Over the past week, we have been busy updating Acunetix to detect Log4j vulnerabilities that have been making the headlines. Acunetix is detecting the CVE-2021-44228 vulnerability (Log4Shell) as an out-of-band vulnerability using the AcuMonitor service. In addition, the AcuMonitor service and Acunetix have been updated to detect blind (delayed) Log4j RCE, where the payload might be executed after some time by a different system than the one being scanned.

The Acunetix scanner has also been updated to test custom headers. Although this update was done specifically for Log4j vulnerabilities, it will have a positive impact on the detection of other vulnerabilities too.

Below is a list of all the Log4j-related updates:

Version 14 build 14.6.211220100 for Windows, Linux, and macOS – December 20th, 2021

New vulnerability checks

  • The Apache Log4j RCE vulnerability check was updated to detect blind (delayed) instances of the vulnerability

Version 14 build 14.6.211215172 for Windows, Linux, and macOS – December 16th, 2021

New vulnerability checks

  • The Apache Log4j RCE vulnerability check was updated to detect the vulnerability in web server exceptions
  • The Apache Log4j RCE vulnerability check was updated to execute on various HTTP headers

Updates

  • Updated the scanner to test custom headers used by the web application

Version 14 build 14.6.211213163 for Windows, Linux, and macOS – December 13th, 2021

New vulnerability checks

Upgrade to the latest build

If you are already using Acunetix build 14.x, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > About page.

If you are using Acunetix build 13.x or earlier, you need to download Acunetix from here. Use your Acunetix license key to download and activate your product.

SHARE THIS POST
THE AUTHOR
Nicholas Sciberras
Chief Technical Officer
As the Head of Acunetix Engineering, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.