A third of Java projects that depend on the Log4j library still use vulnerable versions

Veracode has published the results of a study of the major vulnerabilities in the Log4j Java library that were disclosed last year and the year before. After examining 38278 applications used by 3866 organizations, Veracode researchers found that 38% of them use vulnerable versions of Log4j. The main reasons for continuing to run legacy code are old libraries bundled into projects and the difficulty of migrating from unsupported branches to newer branches that are not backward compatible (according to an earlier Veracode report, 79% of third-party libraries are never updated after being added to a project).

Applications that use vulnerable versions of Log4j fall into three groups:

  • 2.8% of applications still use Log4j versions from 2.0-beta9 through 2.15.0, which are affected by the Log4Shell vulnerability (CVE-2021-44228).
  • 3.8% of applications use Log4j2 release 2.17.0, which fixes Log4Shell but leaves the CVE-2021-44832 (RCE) vulnerability unpatched.
  • 32% of applications use the Log4j2 1.2.x branch, whose support ended in 2015. This branch is affected by the critical vulnerabilities CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302, which were disclosed in 2022, 7 years after maintenance ended.
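As an added example (not code from the report or from Veracode), the following script sorts Log4j versions found in a project's jar names into the three groups listed above; the group labels, the regular expressions and the sample classpath are my own constructions, and a version outside the three groups is flagged rather than assumed safe.

```python
import re
from collections import Counter

# The three groups named in the Veracode summary above (labels are mine).
GROUP_LOG4SHELL = "2.0-beta9 to 2.15.0: CVE-2021-44228 (Log4Shell)"
GROUP_2_17_0 = "2.17.0: CVE-2021-44832 (RCE) still unpatched"
GROUP_1_2_X = "1.2.x: unsupported since 2015 (CVE-2022-23307/-23305/-23302)"
GROUP_OTHER = "not in a group named in the report"

_STAGE = {"alpha": 0, "beta": 1, "rc": 2}          # pre-release sorts before final (3)
_VERSION_RE = r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?"

def parse_version(text):
    """'2.15.0' or '2.0-beta9' -> tuple that compares in release order."""
    m = re.fullmatch(_VERSION_RE, text)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    return (major, minor, patch, _STAGE[m[4]], int(m[5])) if m[4] else (major, minor, patch, 3, 0)

def classify(version):
    """Map one Log4j version string to the report's group it falls in."""
    v = parse_version(version)
    if v[:2] == (1, 2):                       # the 1.2.x branch, checked first
        return GROUP_1_2_X
    if parse_version("2.0-beta9") <= v <= parse_version("2.15.0"):
        return GROUP_LOG4SHELL
    if v == parse_version("2.17.0"):
        return GROUP_2_17_0
    return GROUP_OTHER                        # outside the three groups; not proof of safety

def version_from_jar_name(path):
    """Version from a log4j artifact name (lib/log4j-core-2.14.1.jar); None otherwise."""
    m = re.search(r"(?:^|/)log4j(?:-[a-z0-9.-]*?)?-(" + _VERSION_RE + r")\.jar$", path)
    return m[1] if m else None

def tally(jar_paths):
    """Count jars per group, the breakdown the report gives as percentages."""
    counts = Counter()
    for path in jar_paths:
        version = version_from_jar_name(path)
        if version is not None:
            counts[classify(version)] += 1
    return counts

# Constructed classpath listing; not data from the Veracode study.
SAMPLE_JARS = ["lib/log4j-core-2.14.1.jar", "lib/log4j-core-2.0-beta9.jar",
               "lib/log4j-core-2.17.0.jar", "lib/log4j-1.2.17.jar",
               "lib/log4j-core-2.17.1.jar", "lib/commons-logging-1.2.jar"]
```

Running `tally(SAMPLE_JARS)` on the constructed list yields two jars in the Log4Shell group, one on 2.17.0, one on the 1.2.x branch and one outside the listed groups; the version string is taken only from the artifact name, so shaded or repackaged copies need a separate check.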

Source: opennet.ru
