The last month of 2023 marks the second anniversary of the disclosure of the Log4j/Log4Shell vulnerability, a flaw that still affects many projects today and remains a security risk.
Log4j continues to be one of the top targets of internet attacks, according to Cloudflare's annual "Year in Review" report and to the findings of a study on the state of critical vulnerabilities in the Log4j Java library published by security researchers at Veracode.
Veracode researchers noted that after analysing 38,278 applications used by 3,866 organisations, they found that two out of five applications still use vulnerable versions of the Apache Log4j library, two years after the critical vulnerability was disclosed.
The report highlighted that roughly one third of applications run Log4j2 1.2.x (which reached end of life in August 2015 and no longer receives any patches), which amounts to 38%. The main reasons legacy code stays in use are old libraries bundled into projects and the effort required to migrate from unsupported branches to newer ones that may not be backward compatible. In addition, 2.8% of applications still use versions vulnerable to the well-known Log4Shell flaw.
Furthermore, according to the Veracode report, applications still using vulnerable versions of Log4j fall into three main categories:
- Log4Shell vulnerability (CVE-2021-44228): 2.8% of applications continue to use Log4j versions from 2.0-beta9 to 2.15.0, which contain the well-known vulnerability.
- Remote Code Execution (RCE) vulnerability (CVE-2021-44832): 3.8% of applications use Log4j2 version 2.17.0, which fixes Log4Shell but does not fix the remote code execution (RCE) vulnerability identified as CVE-2021-44832.
- Log4j2 1.2.x branch (support ended in 2015): 32% of applications still use the Log4j2 1.2.x branch, whose support ended in 2015. This branch is affected by critical vulnerabilities such as CVE-2022-23307, CVE-2022-23305 and CVE-2022-23302, identified in 2022, seven years after maintenance ended.
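As an added example (not code from the article or from Veracode), the following Python script shows how a defender could reproduce the report's three categories over their own application inventory: it reads the version a Log4j jar records in its Maven pom.properties (the `org.apache.logging.log4j/log4j-core` and `log4j/log4j` metadata paths are the standard Maven layout real Log4j jars ship), orders versions correctly so that pre-releases such as 2.0-beta9 sort below the final 2.0, and buckets each jar into the Log4Shell range, the 2.17.0 case, or the end-of-life 1.2.x branch. The category boundaries follow the report as quoted above; the jars are constructed in memory for the demo and contain only metadata, and the category names are this example's own.

```python
"""Classify Log4j versions found in an application inventory into the three
risk categories the Veracode report describes. The jars built here are
constructed stand-ins containing only Maven metadata."""
import io
import re
import zipfile
from collections import Counter

PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3  # a final release sorts above any pre-release of the same number

_VER_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-. ]?(alpha|beta|rc)[-. ]?(\d+)?)?$", re.I)


def parse_version(text):
    """Turn '2.0-beta9', '2.17.0', '1.1' or '3.0.0 alpha 1' into a sortable tuple."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    rank = PRE_RANK[tag.lower()] if tag else FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))


# Boundaries exactly as the report states them.
LOG4SHELL_LOW = parse_version("2.0-beta9")
LOG4SHELL_HIGH = parse_version("2.15.0")
CVE_2021_44832_VERSION = parse_version("2.17.0")
FIRST_UNFLAGGED = parse_version("2.17.1")


def classify(version_text):
    """Map one version string to a report category (labels are this example's own)."""
    v = parse_version(version_text)
    if v[:2] == (1, 2):
        return "log4j-1.2.x-eol"                 # branch unsupported since 2015
    if LOG4SHELL_LOW <= v <= LOG4SHELL_HIGH:
        return "log4shell-cve-2021-44228"
    if v == CVE_2021_44832_VERSION:
        return "cve-2021-44832"                  # Log4Shell fixed, RCE flaw not
    if v >= FIRST_UNFLAGGED:
        return "not-flagged-by-report"
    return "outside-report-categories"          # e.g. 1.1 or 2.16.0


# Standard Maven metadata paths: Log4j 1.x is published as log4j:log4j,
# Log4j 2 as org.apache.logging.log4j:log4j-core.
POM_PATHS = (
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
    "META-INF/maven/log4j/log4j/pom.properties",
)


def log4j_version_from_jar(jar_bytes):
    """Return the version recorded in the jar's pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        for path in POM_PATHS:
            if path in names:
                for line in zf.read(path).decode().splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        return value.strip()
    return None


def build_demo_jar(group_id, artifact_id, version):
    """Constructed jar for the demo: only the Maven metadata file is present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                    f"groupId={group_id}\nartifactId={artifact_id}\nversion={version}\n")
    return buf.getvalue()


def inventory_report(jars):
    """Count jars per category and return {category: (count, percent of inventory)}."""
    counts = Counter()
    for jar in jars:
        version = log4j_version_from_jar(jar)
        counts[classify(version) if version else "no-log4j-metadata"] += 1
    total = sum(counts.values())
    return {cat: (n, round(100.0 * n / total, 1)) for cat, n in counts.items()}


if __name__ == "__main__":
    demo = [build_demo_jar("log4j", "log4j", "1.2.17"),
            build_demo_jar("org.apache.logging.log4j", "log4j-core", "2.14.1"),
            build_demo_jar("org.apache.logging.log4j", "log4j-core", "2.17.0"),
            build_demo_jar("org.apache.logging.log4j", "log4j-core", "2.17.1"),
            build_demo_jar("org.apache.logging.log4j", "log4j-core", "2.0-beta9")]
    for cat, (n, pct) in sorted(inventory_report(demo).items()):
        print(f"{cat:28s} {n:3d}  {pct:5.1f}%")
```

In a real inventory you would feed `inventory_report` the bytes of every jar found on disk or in container images (including jars nested inside WAR or fat-JAR archives, which this example does not descend into), and treat the "no-log4j-metadata" bucket as a prompt for a deeper check rather than as a clean result, since shaded or repackaged builds can drop the pom.properties file.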
This data shows the range of situations in which applications keep using outdated and vulnerable versions of Log4j, which is a major concern for the researchers.
Another worrying finding is that 3.8% of applications use Log4j2 2.17.0, which is patched against Log4Shell but still contains CVE-2021-44832, a serious remote code execution vulnerability.
The report stressed that, despite the efforts made in recent years to improve security practices in software development and in the use of open source, work remains to be done.
Chris Eng, head of research at Veracode, pointed out that:
Developers have an important responsibility, and there is room for improvement when it comes to the security of open source software.
Although many developers initially responded appropriately to the Log4j problem by installing version 2.17.0, the report suggests that some have fallen back into old habits by not applying patches beyond release 2.17.1.
The Apache Software Foundation (ASF) has actively notified downstream projects of the urgency of updating, but the report's findings show that there are still applications that have not applied the required fix.
The Veracode report is based on data from software scans of more than 38,000 apps over a 90-day period between August 15 and November 15. The applications ran Log4j versions from 1.1 to 3.0.0 alpha 1 across 3,866 different organisations.
Our research also found that when developers become aware of a vulnerable library through scanning, they fix it quickly: 50 percent of vulnerabilities are fixed within 89 days overall, 65 days for high-severity vulnerabilities and 107 days for medium-severity vulnerabilities.
These findings are in line with earlier warnings, such as the 2022 report of the federal Cyber Safety Review Board, which stated that the Log4j problem would take years to resolve fully.
Finally, if you are interested in learning more, I invite you to read the original article on the Veracode blog. The link is here.