Frontline Vulnerability Management (Fortra VM)
February 2024
Version 7.0.0.0
February 28, 2024
New Features
- This version of Fortra Vulnerability Management, formerly Frontline Vulnerability Manager, introduces new Fortra VM branding and integration with Fortra's platform.
- Users will soon have access to Fortra IdP to simplify login, and to the Fortra Support Portal for support ticket submission and tracking, along with knowledge base articles and FAQs.
- Frontline VM users will be seamlessly transitioned to Fortra VM over the coming months, with the opportunity to opt in to Fortra's platform with the native SSO version once eligible.
Enhancements
- Branding alignment:
- Removed 'Frontline' verbiage throughout UI and reports
- Theme changes for branding alignment
- PCI Self Service:
- CVSS Score of 4.0 assigned to auto-fail vulns with no associated CVE-ID.
- Changed "3b note" to "Special Note (3b)"
- Limited SSL/TLS auto-fails to a list of known vulnerabilities
- Updated agent documentation on help site
- Improvements added to vulnerability dictionary (additional information and filters)
- Added support for switching account via API request
- Allowed nested General accounts
- Allowed entry of multiple phone numbers in a theme
- Report auto-scaling for improved report generation speed / capacity
- Account level settings to manage Fortra IdP eligibility and active status
Fixes
- File upload requests redirect to login in platform
- Build Report in Active View errors and fails to show dialog box
January 2024
Version 6.5.9.0
January 6, 2024
New Features
- Support for 'ephemeral' vulnerabilities.
Enhancements
- PCI Self Service:
- List vulnerabilities by all CVE-IDs in part 3a of the ASV Scan Summary.
- Add verbiage for auto-failures per ASV Program Guide 4.0r2.
- Ensure "Special Notes" align with ASV Program Guide 4.0r2.
- Delay report server shutdown until all current reports have completed.
- Support physical devices for RNA Conversion pipeline.
Fixes
- PCI Self Service:
- Passing and Failed vulns are mixed when sorting by severity.
- Components for 3b notes are maintained and displayed when not required.
- ASV Scan Vulnerability Details report is consolidating vulnerabilities that are not the same.
- ASV Scan Report Summary's Exceptions column needs to be on the same row as corresponding columns.
- Correct the Agents CSV Export report errors.
- Japanese translation error in Appendix D False Positive statement.
- Scan Groups "+ Add Scan" disabled in WAS App when "Auto Generate WAS Scans" is enabled.
- Custom path manually added pagevulns not carried forward in AV.
- Shared user role not available to use for new accounts created in nested account tree.
- WAS Scan Template Tuning Policies always shows default policy.
December 2023
Version 6.5.8.1
December 18, 2023
Enhancements
- This version of Frontline Vulnerability Manager introduces various bug fixes and enhancements to improve overall usability and quality.
Fixes
- PCI Self Service:
- PCI Compliance report failing with accepted dispute for WAS URL Redirection vulnerability.
- PCI Compliance report not displaying ad-hoc hostname targets.
