{"id":64368,"date":"2022-03-31T15:14:17","date_gmt":"2022-03-31T17:14:17","guid":{"rendered":"https:\/\/teknomers.com\/fr\/publications-de-correctifs-de-securite-pour-le-bogue-zero-day-critique-dans-java-spring-framework\/"},"modified":"2022-03-31T15:14:33","modified_gmt":"2022-03-31T17:14:33","slug":"publications-de-correctifs-de-securite-pour-le-bogue-zero-day-critique-dans-java-spring-framework","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/publications-de-correctifs-de-securite-pour-le-bogue-zero-day-critique-dans-java-spring-framework\/","title":{"rendered":"Security Patch Releases for the Critical Zero-Day Bug in Java Spring Framework"},"content":{"rendered":"<div id=\"articlebody\">\n<p>The maintainers of Spring Framework have published an emergency fix for a recently disclosed remote code execution flaw which, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system.<\/p>\n<p>Tracked as <a rel=\"nofollow noopener\" href=\"https:\/\/tanzu.vmware.com\/security\/cve-2022-22965\" target=\"_blank\">CVE-2022-22965<\/a>, the high-severity flaw affects Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19 and other older, unsupported versions. Users are advised to upgrade to versions 5.3.18 or later and 5.2.20 or later.<\/p>\n<p>Spring Framework is a Java framework that provides infrastructure support for developing web applications.<\/p>\n<p>&#8220;The vulnerability affects Spring <a rel=\"nofollow noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Model%E2%80%93view%E2%80%93controller\" target=\"_blank\">MVC<\/a> [model\u2013view\u2013controller] and Spring WebFlux applications running on [Java Development Kit] 9+,&#8221; Rossen Stoyanchev of Spring.io <a rel=\"nofollow noopener\" href=\"https:\/\/spring.io\/blog\/2022\/03\/31\/spring-framework-rce-early-announcement\" target=\"_blank\">noted<\/a> in an advisory published Thursday.<\/p>\n<p>&#8220;The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it,&#8221; Stoyanchev added.<\/p>\n<p>&#8220;Exploitation requires an endpoint with DataBinder enabled (e.g. a POST request that automatically decodes data from the request body) and depends heavily on the servlet container for the application,&#8221; Praetorian researchers Anthony Weems and Dallas Kaman <a rel=\"nofollow noopener\" href=\"https:\/\/www.praetorian.com\/blog\/spring-core-jdk9-rce\/\" target=\"_blank\">noted<\/a>.<\/p>\n<p>That said, Spring.io warned that &#8220;the nature of the vulnerability is more general&#8221; and that there could be other ways of weaponizing the flaw that have not been disclosed.<\/p>\n<p>The fix comes as a Chinese-speaking researcher briefly published a GitHub commit containing proof-of-concept (PoC) exploit code for CVE-2022-22965 on March 30, 2022, before it was removed.<\/p>\n<p>Spring.io, a VMware subsidiary, said it was first alerted to the vulnerability &#8220;late Tuesday evening, close to midnight GMT, by codeplutos, meizjm3i of AntGroup FG Security Lab.&#8221; It also credited cybersecurity firm Praetorian for reporting the flaw.<\/p>\n<\/div>\n<p><a href=\"https:\/\/thehackernews.com\/2022\/03\/security-patch-releases-for-critical.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The maintainers of Spring Framework have published an emergency fix for a recently disclosed remote code execution flaw which, if successfully exploited, could allow an unauthenticated attacker to take control of a targeted system. Tracked as CVE-2022-22965, the high-severity flaw affects Spring Framework versions [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":64369,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[6813,4168,15954,22,4158,4165,4161,429,39961,4312,4157,4159,4171,4170,4167,4160,4163,4162,185,40284,1835,4172,4169,13283,4166,4164,35759],"class_list":["post-64368","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-bogue","tag-comment-pirater","tag-correctifs","tag-critique","tag-cyber-actualites","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-dans","tag-framework","tag-java","tag-lactualite-de-la-cybersecurite","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-la-securite-des-informations","tag-logiciel-malveillant-de-ransomware","tag-mises-a-jour-de-la-cybersecurite","tag-nouvelles-de-piratage","tag-nouvelles-de-pirates","tag-pour","tag-publications","tag-securite","tag-securite-informatique","tag-securite-internet","tag-spring","tag-violation-de-donnees","tag-vulnerabilite-logicielle","tag-zeroday"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/64368","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=64368"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/64368\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/64369"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=64368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=64368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=64368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}