Two years on, Log4Shell is still a problem, as many projects remain at risk


Log4Shell will be one of the vulnerabilities still showing up in data breaches for the next ten years

The last month of 2023 marked the second anniversary of the discovery of the Log4j/Log4Shell vulnerability, a flaw that continues to affect many projects today and still poses a security risk.

And Log4j remains a target of cyberattacks, according to Cloudflare's "Year in Review" report and also according to the results of an analysis of the critical vulnerability in the Log4j Java library published by security researchers.

Veracode researchers state that after studying 38,278 applications used by 3,866 organizations, they found that two out of five applications still use vulnerable versions of the Apache Log4j library, two years after the critical vulnerability was publicly disclosed.

The report notes that the third of applications running Log4j2 1.2.x (which reached end of life in August 2015 and no longer receives security patches) represents 38%. The main reason for the continued use of legacy code is the bundling of old libraries into projects, or the difficulty of migrating from unsupported branches to newer branches that are not backward compatible. In addition, 2.8% of applications still use versions that are vulnerable to Log4Shell.

Furthermore, there are said to be three main groups of applications still using vulnerable versions of Log4j, according to the Veracode report:

  1. Log4Shell vulnerability (CVE-2021-44228):
    2.8% of applications continue to use Log4j versions from 2.0-beta9 through 2.15.0, which carry the known vulnerability.
  2. Remote Code Execution (RCE) issue (CVE-2021-44832):
    3.8% of applications use Log4j2 version 2.17.0, which fixes the Log4Shell vulnerability but does not fix the remote code execution (RCE) flaw tracked as CVE-2021-44832.
  3. Log4j2 1.2.x branch (support ended in 2015):
    32% of applications still use the Log4j2 1.2.x branch, whose support ended in 2015. This branch is affected by critical vulnerabilities such as CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302, identified in 2022, seven years after support ended.
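To make the three groups above actionable, the following Python script (an added example, not Veracode's tooling or the article's own code) classifies Log4j version strings into the report's categories and runs that classification over a jar inventory. It handles the pre-release versions the report's ranges rely on (2.0-beta9 sorts before 2.0, 3.0.0-alpha1 before 3.0.0), and the inventory of jar paths is constructed for the example. Versions the article does not flag (such as 2.16.0 or 2.17.1) are reported as outside the three groups; the script encodes only what the report states, not a full Log4j advisory list.

```python
"""Classify Log4j versions into the three risk groups of the Veracode breakdown.

Added example, not Veracode's or the article's code. The jar inventory at the
bottom is constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = (99, 0)  # a final release sorts after any of its pre-releases

VersionKey = Tuple[Tuple[int, ...], Tuple[int, int]]


def parse_version(text: str) -> VersionKey:
    """Turn '2.0-beta9', '2.15.0' or '3.0.0-alpha1' into a sortable key."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:-(alpha|beta|rc)(\d*))?", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    nums = tuple(parts + [0] * (3 - len(parts)))  # '2.0' -> (2, 0, 0)
    if m.group(2):
        pre = (_PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = _FINAL_RANK
    return nums, pre


# Category labels mirror the three groups quoted from the report.
LOG4SHELL = "Log4Shell (CVE-2021-44228)"
RCE_2170 = "2.17.0 with unpatched RCE (CVE-2021-44832)"
EOL_12X = "1.2.x branch, end of life 2015 (CVE-2022-23307/23305/23302)"
UNFLAGGED = "not in the report's three groups"

_LOG4SHELL_RANGE = (parse_version("2.0-beta9"), parse_version("2.15.0"))
_RCE_VERSION = parse_version("2.17.0")


def classify(version: str) -> str:
    """Map one Log4j version string to a report category."""
    key = parse_version(version)
    nums, _ = key
    if nums[:2] == (1, 2):
        return EOL_12X
    if _LOG4SHELL_RANGE[0] <= key <= _LOG4SHELL_RANGE[1]:
        return LOG4SHELL
    if key == _RCE_VERSION:
        return RCE_2170
    return UNFLAGGED


# Matches log4j-<ver>.jar (1.x) and log4j-core-<ver>.jar (2.x). The 2.x
# bridge log4j-1.2-api-<ver>.jar and log4j-api-<ver>.jar deliberately do not
# match: neither is the logging core the report's version groups refer to.
_JAR_RE = re.compile(
    r"log4j(?:-core)?-(\d+(?:\.\d+){0,2}(?:-(?:alpha|beta|rc)\d*)?)\.jar$", re.I
)


def scan_inventory(jar_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group jar paths by report category; non-Log4j jars are skipped."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for path in jar_paths:
        m = _JAR_RE.search(path)
        if m:
            findings[classify(m.group(1))].append(path)
    return dict(findings)


# Constructed inventory, as a dependency scanner might list it.
SAMPLE_JARS = [
    "app1/lib/log4j-core-2.14.1.jar",
    "app2/WEB-INF/lib/log4j-1.2.17.jar",
    "app3/lib/log4j-core-2.17.0.jar",
    "app4/lib/log4j-core-2.17.1.jar",
    "app5/lib/log4j-core-2.0-beta9.jar",
    "app6/lib/log4j-core-3.0.0-alpha1.jar",
    "app7/lib/commons-logging-1.2.jar",
    "app8/lib/log4j-1.2-api-2.17.1.jar",
]

if __name__ == "__main__":
    for category, paths in scan_inventory(SAMPLE_JARS).items():
        print(f"{category}: {len(paths)}")
        for p in paths:
            print(f"  {p}")
```

The ordering key is what matters here: a naive string or float comparison would place 2.0-beta9 after 2.0 and misclassify the bottom of the Log4Shell range, and would also trip over the 3.0.0 alpha builds the report saw in the wild.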

This data illustrates the variety of situations in which applications keep using old and vulnerable versions of Log4j, which raises serious concern among researchers.

And the worrying fact is that 3.8% of applications use Log4j2 2.17.0, which is patched against Log4Shell but still carries CVE-2021-44832, another high-severity remote code execution vulnerability.

The report shows that, despite efforts in recent years to improve security practices in software development and in the use of open source, there is still work to do.

Chris Eng, director at Veracode, stresses that:

Developers have an important role to play, and there is room for improvement when it comes to the security of open source software.

Although many developers initially responded appropriately to the Log4j issue by installing version 2.17.0, the report shows that some have fallen back into their previous habits by not applying patches beyond the release of 2.17.1.

The Apache Software Foundation (ASF) has been diligent in notifying affected projects of the urgency to patch, but the report's findings show that there are still applications that have not applied the necessary fixes.

The Veracode report was based on data from software scans of more than 38,000 applications over 90 days, between August 15 and November 15. The applications were using Log4j versions from 1.1 through 3.0.0 alpha 1, across 3,866 different organizations.

Our research also found that once developers are alerted to a vulnerable library through a scan, they fix it quickly: 50 percent of vulnerabilities are fixed within 89 days, within 65 days for critical vulnerabilities and within 117 days for medium-severity vulnerabilities.

These results are consistent with earlier warnings, such as the 2022 Federal Cybersecurity Review Board report, which indicated that the Log4j problem would take years to resolve fully.

Finally, if you are interested in learning more about it, I invite you to visit the original article on the Veracode blog. The link is this one.
