A third of Java projects based on the Log4j library continue to use vulnerable versions

Veracode has published the results of a study on how relevant the critical vulnerabilities in the Log4j Java library, identified last year and the year before, still are. After studying 38278 applications used by 3866 organizations, Veracode researchers found that 38% of them use vulnerable versions of Log4j. The main reason given for the continued use of legacy code is the integration of old libraries into projects, or the effort of migrating from unsupported branches to new branches where backward compatibility is a concern (code that was never updated).

There are three categories of applications that use vulnerable versions of Log4j:

  • 2.8% of applications continue to use Log4j versions from 2.0-beta9 to 2.15.0, which contain the Log4Shell vulnerability (CVE-2021-44228).
  • 3.8% of applications use Log4j2 2.17.0, which fixes the Log4Shell vulnerability but leaves the remote code execution (RCE) vulnerability CVE-2021-44832 unfixed.
  • 32% of applications use the Log4j2 1.2.x branch, support for which ended in 2015. This branch is affected by the critical vulnerabilities CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302, identified in 2022, 7 years after the end of maintenance.
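The three categories above can be applied to a jar inventory, as in this added example (not code from Veracode or the original article). The file paths are constructed, the function names are illustrative, and versions outside the three listed ranges are reported as not listed rather than judged safe.

```python
import re

# Matches names such as log4j-1.2.17.jar and log4j-core-2.14.1.jar.
JAR_RE = re.compile(
    r"log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?\.jar$",
    re.IGNORECASE,
)
STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # a final release sorts last

def version_key(jar_name):
    """Return a sortable version tuple for a Log4j jar name, or None."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(num or 0))

LOG4SHELL_FIRST = (2, 0, 0, STAGE["beta"], 9)  # 2.0-beta9
LOG4SHELL_LAST = (2, 15, 0, STAGE[None], 0)    # 2.15.0

def classify(jar_name):
    """Map a jar name to one of the article's three categories."""
    key = version_key(jar_name)
    if key is None:
        return "not a log4j or log4j-core jar"
    if key[:2] == (1, 2):
        return "1.2.x: CVE-2022-23307, CVE-2022-23305, CVE-2022-23302"
    if LOG4SHELL_FIRST <= key <= LOG4SHELL_LAST:
        return "2.0-beta9..2.15.0: CVE-2021-44228"
    if key == (2, 17, 0, STAGE[None], 0):
        return "2.17.0: CVE-2021-44832"
    return "not in a category listed in the article"

# Constructed sample inventory, e.g. gathered by listing WEB-INF/lib directories.
SAMPLE = [
    "app/WEB-INF/lib/log4j-1.2.17.jar",
    "svc/lib/log4j-core-2.0-beta8.jar",
    "svc/lib/log4j-core-2.0-beta9.jar",
    "svc/lib/log4j-core-2.14.1.jar",
    "svc/lib/log4j-core-2.17.0.jar",
    "svc/lib/log4j-core-2.17.1.jar",
    "svc/lib/slf4j-api-1.7.36.jar",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(f"{path}: {classify(path)}")
```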

Source: opennet.ru
