{"id":424057,"date":"2022-10-21T10:23:25","date_gmt":"2022-10-21T12:23:25","guid":{"rendered":"https:\/\/teknomers.com\/fr\/les-pirates-ont-commence-a-exploiter-critical-text4shell-vulnerabilite-de-texte-apache-commons\/"},"modified":"2022-10-21T10:23:26","modified_gmt":"2022-10-21T12:23:26","slug":"les-pirates-ont-commence-a-exploiter-critical-text4shell-vulnerabilite-de-texte-apache-commons","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/les-pirates-ont-commence-a-exploiter-critical-text4shell-vulnerabilite-de-texte-apache-commons\/","title":{"rendered":"Les pirates ont commenc\u00e9 \u00e0 exploiter Critical &quot;Text4Shell&quot; Vuln\u00e9rabilit\u00e9 de texte Apache Commons"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both\"><\/div>\n<p>La soci\u00e9t\u00e9 de s\u00e9curit\u00e9 WordPress Wordfence a d\u00e9clar\u00e9 jeudi qu&#8217;elle avait commenc\u00e9 \u00e0 d\u00e9tecter les tentatives d&#8217;exploitation ciblant la faille r\u00e9cemment r\u00e9v\u00e9l\u00e9e dans <b>Texte Apache Commons<\/b> le 18 octobre 2022.<\/p>\n<p>La vuln\u00e9rabilit\u00e9, suivie comme <a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-42889\" target=\"_blank\">CVE-2022-42889<\/a> alias<b> Text4Shell<\/b>s&#8217;est vu attribuer un classement de gravit\u00e9 de 9,8 sur 10,0 possibles sur l&#8217;\u00e9chelle CVSS et affecte les versions 1.5 \u00e0 1.9 de la biblioth\u00e8que.<\/p>\n<p>Il est \u00e9galement similaire \u00e0 la d\u00e9sormais tristement c\u00e9l\u00e8bre vuln\u00e9rabilit\u00e9 Log4Shell en ce que le <a rel=\"nofollow noopener\" href=\"https:\/\/commons.apache.org\/proper\/commons-text\/apidocs\/org\/apache\/commons\/text\/StringSubstitutor.html\" target=\"_blank\">publier<\/a> s&#8217;enracine dans la mani\u00e8re <a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/String_interpolation\" target=\"_blank\">substitutions de cha\u00eenes<\/a> effectu\u00e9 pendant <a rel=\"nofollow noopener\" href=\"https:\/\/nakedsecurity.sophos.com\/2022\/10\/18\/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again\/\" target=\"_blank\">Recherches DNS, de script et d&#8217;URL<\/a> pourrait conduire \u00e0 l&#8217;ex\u00e9cution de code arbitraire sur des syst\u00e8mes sensibles lors de la transmission d&#8217;entr\u00e9es non fiables.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/strike-d\" target=\"_blank\" title=\"DevOps backupy\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/08\/La-nouvelle-vulnerabilite-Amazon-Ring-aurait-pu-exposer-tous-vos.png\" width=\"300\" height=\"250\" \/><\/a><\/div>\n<p>UN <a rel=\"nofollow noopener\" href=\"https:\/\/sysdig.com\/blog\/cve-2022-42889-text4shell\/\" target=\"_blank\">exploitation r\u00e9ussie de la faille<\/a> peut permettre \u00e0 un pirate d&#8217;ouvrir une connexion shell invers\u00e9e avec l&#8217;application vuln\u00e9rable simplement via une charge utile sp\u00e9cialement con\u00e7ue, ouvrant ainsi la porte \u00e0 des attaques ult\u00e9rieures.<\/p>\n<p>Tandis que le <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/GossiTheDog\/status\/1581973655453433856\" target=\"_blank\">publier<\/a> \u00e9tait \u00e0 l&#8217;origine <a rel=\"nofollow noopener\" href=\"https:\/\/securitylab.github.com\/advisories\/GHSL-2022-018_Apache_Commons_Text\/\" target=\"_blank\">signal\u00e9<\/a> d\u00e9but mars 2022, l&#8217;Apache Software Foundation (ASF) a publi\u00e9 une <a rel=\"nofollow noopener\" href=\"https:\/\/commons.apache.org\/proper\/commons-text\/changes-report.html#a1.10.0\" target=\"_blank\">Version mise \u00e0 jour<\/a> du logiciel (1.10.0) le 24 septembre, suivi de <a rel=\"nofollow noopener\" href=\"https:\/\/lists.apache.org\/thread\/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om\" target=\"_blank\">\u00e9mettre un avis<\/a> seulement la semaine derni\u00e8re le 13 octobre.<\/p>\n<p>&#8220;Heureusement, tous les utilisateurs de cette biblioth\u00e8que ne seraient pas affect\u00e9s par cette vuln\u00e9rabilit\u00e9 &#8211; contrairement \u00e0 Log4J dans la vuln\u00e9rabilit\u00e9 Log4Shell, qui \u00e9tait vuln\u00e9rable m\u00eame dans ses cas d&#8217;utilisation les plus \u00e9l\u00e9mentaires&#8221;, a d\u00e9clar\u00e9 Yaniv Nizry, chercheur chez Checkmarx. <a rel=\"nofollow noopener\" href=\"https:\/\/checkmarx.com\/blog\/cve-2022-42889-text4shell-vulnerability-breakdown\/\" target=\"_blank\">a dit<\/a>.<\/p>\n<p>&#8220;Apache Commons Text doit \u00eatre utilis\u00e9 d&#8217;une certaine mani\u00e8re pour exposer la surface d&#8217;attaque et rendre la vuln\u00e9rabilit\u00e9 exploitable.