August 2023
Version 6.5.6.0
August 30, 2023
New Features
- This version of Frontline Web Application Scanner introduces several enhancements for the PCI Self Service feature
- Initial Support for RNA Upgrade Pipeline to Install Ubuntu 20.04
Enhancements
- PCI Self Service:
- Scan Groups now support dynamic auto-creation of WAS scans from VM scans that detect webservers
- Support file attachments for PCI Disputes
- Support assignment of PCI disputes to selected PCI analyst
- System generated WAS Audit policy created for PCI Compliance Scans
- Enforce PCI workflow parameters in scans created for Scan Groups with applied settings
- New notifications added to ensure assigned PCI analyst is notified whenever a dispute comment is made
- New PCI Vulnerabilities CSV Export report
- Generate PCI Compliance Reports sections as reports and ZIP
Fixes
- PCI Self Service:
- Disable ability to dispute on scans older than 90 days
- Revert to original vuln status when disputes sent back to pending
- Revert status (Pass or Fail) on expired disputes when rescanned
- Set dispute expiration to end of quarter
- Prevent PCI Compliance Report for only WAS scans
- Correctly note WAS webapps not found during scan in section 4c of PCI Compliance Report
- PCI Compliance Report Scan Summary part 3b needs to show most recent note
- Scan Groups:
- New Scan Group button forwards to link with query information on url
- Sorting by "Next Period Start" does not sort correctly
- Intermittent failures recrypting scanner credentials
- Scans attempting to launch on artificial RNAs error out immediately
July 2023
Version 6.5.5.2
July 7, 2023
Enhancements
- One-Time Scans: Add OTS configuration for IBM i DDM Service Unauthenticated RCE One-Time Scan
Fixes
- One-Time Scans: Updated verbiage for consistency and grammatical correctness
- PCI Self-Service: Fix the incorrectly filtered global view of the PCI dispute list
- Multi-scan reports potentially error from setting value on incorrect field
May 2023
Version 6.5.4.1
May 31, 2023
Fixes
- PCI Compliance Reports marked incorrectly as "Failing"
Version 6.5.4.0
May 31, 2023
New Features
- Linux Agent Support
Enhancements
- PCI Self Service: Update our PCI ASV number and POC in PCI Compliance Report
- PCI Self Service: Support PCI reporting on undetected hosts
- Add "status" support for completed Scan Group runs to Scan Group Template controller / page
Fixes
- Update package dependency versions
- Fix max CVSS scores displayed in the Vulnerability Dictionary
- Miscellaneous filters
- WAS vuln assessment workflow unavailable on accounts with on the Web Application Scanning subscription
- Console Error when resetting password
April 2023
Version 6.5.2.5
April 7, 2023
Enhancements
- Internal improvements for tracking metrics and maintaining stability in Frontline.
Version 6.5.2.4
April 3, 2023
Enhancements
- Internal improvements for tracking metrics and maintaining stability in Frontline.
March 2023
Version 6.5.2.3
March 17, 2023
Enhancements
- Allow scoping PCI multi-scan reports by specific quarters as windows to query selectable scans.
Fixes
- Fix asset matching functions in multi-scan reports and provide report option to opt-out.
- Dates displayed in the interface are not reflecting DST timezone offset.
- Japanese translated report cover page displays broken HTML.
- Theme files on report generating task workers aren't always in sync as expected.
- Business groups incorrectly being associated to AV hosts outside of AV window on insert.
Version 6.5.2.2
March 3, 2023
Enhancements
- Japanese exception list for translation service.
- Allow the instant translation service to handle HTML documents.
Fixes
- Themed reports are not working; consistently falling back to the default theme.
- Theme data cannot be viewed in the UI.
- PCI Self Service: All items from WAS scan not showing up in PCI compliance report using multi scan.
- PCI Self Service: 3B items that are changed are not showing the most recent entry in compliance reports.
- Multi-process functions from stats generation are exceeding task worker resource capacities.
- Hide PCI / PT workflows in WAS when no sub.
- Add 'Max webapp count' field to 'Web Application PCI Compliance Scanning'.
- Restricted accounts display partial menus when engaged by Global Admin.
- Partial scan results are no longer displayed when a WAS scan is errored.
- Console error opening Scanner Profile detail page.
- WAPT Subscription - icon missing and moved to bottom of list.
- Incorrect resource ACL inheritance from Business Groups of Scan Source.
- Scanner-side update to set WAS scan blocks to 'completed' are causing scans to complete without reconciling.
- VM insert error from saving JSON object with null byte value in it.
February 2023
Version 6.5.2.1
February 22, 2023
New Features
- This version includes Windows 11 CIS Benchmark checks.
Enhancements
- Improve scan execution efficiency in SPARKS.
- Add PCI workflow backend support to WAS.
- Create dedicated app server type for external users.
- Add AWS instant translation to translation service.
- PCI Self Service: Create a CRON to remove old validated disputed_accepted vulns.
- Create new WAS Tuning Policy for PCI.
- PCI Disputes should trigger notifications to analysts.
- Improve logging in the RNA activation controller.
- Use caching to improve account ownership functions.
- PCI Self Service: Add ability in PCI tabs to remove a dispute.
- PCI Self Service: When an official report is created and sent in review, all PCI analysts are notified.
- PCI Self Service: Add sorting/filtering for 3B notes.
- Enable Windows 11 CIS reports in Frontline.
- Create standard PCI WAS scanning policy.
Fixes
- Performance fixes for stats generation.
