Acunetix 更新紀錄

v15.5.230406089 – 11 April 2023

Fixes

• Fixed scanner crash.

v15.5.230326230 – 28 March 2023

New feature

• .NET Core AcuSensor now supports installing on Linux. Note: When upgrading, please use the new .NET IAST AcuSensor Installation Instructions.

Security checks

• Improved the Server-side prototype pollution check.
• Updated the WordPress plugin vulnerabilities.
• Updated the software composition analysis database.

Improvements

• Added sitemap parser to better handle the sitemap files.
• Improved the user interface to remove the hyperlink for websites that users do not have permission to.
• Improved scanner to identify XSS in forms where these forms are protected with a CSRF token that is changing each time the page is refreshed.
• Increased limit for data exchanged between IAST AcuSensors and the Acunetix engine.
• Improved the token validator for new Jira tokens.

Fixes

• Fixed the OpenVAS service on Acunetix Premium Online to avoid the scan queue.
• Fixed bug causing some vulnerability checks to not execute on scans which are paused and resumed.
• Fixed issue with the request header limit for Github/Gitlab issue trackers.
• Fixed the issue of sending issues to Bugzilla.
• Fixed the bug that threw an internal server exception when a system admin tries to add a new user.
• Fixed the UI bug that appeared when the target is network.
• Fixed the issue that rejected locations and schemes are still being scanned.
• Fixed the issue with the corrupted links that are sent via email after the scan.
• Fixed the password reset issue.
• Fixed possible false positive misconfiguration “ASP.NET expired session IDs are not regenerated”

v15.4.230302096 – 3 March 2023

New security checks

• New security check for Fortinet RCE (CVE-2022-39952).

v15.4.230222085 – 23 Feb 2023

New features

• Improved the default roles.

New security checks

• Updated the WordPress plugin vulnerabilities.
• Updated the software composition analysis database.
• New security check for detection of ASP.NET core in the development mode.
• Added various checks for Content Security Policy misconfiguration.
• New security check for Oracle Web Applications Desktop Integrator unauthenticated takeover. (CVE-2022-21587)
• New security check for Deserialization RCE vulnerability in Oracle Access Manager OpenSSO Agent. (CVE-2021-35587)
• Updated the file extensions and parameter exclusions.
• New security check for F5 BIG-IP Cookie Remote Information Disclosure.
• New security check detecting retired hash functions usage in SAML.
• Improved the SQL injection check to identify whether the database user has admin privileges.

Improvements

• Added the Heuristic server-side routing detection to optimize attacks.
• Updated the embedded Chromium browser to v109.0.5414.119.
• Added the company name field to the registration process to Acunetix.
• Updated the issue tracker integrations to show the link to the relevant ticket created in those issue trackers.
• Updated the DISA STIG report to version 5.2.
• Improved the CSV importing link to limit the target limit to 500.
• Improved the scanner engine to reduce the memory footprint.
• Improved the .NET IAST sensor to mask any password.

Fixes

• Fixed the pagination bug on the Targets page.
• Fixed the crawler issue that the page becomes unresponsive when it contains many elements.
• Fixed the single-page application crawler to be consistent in the form submission.
• Fixed a notification bug that does not redirect users to the correct URL for the finished scan.
• Fixed the bug that does not refresh the user interface after the update.

v15.3.1.230126173 – 30 Jan 2023 (Linux Only)

Fixes

• Fixed the Linux installations for updating issues.

v15.3.230123162 – 24 Jan 2023

New security checks

• Added SAML anonymous assertion consumer service audit for XML external entity injection, XSLT, Server-side request forgery, and Cross-site scripting.
• Added a SAML signature audit to test attacks on signature verification.
• Added various checks for Content Security Policy misconfiguration.
• New security check for ASP.NET core development mode.
• Updated the WordPress core vulnerabilities.
• Updated the WordPress plugin vulnerabilities.

Improvements

• Updated .NET IAST Sensor to detect a number of server-side configuration problems which may result in a security vulnerability.
• Improved the JSON payload tests.
• Updated JWT secrets dictionary.

