Mar 03, 2021
6.6.70

New

  • New Microsoft Windows Server policy: We added a new Center for Internet Security (CIS) policy that provides coverage for Microsoft Windows Server 2016.

Improved

Customer Requested
  • Updated PostgreSQL policy: We updated our Defense Information Systems Agency (DISA) PostgreSQL 9.x benchmark to version 2, release 1.

Fixed

  • Responses to GET requests to the /api/3/scans/{id} APIv3 endpoint for any scan ID will now contain the username of the user who started the scan.
  • We added support for the V-3487 and V-1077 rules to all applicable Windows Server DISA policies.
  • We fixed an issue that caused Nexpose to fingerprint multiple kernels on systems, resulting in false positives.
  • We fixed an issue where vulnerability investigations that were opened by since-deleted user accounts would show a data retrieval error. In addition to once again being viewable, investigations like this will now indicate that the original user account was deleted.
  • We fixed two issues affecting the Top Remediations with Details report:
    • Instances of this report that are scoped to a particular site will no longer include assets that were deleted from the selected site. This issue originally appeared when an asset belonged to multiple sites but was only deleted from the site selected for the report's scope.
    • Non-admin users who generate this report with asset group scope will now see that the Assets section of the report populates as expected. This issue originally appeared when the user's permissions were limited to asset groups only without having access to sites.
  • We resolved false negatives for several Microsoft Windows vulnerabilities by updating the supersedence information for CVEs linked to updates for CVE-2020-1472.
  • We updated our checks for CVE-2020-1472 to address false positives that could occur when scanning Windows Domain Controllers.