Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Vulnerability Response release notes

Log in to subscribe to topics and get notified when content changes.

Vulnerability Response release notes

ServiceNow® Vulnerability Response product enhancements and updates in the New York release.

The Vulnerability Response application in ServiceNow® Security Operations prioritizes vulnerable items and adds business context to help security experts determine whether business critical systems are at risk. Using the CMDB, Vulnerability Response can easily identify dependencies across systems and quickly assess the business impact of changes or downtime. Vulnerability Response provides a comprehensive view of all vulnerabilities affecting a given service, as well as the current state of all vulnerabilities affecting the organization.

New York upgrade information

If you are upgrading from a previous version of Vulnerability Response, the initial New York version is available immediately in your instance. All production updates to Vulnerability Response are only available in the ServiceNow® Store.
Note: This process applies only to applications downloaded to production instances. If you are downloading applications to sub-production or development instances, it is not necessary to get entitlements. Proceed to Activate a ServiceNow Store application.

If you've previously installed Vulnerability Response, you don't need to install the Vulnerability Response Dependencies (com.snc.vul_dep) plugin prior to installing the Vulnerability Response update.

If you update from Vulnerability Response v7.0 or v8.0 to Vulnerability Response v9.0, you must install all the plugins listed under Dependencies & Licensing > App Dependency in the ServiceNow Store prior to installing Vulnerability Response.

For detailed information on upgrade from Kingston or London to Vulnerability Response, see Vulnerability Response upgrade information.

New columns added to the Vulnerable Item [sn_vul_vulnerable_item] table, to support new features, can result in longer upgrade times.

Starting with Vulnerability Responsev9.0, you can ignore some configuration item (CI) classes by setting the ignoreCIClass [sn_sec_cmn.ignoreCIClass] system property. While this property is present after upgrade it does not work automatically. For upgrade instructions on how to enable this functionality, see KB0788209.

Integration upgrade information
  • Rapid7 Vulnerability Integration

    Version 9.0.6: Before you upgrade, ensure each of the CI Lookup Rules is Order values is unique. If there are CI Lookup Rules with the same Order value, they may not upgrade correctly. After upgrade, the Rapid7 InsightVM lookup rules are assigned new Order values. Rapid7 Data Warehouse Order values remain the same. See KB0786526 for more information.

    Version 9.0: If the Create CVE entry check box in the configuration page was cleared in an earlier version, the system property, sn_vul_r7.create_cve_for_vulnerabilities is set to true upon upgrade. Vulnerability Response features such as exploits, solutions, and so on, rely on the import of CVEs and do not work effectively without them.

    Version 9.0: If you have customized CI Lookup Rules for Rapid7 InsightVM in a previous version, you need to redo them in version 9.0. CI Lookup Rules for Rapid7 InsightVM are not carried forward during upgrade. See KB0786526 for information on updating the rules.

    Prior to London v6.2 or Kingston v5.1, the Rapid7 Vulnerability Integration used an identifier from the Rapid7 Nexpose data warehouse that was not unique across multiple data warehouses. Starting with London v6.2 and Kingston v5.1, the nexpose_id, which is globally consistent, replaced it.

    If you have an existing Rapid7 Vulnerability Integration version earlier than London v6.2 or Kingston v5.1, and you upgrade to the latest Rapid7 Vulnerability Integration version, you may get an "Import relies on nexpose_id" error. In that case, update the SQL query sent to your Rapid7 Nexpose data warehouse with the nexpose_id. Without it, various features of Vulnerability Response and Rapid7 Vulnerability Integration will not work properly. See KB0751331 to add the nexpose_id to the SQL import query.
    Note: This condition is true for a Rapid7 Nexpose data warehouse upgrade or to migrate from the Rapid7 Nexpose data warehouse to Rapid7 InsightVM.
  • Qualys Vulnerability Integration

    Version 9.0: Upon upgrade from any existing Qualys Vulnerability Integration, the new Host List integration automatically enables a Qualys instance if the existing Host List Detection integration is also enabled for that instance.

New in the New York release

Features available from the ServiceNow Store:
Enhanced Change management for Vulnerability Response
Version 9.0: Create change requests directly from vulnerability groups with ServiceNow® Change Management for Vulnerability Response to expedite your remediation of vulnerabilities. This feature tightly integrates Vulnerability Response and ServiceNow®ITSM Change Management and provides customers with the following capabilities:
  • Create pre-populated change requests of varying types (emergency, standard, or normal).
  • Associate vulnerability groups to existing change requests.
  • Split large vulnerability groups into manageable chunks.
  • Resolve vulnerability groups automatically after change requests are implemented using automated state synchronization.
Software exposure assessment using Software Asset Management (SAM)
Version 9.0: With the Exposure Assessment module, determine your exposure to a specific software package by looking up the publisher, product name, and version number in the ServiceNow Software Asset Management (SAM) product. As an option, create vulnerable items to remediate vulnerabilities.
Vulnerability Solution Management
Version 8.0: Automatically correlate the vulnerabilities in your environment with the solutions that would remediate them. Identify the remediation actions that apply to your environment and prioritize them by the greatest reduction in vulnerability risk. Available as a separate subscription within Vulnerability Response, Vulnerability Solution Management contains solution integrations such as the Microsoft Security Response Center Solution Integration.

Preferred Solutions in vulnerability, vulnerable item, and vulnerability group records are derived from the Microsoft Security Response Center Solution Integration imports and not third-party vulnerability integrations.

Common Vulnerability Exposure (CVE) vulnerabilities with long summaries can cause excessive cell heights in the vulnerability list view on solution records.