- Fix PCI Tab default sorting.
- Fix Recurring Reports that run on different days. Only the most recent report appears to be available.
- Creating multi-scan VM / WAS Compliance Report includes All Active View.
- Trigger reconciliation of WAS scan where scan is marked completed, but has not reconciled.
- PCI Self Service: PCI dispute page not displaying UI control for individual line items.
- PCI Self Service: UI elements to Accept or Reject a PCI Dispute are present for an MSP Global Admin.
- PCI Self Service: PCI Scans Show Analysis tab when managed workflow is not being used.
- PCI Self Service: When hostname scanning, the IP address that the hostname is being resolved to is brought forth when attesting.
- Fix VM scan results PCI tab to allow re-dispute.
- Show Customer scope in PCI Attestation.
- VM scan links have a value appended to them.
- Spelling error in WAS > PCI tab > Dispute button.
January 2023
Version 6.5.1.9
January 27, 2023
Enhancements
- Added a new command in RNA utils to grab scan status from RNAs.
Fixes
- PCI Self Service: Reports - Assets with different IPs and same DNS Name are not being reported.
- Error generating Language localization Reports with size that exceeds the limit.
- Creating new Business Groups will not allow assigning Group Members.
December 2022
Version 6.5.1.5
December 22, 2022
Enhancements
- PCI Self Service: Send notifications on disputed approved/denied.
- PCI Self Service: Provide a way to override PCI Vulnerability instances.
- PCI Self Service: Hide PCI related notes from Vuln instance expanded row on Results vulns tab.
- PCI Self Service: Unhide override pass tools.
- PCI Self Service: Add filter for 3B/disputes.
- PCI Self Service: Use Hostname from Scan Template in reports for VM Scans.
Fixes
- PCI Self Service: If a vulnerability is discovered on both a VM and WAS scan, the PCI Compliance report incorrectly puts the WAS dispute note on the VM vulnerability.
- PCI Self Service: Dispute Page - Scan Type is blank for VM and WAS vulnerabilities.
- PCI Self Service: PCI Compliance report formatting issue.
- PCI Self Service: No report data source displayed for PCI Compliance Reports.
- PCI Self Service: Hide PCI tab in Container and Agent Scans.
- PCI Self Service: Additional PCI dispute comments are not showing on Dispute Management Page.
- PCI Self Service: PCI Dispute Page does not show override value.
- PCI Self Service: Hide Update PCI Value button unless permission is granted.
- PCI Self Service: Require 3B Documentation value always set to off when editing vuln dictionary.
- PCI Self Service: Part 3 Component Compliance summary can fail to list some passing components.
Version 6.5.1.4
December 17, 2022
Enhancements
- PCI Self Service: Add additional information for WAS in vuln details in the Vulnerability details section of the PCI Compliance Report.
- PCI Self Service: Add out-of-scope items in the PCI Compliance Report.
- PCI Self Service: Users should be able to re-dispute a vuln where previous dispute is rejected.
- PCI Self Service: Provide a way to allow customers to enter Out-of-Scope Components.
- PCI Self Service: Provide a way to override PCI Vulnerability Instances.
- PCI Self Service: Make PCI Component editable in vulndictionary.
- PCI Self Service: PCI Reports available on WAS new scan template.
- PCI Self Service: Remove attestation for uncertified PCI Compliance Report.
Fixes
- PCI Self Service: Include the IPs that were added in the additional required pop-up for Part 4A in PCI Compliance Report.
- PCI Self Service: Error attempting to add a 3B note as a client account admin.
- PCI Self Service: Error attempting to Dispute a WAS Vuln.
- Fix Vuln dictionary CVSSv2 and CVSSv3 incorrect info.
- PCI Self Service: Error attempting to add a comment to a disputed vuln that had a comment deleted.
- PCI Self Service: Client cannot re-dispute vulns with rejected vuln disputes.
- PCI Self Service: Filter PCI Compliance report out of Report template list when an Agent or Container scan is selected as the scan source.
- PCI Self Service: Add additional information requested for section A4 and Part 3B.
- PCI Self Service: Remove dispute modal display button that reads 'Dispute'.
Version 6.5.1.3
December 14, 2022
Enhancements
- PCI Self Service: Add option to send to the official certification workflow.
- PCI Self Service: Removed Unofficial from PCI Reports.
- PCI Self Service: Add more WAS details in our PCI Compliance Report.
- PCI Self Service: Add new permission for PCI Analyst.
- PCI Self Service: Allow users to move a pending Dispute back to Undisputed.
- PCI Self Service: Support scan name filtering on /disputedvulns endpoint.
- PCI Self Service: Add controls for analyst override of PCI values.
- PCI Self Service: Add PCI Required Remediation report to multi-scans.
- PCI Self Service: Add Attestation date to A4 of the Attestation of Compliance in PCI Compliance Report.
- PCI Self Service: Update report "Officially certified" toggle to use Modal
Fixes
- PCI Self Service: Unable to dispute a vulnerability as a client account admin.
- PCI Self Service: Report erroring on hidden dictionary entries.
- PCI Self Service: Include Resolved toggle does not display as active or not until page refreshed.
- PCI Self Service: Electing to dispute multiple VM scan vulnerabilities fails - no vulns displayed as being Disputed.
Version 6.5.1.2
December 10, 2022
Enhancements
- PCI Self Service: Capture analyst overrides for various PCI items
- PCI Self Service: Allow MSPs to view Disputed List Page
- PCI Self Service: Add 3B note status badge in PCI Tab
- PCI Self Service: Add PCI assessment administration permissions
- PCI Self Service: Add link to PCI Disputes page
- PCI Self Service: Show 3B notes on vuln row in Scan Results tabs
Fixes
- PCI Self Service: Accepted vulns still showing as Failing in PCI Reports
- PCI Self Service: PCI Compliance reports errors with multiple accounts
June 2022
Version 6.4.4.0
June 11, 2022
New Features
- Edge Network support increases the scalability and responsiveness of our scanning communication network.
- Implementation of Business Groups.
- Reports enhancements with support for scheduled and emailed reports.
- Added a Global Vulnerability Search for MSP accounts.
Enhancements
- Business Group Column in active view display (Ticket 18151).
- Auth Scan Config: Add a "Test Your Config" button (Ticket 20422).
- Dynamic Labels used as Rules for Business Groups (Ticket 18019).
- Preserve access to historical scans / reports after Business Group access levels change (Ticket 20046).
- Report Scheduler (Ticket 17363 and 1456).
- Vulnerability Age Report (Ticket 17601).
- Added the ability to save report filters for future use (Ticket 19099 and 1457).
- Included an Authenticated Creds Test button (Ticket 19473).
- Enterprise Admin Group able to view other groups dashboard (Ticket 19635).
- Custom Report Templates - Data Filters (Ticket 20275).
- Change how we manage IP restrictions for Business Groups (Ticket 22207).
- Custom email lists for scanning notifications (Ticket 22633).
- Added the ability to enable recurring reports (Ticket 23319).
- Made Scan Description variable visible in UI (Ticket 23827).
- Fulfilled request for NVD Reporting Functionality (Ticket 24517).
- Choose what reports automatically generate after a scan (Ticket 24885).
- Sending reports (Ticket 25073).
- Added Business Group column to Scanners page (Ticket 18553).
- Added support for a Microsoft patches only report (Ticket 1831).
- Auth Scan / Credential PDF Detailed Status Report (Ticket 1094).
- Add support for emailing reports to users (Ticket 1514).
Fixes
- Fixed subject for some automated emails to match email content (Ticket 25212).
- Updating Business Group shows IPs as not associated to Scanner Profile (Ticket 24695).
- Email headers do not match email content (Ticket 25212 and 25289).
- Graphs & Trending - "Asset Rating Counts" not displayed in DDI Asset Rating colors (Ticket 658).
- Asset Rating not viewable with NVD/PCI (Ticket 1072).
- Executive Summary Report does not respect NVD/PCI options (Ticket 1082).
- Input fields for AV Window Size and SLA Days are active (Ticket 1323).
- AV Summary incorrectly processes non-default options (Ticket 1369).
- CIS CSV Export defaulting to PDF format (Ticket 1486).
- Several filters have multiple entries in the Vuln Dictionary and Vuln Trend filter sets (Ticket 1502).
- Clicking on 'Vuln Definition' on scan results removes the active context and takes the user to the accounts page (Ticket 1548).