Fixes

• Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
• Fixed the scan summary page that failed to show some of the results.
• Fixed issues in the UI Notifications causing them to be unactionable.
• Fixed a problem that caused the LSR to show the mobile version for some sites incorrectly.
• Fixed .NET sensor issue that returns the root applications (website’s root) files although the sensor is enabled for sub-application.
• Fixed the version information shown on the user interface after the update.
• Fixed the routing issue for .NET Framework ASP.NET Web API because of compatibility issues.
• Improved the login sequence recorder notification that informs users when the response max size limit is exceeded.
• Fixed issue with pagination on the vulnerabilities page.
• Fixed the crawler issue that the page becomes unresponsive when it contains many elements.

v15.2.221208162 – 13 Dec 2022

New security checks

• Updated the WordPress plugin vulnerabilities.
• Added the AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758).
• Improved the out-of-band detection.

Improvements

• Added ability to send HTTP requests to pre-request scripts.
• Various DeepScan improvements, generally improving the processing of JavaScript-rich web applications.
• Updated the embedded Chromium browser to v108.0.5359.71.
• Implemented the scan id to limit the caching, such as file list and libraries, to a scan.
• Improved the performance of alert transmission for AcuSensor.

Fixes

• Fixed the MongoDB injection and removed JSON parsing from the feature extraction library to avoid scan crashes.
• Fixed the issue that sent bogus report because of inconsistent last scan id.
• Improved the Pre-request script to send an HTTP job.
• Fixed the formatting issue for vulnerabilities exported to GitHub Issues.
• Fixed the unhandled exception that the IAST Bridge throws.
• Fixed the business logic recorder issue that failed to replay the logic sequence recorder.
• Fixed the issue that the custom scripts folder was not created during the installation.
• Fixed the issue that failed to show the Chinese on some headings when switched to Chinese.
• Fixed the manual intervention required information box that began to appear in the notification bar instead of being displayed as a dialog box.
• Added cURL as a backup if NSLookup is not present.
• Fixed the Jira integration that failed to create the epic issues.
• Fixed the issue that long scan names overlap with the AcuSensor icon.
• Fixed the issue that the authorization bearer was not used throughout the scan.

v15.1.221109177 – 10 Nov 2022

New features

• New navigation menu for a better user experience.
• Notification updates are shown for the last 30 days

New vulnerability checks

• New check for Swagger UI DOM XSS vulnerability.
• New test for Fortinet Authentication bypass on the administrative interface (CVE-2022-40684).
• New test for Insecure usage of Version 1 UUID/GUID.
• New test for Text4shell: Apache Commons Text RCE via insecure interpolation (CVE-2022-42889).
• New test for OpenSSL X.509 Email Address Buffer Overflows (CVE-2022-3786).
• Updated test for Open Monitoring Interfaces.
• Updated the software composition analysis database.
• Updated the WordPress plugin vulnerabilities.

Updates

• Updated the embedded Chromium browser to v107.0.5304.87/88.
• Updated how scans reaching max scan time are displayed in UI.
• Updated Issue Tracker UI to accept internal URLs.
• Improved Log4J checks to reduce false positives.

Fixes

• Fixed the issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
• Added loopback routes that returned ‘undefined’ as an HTTP method.
• Added the keep connection alive message between AcuSensor and the web application scanner to keep the connection alive.

v15.0.221007170 – 13 Oct 2022

Note: There will be no new updates of the MacOS on premise installations. MacOS users can switch to Acunetix Premium Online, or use Acunetix On Premise in a virtual environment or on Docker.

New Features

• Acunetix can now be installed on Redhat Enterprise Linux (RHEL) 9

New Vulnerability checks

• Added check for Permissions-Policy header
• Added check for unrestricted access to Karma monitoring interface
• Added check for Go web application binary disclosure

Updates

• SCA: Improved the detection of components used by JAVA web application
• Updated to Chromium v106.0.5249.61
• Updated PHP AcuSensor to better support web applications using the Slim Framework
• Improved support for HTTP calls from Axios
• Updated CWE Top 25 Most Dangerous Software Weaknesses to 2022 list of weaknesses
• Scan results and scan reports will include the Acunetix version used to conduct the scan
• Updated PHP sensor to report MongoDB injection
• Updated PHP sensor to report Server-side Template Injection (SSTI)
• Increased the detection of default GraphQL Introspection URLs
• Implemented heartbeat for connections between scanner and AcuSensor bridge
• Multiple DeepScan updates
• Improved the auditing of JavaScript Libraries

