A third of Java projects that depend on the Log4j library still use vulnerable versions

Veracode has published the results of a study into how widespread the critical vulnerabilities in the Log4j Java logging library, disclosed in 2021 and 2022, still are. After examining 38,278 applications in use at 3,866 organizations, Veracode researchers found that 38% of them use vulnerable versions of Log4j. The main reasons for the continued use of legacy code are old libraries bundled into projects and the difficulty of migrating from unsupported branches to newer, backward-incompatible ones (according to an earlier Veracode report, 79% of third-party libraries are never updated once they have been added to a project).

Applications running vulnerable Log4j versions fall into three main categories:

  • 2.8% of applications still use Log4j versions from 2.0-beta9 through 2.15.0, the range containing the Log4Shell vulnerability (CVE-2021-44228). Note that 2.15.0 was the first release that attempted to fix Log4Shell, but its fix was incomplete (CVE-2021-45046).
  • 3.8% of applications use Log4j 2.17.0, which fixes Log4Shell but leaves the remote code execution (RCE) vulnerability CVE-2021-44832 in the JDBC Appender unpatched (fixed in 2.17.1).
  • 32% of applications use the Log4j 1.2.x branch, whose support ended in 2015. This branch is affected by the critical vulnerabilities CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302, identified in 2022, seven years after the branch stopped receiving fixes.
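The three buckets above can be checked mechanically against a project's dependency tree. The following Python script is an added example (not Veracode's tooling and not code from the article): it parses the text of `mvn dependency:tree` (a constructed sample is embedded) and classifies every Log4j artifact it finds into the report's buckets. Its assumptions: only `log4j-core` (not `log4j-api`) carries the vulnerable lookup and appender code; the Java 6/7 backport releases 2.3.1, 2.3.2 and 2.12.2 to 2.12.4 are exempted from the Log4Shell range and reported separately; and 2.16.0, which the report's buckets do not mention, is grouped with 2.17.0 as lacking the CVE-2021-44832 fix.

```python
"""Triage a Java project's Log4j dependencies against the version buckets in the report.

Added example: reads the text of `mvn dependency:tree` (a constructed sample is
embedded below) and reports, per Log4j artifact, which bucket it falls into.
"""
import re
from typing import NamedTuple, Optional

# Matches dependency:tree lines such as
#   [INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
DEP_RE = re.compile(
    r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(compile|runtime|test|provided)")

# Pre-release qualifiers sort below a final release: 2.0-beta9 < 2.0-rc1 < 2.0
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3


def parse_version(v: str) -> tuple:
    """Map '2.0-beta9', '2.0-rc2', '2.14.1', '1.2.17' to a sortable tuple."""
    core, _, qualifier = v.partition("-")
    nums = [int(x) for x in core.split(".")]
    nums += [0] * (3 - len(nums))          # '2.0' -> 2.0.0
    if not qualifier:
        return (*nums[:3], FINAL_RANK, 0)
    m = re.fullmatch(r"([a-z]+)(\d*)", qualifier.lower())
    if not m or m.group(1) not in PRE_RANK:
        raise ValueError(f"unrecognised qualifier in {v!r}")
    return (*nums[:3], PRE_RANK[m.group(1)], int(m.group(2) or 0))


LOG4SHELL_RANGE = (parse_version("2.0-beta9"), parse_version("2.15.0"))
FIRST_FULL_FIX = parse_version("2.17.1")   # first 2.x release with CVE-2021-44832 fixed
# Java 6/7 backport releases sit numerically inside the Log4Shell range but carry
# the fixes; this example exempts them (an assumption of the example, not a bucket
# in the report) so they are triaged separately instead of reported as Log4Shell.
BACKPORT_FIX_RELEASES = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}


class Finding(NamedTuple):
    artifact: str
    version: str
    bucket: str
    cves: tuple


def classify(group: str, artifact: str, version: str) -> Optional[Finding]:
    """Return a Finding for a Log4j artifact, or None for unrelated dependencies."""
    name = f"{group}:{artifact}"
    if name == "log4j:log4j":
        # Log4j 1.2.x: unsupported since 2015, hit by the three 2022 CVEs
        return Finding(name, version, "log4j-1.2.x-eol",
                       ("CVE-2022-23307", "CVE-2022-23305", "CVE-2022-23302"))
    if name != "org.apache.logging.log4j:log4j-core":
        return None  # log4j-api and the bridges do not contain the lookup/appender code
    if version in BACKPORT_FIX_RELEASES:
        return Finding(name, version, "backport-fix-release", ())
    v = parse_version(version)
    if LOG4SHELL_RANGE[0] <= v <= LOG4SHELL_RANGE[1]:
        return Finding(name, version, "log4shell", ("CVE-2021-44228",))
    if v < FIRST_FULL_FIX:
        # 2.16.0 and 2.17.0: Log4Shell fixed, JDBC Appender RCE CVE-2021-44832 not yet
        return Finding(name, version, "pre-2.17.1", ("CVE-2021-44832",))
    return Finding(name, version, "ok", ())


def triage(dependency_tree: str) -> list:
    """Run classify() over every dependency line and collect the Log4j findings."""
    findings = []
    for m in DEP_RE.finditer(dependency_tree):
        group, artifact, version, _scope = m.groups()
        f = classify(group, artifact, version)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample of `mvn dependency:tree` output (not from a real project).
SAMPLE_TREE = """\
[INFO] com.example:inventory:jar:1.0.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:legacy-reports:jar:3.2.0:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- com.example:audit:jar:0.9.0:runtime
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:runtime
[INFO] \\- junit:junit:jar:4.13.2:test
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_TREE):
        print(f"{f.artifact}:{f.version}  {f.bucket}  {', '.join(f.cves) or '-'}")
```

Run it against `mvn dependency:tree` output saved to a file, or pipe the output in; transitive dependencies such as the `log4j:log4j:1.2.17` pulled in by a legacy module in the sample are exactly the case the report describes, since nobody chose that version directly. The bucket labels follow the report and are not an exhaustive list of CVEs per version; use the Apache Log4j security page for the full per-release status.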

Source: opennet.ru