Over the past week, we have been busy updating Acunetix to detect the Log4j vulnerabilities that have been making the headlines. Acunetix detects CVE-2021-44228 (Log4Shell) as an out-of-band vulnerability using the AcuMonitor service. In addition, the AcuMonitor service and Acunetix have been updated to detect blind (delayed) Log4j RCE, where the payload might be executed after some time by a different system than the one being scanned.
The Acunetix scanner has also been updated to test custom headers. Although this update was done specifically for Log4j vulnerabilities, it will have a positive impact on the detection of other vulnerabilities too.
Below is a list of all the Log4j-related updates:
Version 14 build 14.6.211220100 for Windows, Linux, and macOS – December 20th, 2021
New vulnerability checks
- The Apache Log4j RCE vulnerability check was updated to detect blind (delayed) instances of the vulnerability
Version 14 build 14.6.211215172 for Windows, Linux, and macOS – December 16th, 2021
New vulnerability checks
- The Apache Log4j RCE vulnerability check was updated to detect the vulnerability in web server exceptions
- The Apache Log4j RCE vulnerability check was updated to execute on various HTTP headers
Updates
- Updated the scanner to test custom headers used by the web application
Version 14 build 14.6.211213163 for Windows, Linux, and macOS – December 13th, 2021
New vulnerability checks
- New check for Apache Log4j RCE (CVE-2021-44228)
Upgrade to the latest build
If you are already using Acunetix build 14.x, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > About page.
If you are using Acunetix build 13.x or earlier, you need to download Acunetix from here. Use your Acunetix license key to download and activate your product.