certain Telnet endpoints from being identified correctly.