Risk Score calculator enhancements
Version 8.0: Configure your calculators with finer granularity. For example, you can incorporate vulnerability severity, exploit and asset information. These calculators provide consistent risk scores across all vulnerable items so you can effectively prioritize the vulnerabilities in your environment.

The Default Risk Calculator and Vulnerability Severity calculators are shipped with the base system.

Vulnerability Calculators have replaced Vulnerability Calculator Groups for calculating the base Risk Score.

for remediation specialistsRemediation Owner Role for remediation specialists for remediation specialists
Version 8.0: Automatically receive access to vulnerability entries and solutions assigned to you or your group using the sn_vul.remediation_owner role. By default, the itil role contains the sn_vul.remediation_owner role.
Mobile experience for Vulnerability Response with the mobile app
Version 8.0: Access the VR application on your Now Platform instance directly from your mobile device with the Vulnerability Response mobile app.
  • View vulnerability groups. You can view and update your vulnerability groups to drive the vulnerability group through its remediation process.
  • Notifications: You can set up your mobile device to receive notifications about your most current business-critical vulnerability items. You can view and edit the related vulnerability group assigned to you or your team directly from the notification.
New in existing integrations
Rapid7 Vulnerability Integration

Version 9.0: Manually create sites for the Rapid7 InsightVM Vulnerability Integration to use with filtering within Vulnerability Response.

Version 9.0:Rapid7 InsightVM Multi-source support enables you to integrate multiple Rapid7 InsightVM deployments into a single instance of Vulnerability Response. Assets identified by multiple Rapid7 InsightVM deployments and their vulnerabilities are consolidated and reconciled with your CMDB. This consolidation happens even when scan processes overlap between the multiple deployments.

Version 9.0: Rapid7 InsightVM Asset List Integration retrieves host scan data once a week from all assets and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned lately.

Version 9.0: Host Tags from Rapid7 InsightVM become available for use in the Condition builder of Assignment Rules in Vulnerability Response. For example in Assignment Rules, Remediation Target Rules and so on.

Version 9.0: Filter using Rapid7 Sites and CVSS data.
Note: Rapid7 has a volume limitation on the use of the Site filter. If total assets are 10,000 or more, it sends a 500 internal server error. Rapid7 is tracking the issue under support ticket EA-3945.
Qualys Vulnerability Integration

Version 9.0: Qualys Host List integration retrieves authenticated and unauthenticated host scan data from Qualys once a week and stores it in the Discovered Items module in your instance. Helps identify assets that haven't been scanned recently using Last Scan date. View the Last Scan time and Last Authenticated Scan time on the Discovered Items list.

Version 9.0: Populates Preferred Solution for vulnerable items with the same Preferred Solution as its vulnerability.

Tenable for Vulnerability Response v2.x

Prioritize and automate the remediation of critical vulnerabilities. Tenable for Vulnerability Responsev2.x applications offer increased performance speed of importing vulnerabilities. These applications also bring in the Vulnerability Priority Rating (VPR) score into ServiceNow.

  • When Tenable for Vulnerability Response v2.x vulnerabilities are imported before their corresponding National Vulnerability Database (NVD) entries, those vulnerabilities are not associated with the NVD vulnerabilities later. Ensure that NVD imports are up to date, and periodically reimport the Tenable for Vulnerability Responsev2.x vulnerabilities.

  • Tenable for Vulnerability Responsev2.x doesn't currently support Normalized severity.
  • Tenable for Vulnerability Responsev2.x populates exploit information in the Tenable for Vulnerability Response Additional Findings fields.
New integrations
Microsoft Security Response Center Solution Integration

Version 8.0:Microsoft Security Response Center Solution Integration imports solution data for known vulnerabilities and creates relationships with vulnerable items and vulnerability groups. This integration is part of Vulnerability Solution Management.

Quick start tests for Vulnerability Response
Version 8.0: Validate the continued functionality of Vulnerability Response after any configuration change such as an upgrade or after developing an application. All test suites and tests should pass on a default implementation. To validate a custom implementation, copy the automated tests and configure them for your customizations.

Changed in this release

NVD JSON integration
Version 8.0: To support the anticipated switch from XML to JSON by the National Vulnerabilities Database (NVD), NVD data feeds have been updated to use JSON.
Note: By default, all data feeds for NVD Auto-update are disabled. To enable the feeds that you want, see Configure the scheduled job for updating NVD records.
Configuration additions to Setup Assistant

Version 8.0: Added configuration for Assignment Rules and Microsoft Security Response Center configuration for Vulnerability Solution Management within SetupAssistant.

CI Lookup Rule used for the CI appears on Discovered Item records
Version 8.0: Added the CI matching rule field to the Discovered Items form to make it easier to identify potential matching issues.
Integration changes

Version 9.0: The template integration can no longer be deleted. Disable it instead.

Removed in this release

Version 9.0: The Configure SAM NVD and Vulnerable Software modules have been removed due to dependent content from the National Vulnerability Database (NVD) that is no longer available.

Version 9.0: Create CVE entry check box in the Rapid7 Vulnerability Integration configuration page. CVEs, not already present, are created as NVD records and referenced in the third-party entry for Rapid7, by default.

Version 8.0: Vulnerability Calculator Groups have been renamed Vulnerability Calculators and the group module no longer exists.

Activation information

Activate the Vulnerability Response Dependencies plugin (com.snc.vul_dep). Download and install Vulnerability Response from the ServiceNow Store and configure this application based on the needs of your organization using Setup Assistant. This application is available as a separate subscription.

Related ServiceNow applications and features