- Vulnerabilities have multiple unique instances in agent scans (Ticket 1658).
- Spelling error in DB/OS Tooltip (Ticket 1725).
- Unable to delete manually added labels to Assets (or Vulnerabilities) (Ticket 1822).
April 2022
Version 6.4.3.4
April 22, 2022
Fixes
- Fix incorrect vulnerability count when using asset labels.
March 2022
Version 6.4.3.3
March 2, 2022
Fixes
- Increase logs disk size to 180Gb.
January 2022
Version 6.4.3.2
January 26, 2022
Enhancements
- Moved additional logs into Loki logging subsystem for Frontline.Cloud.
Fixes
- Corrected failure of some cases related to deleted user roles in Managed Account Users CSV Export.
- Fixed the automatic spin down of Trial accounts on TryFrontline.Cloud shortly after creation.
- Fixed missing owner field in CSV export of Managed Accounts Security GPAs.
- Fixed spelling error in "Approved management access request user" filter.
- Removed Test Credentials button from Credential management pages.
Version 6.4.3.1
January 19, 2022
Fixes
- Fixed Asset and Scanner Profile IP address "is (or)" and "is not (or)" filtering that did not work properly.
- Multiple fixes to Frontline TAP threat intelligence feed processing for Threat Rank.
- Frontline.Cloud infrastructure fixes related to expiring certificates.
Version 6.4.3.0
January 12, 2022
New Features
- Introduced comprehensive authenticated scan status and credential validity management.
  - See the success or failure of authenticated scans at all levels of scan results and reports.
  - Identify which credentials were used in each scan and if they are valid or not.
- Added a comprehensive suite of management reports targeted specifically for MSPs.
  - Includes CSV reports, PDF reports and email alerts.
  - Manage customer base and understand usage and trends.
Enhancements
- Added ability to search for vulnerabilities by authentication method (Bug 25256).
- Added ability to supply custom trending intervals for reports (Bug 20480).
- Added delay-time-period before automatically spinning down Trial accounts (Bug 25048).
- Added support to filter scan results by a list of CVEs (Bug 23333).
- Changed default RNA Access Request time to be 8 hours.
- Deprecated Oracle Image Virtual RNA download.
- Included authenticated scan status within reports (Bug 24978).
- Introduced Asset Rating Trends Report.
- Introduced SSL Certificates Report.
- Introduced report review workflow into Frontline.Cloud (Bug 20672).
- Introduced scoped credentials for authenticated scanning (Bug 24886).
- Allow Trial account options to be set during Trial account creation.
- Removed per-account limits for Virtual RNA appliance tokens.
- Replaced Digital Defense, Inc with Digital Defense by HelpSystems.
- Display authentication detect method on-hover for vulnerabilities (Bug 23369).
- Improved support for NVD / PCI rating schemes within Frontline.Cloud (Bug 23934, 25071)
- Introduced suite of MSP / Super account management reports (Bug 24793, 20040, 20517)
- Replaced logo with favicon for themes list.
- Implemented various infrastructure improvements and security updates.
Fixes
- Removed rounding for Active Risk Score in some locations within Frontline UI and reports.
- Fixed the incorrect inclusion of tag with Container scanning license when calculating usage.
- Fixed Core Impact scan exports that could not be filtered by date range.
- Corrected the mistake allowing the Credential PGP cipher text.
- Fixed dysfunctional filtering on Frontline Agent list page.
- Fixed IP Address filter that did not properly respect quoted search terms (Bug 25297).
- Fixed slow speed on Manage RNAs list page.
- Broken links to help pages on new account dashboard are resolved (Bug 24931)
- Fixed performance for statistics object management.
- Corrected body text on RNA Access Approved email.
- Populated data in reports based on container scans.
- Fixed error in scan insertion when ping-type is not defined (Bug 25011)
- Fixed report options that are not displayed in the report's options appendix.
- Updated super account usage metrics in instances of error.
- Allowed additional groupings for Threat Landscape reports.
- Corrected inability to upgrade Trial accounts to General accounts (Bug 25253, 25060).
- Fixed various bugs for reports including grammar, spelling, and style fixes.
- Fixed Virtual RNAs that could not be downloaded on TryFrontline.Cloud due to trade.gov API changes (Bug 25299).