{"id":227457,"date":"2022-06-28T09:02:24","date_gmt":"2022-06-28T11:02:24","guid":{"rendered":"https:\/\/teknomers.com\/fr\/openssl-publiera-un-correctif-de-securite-pour-la-vulnerabilite-de-corruption-de-memoire-a-distance\/"},"modified":"2022-06-28T09:02:25","modified_gmt":"2022-06-28T11:02:25","slug":"openssl-publiera-un-correctif-de-securite-pour-la-vulnerabilite-de-corruption-de-memoire-a-distance","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/openssl-publiera-un-correctif-de-securite-pour-la-vulnerabilite-de-corruption-de-memoire-a-distance\/","title":{"rendered":"OpenSSL to release a security patch for the remote memory corruption vulnerability"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both\"><\/div>\n<p>The latest version of the OpenSSL library has been found to be susceptible to a remote memory corruption vulnerability on some systems.<\/p>\n<p>The issue was identified in OpenSSL <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/openssl\/openssl\/releases\/tag\/openssl-3.0.4\" target=\"_blank\">version 3.0.4<\/a>, which was released on June 21, 2022, and affects x64 systems with the <a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/AVX-512\" target=\"_blank\">AVX-512<\/a> instruction set. OpenSSL 1.1.1 and the OpenSSL forks BoringSSL and LibreSSL are not affected.<\/p>\n<p>Security researcher Guido Vranken, who reported the bug in late May, <a rel=\"nofollow noopener\" href=\"https:\/\/guidovranken.com\/2022\/06\/27\/notes-on-openssl-remote-memory-corruption\/\" target=\"_blank\">said<\/a> it &#8220;can be triggered trivially by an attacker&#8221;. 
Although the flaw has been <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/openssl\/openssl\/pull\/18626\/commits\/71ad6a8da3e39bd4caf5c6c767287ddd9bce8bae\" target=\"_blank\">fixed<\/a>, no patch has been made available yet.<\/p>\n<p>OpenSSL is a popular cryptography library that offers an open source implementation of the Transport Layer Security (<a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\" target=\"_blank\">TLS<\/a>) protocol. Advanced Vector Extensions (<a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/openssl\/openssl\/issues\/18625%20en.wikipedia.org\/wiki\/Advanced_Vector_Extensions\" target=\"_blank\">AVX<\/a>) are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD.<\/p>\n<p>&#8220;I do not think this is a security vulnerability,&#8221; Tom\u00e1\u0161 Mr\u00e1z of the OpenSSL Foundation said in a GitHub discussion thread. &#8220;It is just a serious bug that makes the 3.0.4 release unusable on AVX-512 capable machines.&#8221;<\/p>\n<p>On the other hand, Alex Gaynor pointed out: &#8220;I&#8217;m not sure I understand how it&#8217;s not a security vulnerability. 
It&#8217;s a buffer overflow that can be triggered by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake).&#8221;<\/p>\n<p>Xi Ruoyao, a postgraduate student at Xidian University, chimed in, stating that although &#8220;I think we shouldn&#8217;t mark a bug as a &#8216;security vulnerability&#8217; unless we have some evidence showing it can (or at least, may) be exploited,&#8221; it is necessary to release version 3.0.5 as soon as possible given the severity of the issue.<\/p>\n<p><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/06\/openssh-to-release-security-patch-for.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The latest version of the OpenSSL library has been found to be susceptible to a remote memory corruption vulnerability on some systems. The issue was identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and affects x64 systems with the AVX-512 instruction set. 
OpenSSL 1.1.1 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":227458,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[4168,32471,24733,4158,4165,4161,2526,4157,4159,4171,4170,4167,1406,4160,4163,4162,28969,185,83659,1835,4172,4169,4166,3667,4164],"class_list":["post-227457","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-comment-pirater","tag-correctif","tag-corruption","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-distance","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-logiciel-malveillant-de-ransomware","tag-memoire","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-openssl","tag-pour","tag-publiera","tag-securite","tag-securite-informatique","tag-securite-internet","tag-violation-de-donnees","tag-vulnerabilite","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/227457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=227457"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/227457\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/227458"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=227457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.co
m\/fr\/wp-json\/wp\/v2\/categories?post=227457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=227457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}