Confirming Log4j selected in existing template!?

We had some specific ‘log4j’ only template/scans running along with our regularly schdeules scans.

Two questions hoping someone can help with…

  1. Wanting to confirm that a current template I am using already includes log4j checks but find understanding the displayed/not displayed selections extremely un-user friendly - we have this template edited for only by check types of ‘Microsoft hotfix’ ‘rpm’ and ‘patch’ - would log4j fall under these choices how do I confirm this?


  1. We have a separate Log4j only template that was previous configured, Do we need to be updating and adding to the log4j specific scan? (ie going to templates, vulnerabilities and searching for more ‘log4j’ to add)?
1 Like

I believe these three check types would include some of the log4j checks we’ve added, but not all of them, since some of them may fall under Local or Safe, for instance. If you want to add all of the possible log4j checks, you can:

  1. Click Add Check Types
  2. Search for CVE-2021-44228
  3. When the results appear, click Select All, and then Save

That’s correct. If you’ve got a template you’ve been adding log4j specific checks to (kinda like I did in the steps above), then you would have to search and add additional log4j checks as we release them.

I hope that helps!

thanks Holly thank you I am glad to have the confirmation

1 Like

Just wanted to double check is it sufficient to only search/add for CVE-2021-44228? I believe there were another 2 or so related CVEs?

You can actually follow the same steps for CVE-2021-45046 and CVE-2021-45105, if you’d like to have coverage for those added to the same template.

One more thing I just learned - we added a new vulnerability category called Apache Log4j, released January 12. With this, rather than having to manually search CVE’s and add new checks to the template every time they’re released, you should be able to just select Apache Log4j as a vuln category for your template, and then it’ll automatically include new checks as they’re added.

THank you Holly! sounds great about the new category and much easier that way.

Just want to check if this is right.

if I have selected via the category then I can deselect all the individual checks?


Correct, I believe you should be able to deselect them, and the checks that fall under the Apache Log4j category will be performed. You just don’t want to add them to the “disabled” list, or anything similar that might conflict.

Jennifer you will need to search for each of the Log4j CVEs under the individual checks and add them to your scan template. The Apache Log4j vulnerability category does not contain all Log4j CVEs released. It only contains the Log4j checks released by Rapid7.

Log4j CVEs -


Apache Log4j vulnerabilities categories’

Yikes well that is no fun!!! Thanks Christopher for the update glad I didnt hit send on the email I was drafting to my team before I checked back here.

1 Like