CCI-002605

Install security-relevant software updates within an organization-defined time period of the release of the updates.

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

5 rules found Severity: Medium

1 rule found Severity: Medium

3 rules found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: High

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

3 rules found Severity: High

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: High

CCI-002605

The Adobe Acrobat Pro DC Continuous latest security-related software updates must be installed.

Adobe Reader DC must have the latest Security-related Software Updates installed.

The FortiGate device must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.

The HYCU Web UI must be configured to send log data to a central log server for forwarding alerts to the administrators and the ISSO.

The MQ Appliance messaging server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Security-relevant software updates to DB2 must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

The WebSphere Application Server must apply the latest security fixes.

The WebSphere Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).

The Ivanti MobileIron Core server must be maintained at a supported version.

MobileIron Sentry must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.

The installed version of Firefox must be supported.

Exchange must have the most current, approved service pack installed.

Office automatic updates must be enabled for Office products installed via Click-to-Run and configured to use a Trusted site.

Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Software updates to SQL Server must be tested before being applied to production systems.

Nutanix AOS must be running an operating system release that is currently supported by the vendor.

Tanium Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The Tanium Application Server must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The Tanium application must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The Tanium operating system (TanOS) must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The NSX-T Manager must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the Information System Security Officer (ISSO).

All Horizon components must be running supported versions.

Security-relevant software updates to MongoDB must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The version of Internet Explorer running on the system must be a supported version.

Vendor-supported software must be evaluated and patched against newly found vulnerabilities.

Security-relevant software updates to PostgreSQL must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Security-relevant software updates to the EDB Postgres Advanced Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Tomcat server must be patched for security vulnerabilities.

Maintenance for security-related software updates for CA IDMS modules must be provided.

Security-relevant software updates to PostgreSQL must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The Cisco switch must be running an IOS release that is currently supported by Cisco Systems.

The F5 BIG-IP appliance must generate audit records and send records to redundant central syslog servers that are separate from the appliance.

The version of Google Chrome running on the system must be a supported version.

The HPE Nimble must forward critical alerts (at a minimum) to the system administrators and the ISSO.

The WebSphere Liberty Server must install security-relevant software updates within the time period directed by an authoritative source.

The ISEC7 Sphere server must be maintained at a supported version.

The ICS must be configured to send admin log data to a redundant central log server.

The Ivanti EPMM server must be maintained at a supported version.

Sentry must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO.

Production JBoss servers must be supported by the vendor.

The JRE installed on the JBoss server must be kept up to date.

The Juniper EX switch must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

Security-relevant software updates to MarkLogic Server must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Vulnerability scanning must be enabled for all repositories in MSR.

MKE must contain the latest updates.

MongoDB products must be a supported version.

The version of Microsoft Edge running on the system must be a supported version.

The network device must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Security-relevant software updates to the MySQL Database Server 8.0 must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The Riverbed NetProfiler must be configured to automatically generate DOD-required audit records with sufficient information to support incident reporting to a central log server.

Security-relevant software updates to Redis Enterprise DBMS must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Automation Controller must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

Automation Controller NGINX web servers must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The TippingPoint SMS must be configured to send log data to at least two central log servers for the purpose of forwarding alerts to the administrators and the information system security officer (ISSO).

The web server must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

NixOS must run a supported release of the operating system.

The Apache web server must install security-relevant software updates within the configured time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The macOS system must be a supported release.

The application server must install security-relevant software updates within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

Security-relevant software updates and patches must be kept up to date.

The container platform registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.

The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

AlmaLinux OS 9 must be a supported release.

Security-relevant software updates to the DBMS must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The application must install security-relevant firmware updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Forescout must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the Information System Security Officer (ISSO).

The operating system must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

The HYCU virtual appliance must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

IBM Security zSecure system administrators must install security-relevant zSecure software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).

The Mainframe Product must install security-relevant software updates within the time period directed by an authoritative source (e.g., IAVMs, CTOs, DTMs, and STIGs).

Security-relevant software updates to MariaDB must be installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).

Exchange must have the most current, approved Cumulative Update (CU) installed.

Exchange must have the most current, approved Cumulative Update installed.

Security-relevant software updates to SQL Server must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).

The configuration integrity of the container platform must be ensured and vulnerabilities policies must be configured.

Prisma Cloud Compute's Intelligence Stream must be kept up to date.

Rancher RKE2 registry must contain the latest images with most recent updates and execute within Rancher RKE2 runtime as authorized by IAVM, CTOs, DTMs, and STIGs.

OpenShift must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs.

OpenShift runtime must have updates installed within the period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs).