{"$ref":"https://www.cert.ssi.gouv.fr/openapi.json","affected_systems":[{"description":"STSAFE-J version 1.1.4 en configuration ferm\u00e9e","product":{"name":"STSAFE-J","vendor":{"name":"STMicroelectronics","scada":false}}},{"description":"J-SAFE3 version 1.2.5","product":{"name":"J-SAFE3","vendor":{"name":"STMicroelectronics","scada":false}}}],"affected_systems_content":"","content":"## Solution\n\nL\u2019\u00e9diteur indique avoir inform\u00e9 ses clients.\n\n\ud83c\uddec\ud83c\udde7 The vendor indicates that customers were informed.\n","cves":[{"name":"CVE-2021-43393","url":"https://www.cve.org/CVERecord?id=CVE-2021-43393"},{"name":"CVE-2021-43392","url":"https://www.cve.org/CVERecord?id=CVE-2021-43392"}],"links":[],"reference":"CERTFR-2022-AVI-169","revisions":[{"description":"Version initiale","revision_date":"2022-02-22T00:00:00.000000"},{"description":"correction vecteur AC:H","revision_date":"2022-03-16T00:00:00.000000"}],"risks":[{"description":"Atteinte \u00e0 l'int\u00e9grit\u00e9 des donn\u00e9es"},{"description":"Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"}],"summary":"Les vuln\u00e9rabilit\u00e9s CVE-2021-43392 et CVE-2021-43393 ont \u00e9t\u00e9 d\u00e9couvertes\npar l\u2019ANSSI dans la Java Card J-SAFE3 et la plateforme STSAFE-J exposant\nune API Java Card 3.0.4, produits \u00e9dit\u00e9s par STMicroelectronics.\n\nCes vuln\u00e9rabilit\u00e9s sont pr\u00e9sentes dans l\u2019impl\u00e9mentation de l\u2019algorithme\nde signature ECDSA dans les produits STSAFE-J version 1.1.4 en\nconfiguration ferm\u00e9e et J-SAFE3 version 1.2.5. Elles permettent \u00e0 un\nattaquant d\u2019obtenir des informations sur des secrets cryptographiques et\nd\u2019exploiter la v\u00e9rification de signature dans des conditions\nparticuli\u00e8res.\n\nCes vuln\u00e9rabilit\u00e9s sont exploitables pour STSAFE-J version 1.1.4 en\nconfiguration ferm\u00e9e et J-SIGN lorsque la v\u00e9rification de signature est\nactiv\u00e9e, mais pas pour JSAFE-3 EPASS BAS ni les produits EAC. Elles\npourraient potentiellement \u00eatre exploit\u00e9es dans d\u2019autres produits bas\u00e9s\nsur la plateforme Java Card J-SAFE-3.\n\n### <span lang=\"en-GB\"><strong>\ud83c\uddec\ud83c\udde7 ENGLISH VERSION</strong></span> [english-version]\n\n<span lang=\"en-US\">Two vulnerabilities have been discovered in\nSTMicroelectronics products concerning the ECDSA signature algorithm on\nthe Java Card J-SAFE3 and STSAFE-J platforms exposing a 3.0.4 Java Card\nAPI. These vulnerabilities allow attackers to obtain information on\ncryptographic secrets and abuse the signature verification under certain\ncircumstances. These vulnerabilities are exploitable for STSAFE-J\nversion 1.1.4 in closed configuration and J-SIGN (when signature\nverification is activated) but not for J-SAFE3 EPASS BAC and EAC\nproducts. They might as well impact other products based on the J-SAFE-3\nJava Card platform.</span>\n","title":"Multiples vuln\u00e9rabilit\u00e9s dans les produits STMicroelectronics","vendor_advisories":[]}