What do you think about the fact that the PostgreSQL version 11.17 on the Nexpose console went end of life a week ago? (https://endoflife.date/postgresql)
I have already created a support case for this and apparently Rapid7 is working on an update (support case is in the development backlog).
I personally find it a bit embarrassing when we have stipulated in our internal directive that no software or software components that have gone EoL may be used, but the security tool we use operates with such a software component.
In my case, the problem is now getting worse because I run a dedicated PostgreSQL database to which the scan results are transferred on a daily basis. This database in turn serves as a source for my vulnerability dashboards in PowerBI.
Our IT department has now approached me and wanted to update this PostgreSQL server to version 15 or, even better, 16. I had to tell them that they would have to wait.
@david_altanian I do not work for Rapid7, so I am unable to speak on this specific issue, but I have dealt with a similar technology in the past which had a vulnerable database version. When I brought this up with support, they informed me they use a different branch of the SQL database with certain functionality removed, which negated the majority of the vulnerability findings. They also had an EOL version of PHP deployed; however, they said certain things were implemented on their end to extend the functionality and security of the software even though it was EOL. It’s really about trust and risk posture at that point.
If you hear back from support, could you share it here? I’m curious if they operate in a similar fashion.
Thanks for your reply. I am not really concerned about the risk. In terms of cyber risk, I rate the use of an outdated PostgreSQL version in our case as low, especially as both my DB server and the Rapid7 Console are located in secure network zones. It’s more about the negative signal we send out as a security department when our security tools use outdated software components.
It also means that I can’t update my PostgreSQL server because there could be compatibility problems.
Anyway, as soon as I hear something new from support, I will share it here.