Fixes

• Fixed issue which might cause Blind SSRF in the Issue Tracker and Proxy configuration
• Fixed 3 authorization problems
• Fixed memory exhaustion bug in Heuristic Links Verifier
• Fixed: Malware was being reported when invalid / unknown malware was reported by Windows Defender
• Fixed some crashes in the scanner
• Updated Network scans to not abort if initial ICMP ping fails
• Fixed error when sending vulnerabilities to Jira Issue Tracker
• Fixed UI error when filtering vulnerabilities by time

v14.9.220913107 – 14 Sep 2022

Updates

• Updated to Chromium 105.0.5195.102

Fixes

• Fixed DeepScan issue

v14.9.220830118 – 30 Aug 2022

New Features

• Added support for the Zend Framework in the PHP IAST AcuSensor

New Vulnerability Checks

• New check for Oracle E-Business Suite iStore open user registration
• New check for InfluxDB Unauthorized Access Vulnerability
• New check for Bonita Authorization Bypass (CVE-2022-25237)
• New check for Oracle ADF Faces ‘Miracle’ RCE (CVE-2022-21445)

Updates

• Various DeepScan Improvements
• Updated to Chromium 104.0.5112.101 (Linux) / 104.0.5112.102 (Windows)
• Improved XSS in URI (folder/file)
• Improved handling of SourceMaps
• Updated exposed web installers check
• Updated exposed development files check
• Updated exposed monitoring systems check

Fixes

• Fixed issue in the PHP IAST AcuSensor when reporting SCA components
• Fixed scanner crash

v14.9.220713150 – 14 Jul 2022

New features

• JAVA IAST AcuSensor can now be used on WebSphere
• HTTP requests can be copied as Curl command from the vulnerability data

New vulnerability checks

• New check for DotCMS unrestricted file upload (CVE-2022-26352)
• New check for .NET JSON.NET Deserialization RCE
• New check for Unauthenticated RCE in Confluence Server and Data Center (CVE-2022-26134)
• New check for Authentication bypass via MongoDB operator injection
• New check for MongoDB $where operator JavaScript injection

Updates

• Multiple DeepScan updates improving crawling of Single Page Applications (SPAs)
• Upgraded Chromium to v103.0.5060.114
• Improved handling of installed.json by PHP IAST AcuSensor
• SCA, AcuMonitor (OOB vulnerability checks) and URL malware checks now require the “Acunetix Online Services” to be enabled in the user profile
• Updated the MongoDB Injection checks
• Various UI updates and fixes

Fixes

• Multiple fixes in the JAVA and .NET IAST AcuSensors
• Fixed false negative in “Possible virtual host found”
• Fixed bug causing CSRF tokens to be retrieved using HTTP
• Fixed false positive in “Apache HTTP Server Source Code Disclosure”

v14.8.220610146 – 13 Jun 2022

Fixes

• Fixed issue when using Acunetix on Amazon Linux 2

v14.8.220606174 – 08 Jun 2022

New Vulnerability checks

• Test for Unauthenticated remote code execution vulnerability in Confluence Server and Data Center (CVE-2022-26134)

v14.8.220519149 – 23 May 2022

New Features

• JAVA IAST sensor now supports JBoss, Jetty and Wildfly JAVA Severs
• Improved support for Servlet3 and Jersey JAVA Frameworks

New Vulnerability Checks

• New IAST checks for Expression Language Injection
• New IAST checks for Hibernate Query Injection
• New test for Apache OFBiz Log4Shell RCE (CVE-2021-44228)
• New WordPress plugin checks
• New / updated JavaScript Audit checks

Updates

• Various UI improvements
• Improved detection of Directory Traversal vulnerabilities
• Improved detection of Directory Listing vulnerabilities
• Improved detection of development files
• Several improvements to LSR / DeepScan

Fixes

• Fixed issue causing some vulnerabilities detected by AcuSensor not to show as AcuSensor verified
• Fixed issue causing routes to not be listed by JAVA IAST sensor
• Fixed 2 issues in Target CSV import
• Fixed issue causing SCA not to be done on JAVA Spring boot web applications
• Fixed issue causing some checks not to be executed on cookies with Secure flag

v14.7.220425114 – 26 Apr 2022

Updates

• Upgraded Chromium to v100.0.4896.127

v14.7.220401065 – 01 Apr 2022

New Vulnerability checks

• Test for Spring4Shell vulnerability (CVE-2022-22965)

v14.7.220329162 – 30 Mar 2022

Updates

• Upgraded Chromium to v99.0.4844.84

v14.7.220322147 – 28 Mar 2022

New Vulnerability checks

• Test for host CMS Theme Preview XSS (CVE-2021-29484)