&#8221;<\/p>\n<p>Wordfence a \u00e9galement r\u00e9it\u00e9r\u00e9 que la probabilit\u00e9 d&#8217;une exploitation r\u00e9ussie est consid\u00e9rablement limit\u00e9e par rapport \u00e0 Log4j, la plupart des charges utiles observ\u00e9es jusqu&#8217;\u00e0 pr\u00e9sent \u00e9tant con\u00e7ues pour rechercher des installations vuln\u00e9rables.<\/p>\n<p>&#8220;Une tentative r\u00e9ussie aurait pour cons\u00e9quence que le site victime adresserait une requ\u00eate DNS au domaine d&#8217;\u00e9coute contr\u00f4l\u00e9 par l&#8217;attaquant&#8221;, a d\u00e9clar\u00e9 le chercheur de Wordfence, Ram Gall. <a rel=\"nofollow noopener\" href=\"https:\/\/www.wordfence.com\/blog\/2022\/10\/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts\/\" target=\"_blank\">a dit<\/a>l&#8217;ajout de requ\u00eates avec des pr\u00e9fixes de script et d&#8217;URL a \u00e9t\u00e9 relativement plus faible en volume.<\/p>\n<div class=\"ad_two clear\"><a rel=\"nofollow noopener\" href=\"https:\/\/go.thn.li\/crowd-mid-d\" target=\"_blank\" title=\"CyberSecurity\"><img decoding=\"async\" alt=\"La cyber-s\u00e9curit\u00e9\" class=\"lazyload\" loading=\"lazy\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2022\/08\/Google-Cloud-bloque-une-attaque-DDoS-record-de-46-millions.png\" width=\"728\" height=\"90\" \/><\/a><\/div>\n<p>Au contraire, le d\u00e9veloppement est une autre indication des risques de s\u00e9curit\u00e9 potentiels pos\u00e9s par les d\u00e9pendances open source tierces, n\u00e9cessitant que les organisations \u00e9valuent r\u00e9guli\u00e8rement leur surface d&#8217;attaque et mettent en place des strat\u00e9gies de gestion des correctifs appropri\u00e9es.<\/p>\n<p>Les utilisateurs qui d\u00e9pendent directement d&#8217;Apache Commons Text sont <a rel=\"nofollow noopener\" href=\"https:\/\/www.rapid7.com\/blog\/post\/2022\/10\/17\/cve-2022-42889-keep-calm-and-stop-saying-4shell\/\" target=\"_blank\">conseill\u00e9<\/a> mettre \u00e0 niveau vers la version corrig\u00e9e pour att\u00e9nuer les menaces potentielles.  Selon <a rel=\"nofollow noopener\" href=\"https:\/\/mvnrepository.com\/artifact\/org.apache.commons\/commons-text\/usages?sort=popular\" target=\"_blank\">R\u00e9f\u00e9rentiel Maven<\/a>pas moins de 2 593 projets utilisent la biblioth\u00e8que Apache Commons Text.<\/p>\n<p>La faille Apache Commons Text fait \u00e9galement suite \u00e0 une autre faille de s\u00e9curit\u00e9 critique qui a \u00e9t\u00e9 divulgu\u00e9e dans Apache Commons Configuration en juillet 2022 (<a rel=\"nofollow noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-33980\" target=\"_blank\">CVE-2022-33980<\/a>score CVSS : 9,8), ce qui pourrait <a rel=\"nofollow noopener\" href=\"https:\/\/snyk.io\/blog\/cve-2022-33980-apache-commons-configuration-rce-vulnerability\/\" target=\"_blank\">r\u00e9sultat<\/a> dans l&#8217;ex\u00e9cution de code arbitraire gr\u00e2ce \u00e0 la fonctionnalit\u00e9 d&#8217;interpolation de variable.<\/p>\n<p><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2022\/10\/hackers-started-exploiting-critical.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>La soci\u00e9t\u00e9 de s\u00e9curit\u00e9 WordPress Wordfence a d\u00e9clar\u00e9 jeudi qu&#8217;elle avait commenc\u00e9 \u00e0 d\u00e9tecter les tentatives d&#8217;exploitation ciblant la faille r\u00e9cemment r\u00e9v\u00e9l\u00e9e dans Texte Apache Commons le 18 octobre 2022. La vuln\u00e9rabilit\u00e9, suivie comme CVE-2022-42889 alias Text4Shells&#8217;est vu attribuer un classement de gravit\u00e9 de 9,8 sur 10,0 possibles sur l&#8217;\u00e9chelle CVSS et affecte les versions [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":424058,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[43333,993,4168,66174,118325,4158,4165,4161,17566,4157,4159,4171,4170,65,4167,4160,4163,4162,249,4394,118326,4172,4169,13128,4166,3667,4164],"class_list":["post-424057","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-apache","tag-commence","tag-comment-pirater","tag-commons","tag-critical","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-exploiter","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-les","tag-logiciel-malveillant-de-ransomware","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-ont","tag-pirates","tag-quottext4shellquot","tag-securite-informatique","tag-securite-internet","tag-texte","tag-violation-de-donnees","tag-vulnerabilite","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/424057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=424057"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/424057\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/424058"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=424057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=424057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=424057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}