A third of Java projects built on the Log4j library still use vulnerable versions

Veracode has published the results of a study into how widespread the critical vulnerabilities in the Log4j Java library, disclosed last year and the year before, still are. After examining 38,278 applications used by 3,866 organisations, Veracode's researchers found that 38% of them use vulnerable versions of Log4j. The main reason legacy code stays in use is that old libraries are bundled into projects, or that migrating from unsupported branches to newer, backward-incompatible branches is too much work (according to an earlier Veracode report, 79% of third-party libraries are never updated once they have been added to a project).

Applications using vulnerable Log4j versions fall into three main categories:

  • 2.8% of applications still use Log4j versions from 2.0-beta9 through 2.15.0, which contain the Log4Shell vulnerability (CVE-2021-44228).
  • 3.8% of applications use the Log4j2 2.17.0 release, which fixes Log4Shell but leaves the remote code execution (RCE) vulnerability CVE-2021-44832 unpatched.
  • 32% of applications use the Log4j 1.2.x branch, whose support ended in 2015. This branch is affected by the critical vulnerabilities CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302, identified in 2022, seven years after maintenance stopped.
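A small inventory check that maps the versions found in a Maven dependency tree onto the three categories above. This is an added example, not code from Veracode or the article; the version-comparison logic, the Maven coordinate format (`group:artifact:packaging:version:scope`, as printed by `mvn dependency:tree`), the choice of `log4j-core` and `log4j:log4j` as the artifacts to look at, and the sample tree are all assumptions of this example.

```python
import re

# Pre-release qualifiers sort before the final release of the same number
# (2.0-beta9 < 2.0-rc1 < 2.0), which is how the affected range is stated.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?", re.I)

def parse_version(text):
    """Turn '2.0-beta9' / '2.17.0' / '1.2.17' into a comparable tuple."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = _QUALIFIER_RANK[qual.lower()] if qual else 3  # 3 = final release
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))

LOG4SHELL_FIRST, LOG4SHELL_LAST = parse_version("2.0-beta9"), parse_version("2.15.0")

def classify(version):
    """Map a Log4j version onto the three categories in the Veracode findings."""
    v = parse_version(version)
    if v[0] == 1:
        return "1.x EOL since 2015 (CVE-2022-23302/-23305/-23307)"
    if LOG4SHELL_FIRST <= v <= LOG4SHELL_LAST:
        return "Log4Shell (CVE-2021-44228)"
    if v == parse_version("2.17.0"):
        return "CVE-2021-44832 RCE unfixed"
    return "outside the report's three categories"

# Coordinates as printed by `mvn dependency:tree`: group:artifact:packaging:version:scope
_COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w.\-]+:([\w.\-]+):\w+")
# Assumption: these are the artifacts the categories apply to (log4j-core for 2.x, log4j:log4j for 1.2.x)
LOG4J_ARTIFACTS = {("org.apache.logging.log4j", "log4j-core"), ("log4j", "log4j")}

def scan_dependency_tree(lines):
    """Return {coordinate: category} for each Log4j artifact found in the tree output."""
    found = {}
    for line in lines:
        m = _COORD.search(line)
        if m and (m[1], m[2]) in LOG4J_ARTIFACTS:
            found[f"{m[1]}:{m[2]}:{m[3]}"] = classify(m[3])
    return found

# Constructed sample tree: a Log4Shell-era 2.x core plus a legacy 1.2.x jar
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- log4j:log4j:jar:1.2.17:compile
""".splitlines()
```

Run `scan_dependency_tree` over the captured output of `mvn dependency:tree` for each application to get the per-application breakdown; versions outside the three listed ranges (2.16.0, 2.17.1 and later) are reported as such rather than assumed clean.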

Source: opennet.ru