Updates

• Engines page in UI now shows the number of Targets bound to a scanning engine
• Vulnerabilities page in UI shows the Target Tracker Issue Id when the vulnerability is sent to an Issue Tracker
• Upgraded Chromium to v99.0.4844.0
• JWT audit checks are now done on GET / POST parameters

Fixes

• Fixed several Scanner crashes
• Numerous UI updates / fixes
• Fixed error when configuring GitHub Issue Trackers
• Numerous fixes related to CSRF token management
• Better handling of imported URLs that are excluded in LSR
• fixed issue causing pre-request scripts to be renamed, causing import scripts not to fail to be loaded

v14.7.220228146 – 01 Mar 2022

New Features

• .NET IAST Sensor (AcuSensor) can now be installed on .NET Core v3 and v5 on Windows (with Kestrel server)
• Acunetix Scanner updated to support Routes for frameworks supported by the IAST sensors (AcuSensor)
• Added support for Laravel framework in PHP IAST Sensor (AcuSensor)
• Added support for CodeIgnitor framework in PHP IAST Sensor (AcuSensor)
• Added support for Symphony framework in PHP IAST Sensor (AcuSensor)
• Added support for ASP.NET MVC in .NET Core IAST Sensor (AcuSensor)
• Added support for Razor Pages in .NET Core in .NET IAST Sensor (AcuSensor)
• Added support for Web API in .NET Framework and .NET Core IAST Sensors (AcuSensor)
• Added support for Spring MVC in JAVA IAST Sensor (AcuSensor)
• Added support for Spring Struts2 in JAVA IAST Sensor (AcuSensor)

New Vulnerability Checks

• Acunetix has been updated to detect the following vulnerabilities using IAST:
  • LDAP Injection
  • Unsafe Reflection of Untrusted Data
  • XPath Injection
  • Email Header Injection
  • Deserialization of Untrusted Data
  • MongoDB Injection
  • Server-side template injection (SSTI)
  • Server-side request forgery (SSRF)
  • Acunetix IAST (AcuSensor) has been updated to detect over 30 new server-side misconfigurations across all sensors
• New check for Magento Config File Disclosure
• New check for BillQuick Web Suite SQL injection (CVE-2021-42258)
• New check for Apache Airflow Experimental API Auth Bypass (CVE-2020-13927)
• New check for Apache Airflow default credentials
• New check for Apache Airflow Exposed configuration
• New check for Apache Airflow Unauthorized Access Vulnerability
• New check for GoCD information disclosure (CVE-2021-43287)
• New check for Grafana Plugin Dir Traversal (CVE-2021-43798)
• New check for NodeBB Arbitrary JSON File Read (CVE-2021-43788)
• New check for ManageEngine Desktop Central Deserialization RCE (CVE-2020–10189)
• New check for SolarWinds Orion API Auth bypass (CVE-2020-10148)
• New check for Citrix ADC NetScaler Local File Inclusion (CVE-2020-8193)
• New check for VMware vCenter vcavbootstrap Arbitrary File Read
• New check for Pentaho API Auth bypass (CVE-2021-31602)
• New check for Sonicwall SMA 100 Unintended proxy (CVE-2021-20042)
• New check for VMware vCenter Log4Shell RCE
• New check for VMware Horizon Log4Shell RCE
• New check for MobileIron Log4Shell RCE
• New check for Ubiquiti Unifi Log4Shell RCE
• New check for Apache OFBiz Log4Shell RCE
• New check for Apache Struts2 Log4Shell RCE
• New check for Apache Solr Log4Shell RCE
• New check for Apache JSPWiki Log4Shell RCE
• New WordPress Core and WordPress plugins checks

Updates

• IAST Sensors (AcuSensor) capabilities have been updated to improve the detection of:
  • Arbitrary File Creation
  • Directory Traversal
  • SQL Injection
  • Remote Code Execution
• Acunetix will start reporting when an old version of the IAST Sensor (AcuSensor) is installed on the web application
• Considerable update to the handling of CSRF tokens
• The Vulnerabilities page now includes a unique Vulnerability ID
• Multiple UI updates
• Multiple DeepScan updates

Fixes

• Fixed issue with Gitlab issue types not showing in UI
• Fixed issue with Amazon AWS WAF export
• Fixed several scanner crashes
• Fixed issue with .NET IAST AcuSensor not working on IIS prior to version 10
• Fixed issue with Node.js IAST AcuSensor causing web application to stop working
• Fixed ordering issue caused in PDF Comprehensive reports for multiple scans
• Fixed timeout issue causing IAST data not to reach the Acunetix scanner