Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 2.6
CVE Id: CVE-2013-0169
Last Modified: 26 Mar 2015 09:59:04
Published: 08 Feb 2013 02:55:01
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE

CVE-2013-0169

Summary

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Vulnerable Systems

Application

  • Openssl

  • Openssl 0.9.8

  • Openssl 0.9.8a

  • Openssl 0.9.8b

  • Openssl 0.9.8c

  • Openssl 0.9.8d

  • Openssl 0.9.8f

  • Openssl 0.9.8g

  • Openssl 0.9.8h

  • Openssl 0.9.8i

  • Openssl 0.9.8j

  • Openssl 0.9.8k

  • Openssl 0.9.8l

  • Openssl 0.9.8m

  • Openssl 0.9.8n

  • Openssl 0.9.8o

  • Openssl 0.9.8p

  • Openssl 0.9.8q

  • Openssl 0.9.8r

  • Openssl 0.9.8s

  • Openssl 0.9.8t

  • Openssl 0.9.8u

  • Openssl 0.9.8v

  • Openssl 0.9.8w

  • Openssl 0.9.8x

  • Openssl 1.0.0

  • Openssl 1.0.0a

  • Openssl 1.0.0b

  • Openssl 1.0.0c

  • Openssl 1.0.0d

  • Openssl 1.0.0e

  • Openssl 1.0.0f

  • Openssl 1.0.0g

  • Openssl 1.0.0i

  • Openssl 1.0.0j

  • Openssl 1.0.1

  • Openssl 1.0.1a

  • Openssl 1.0.1b

  • Openssl 1.0.1c

  • Oracle Openjdk -

  • Oracle Openjdk 1.6.0

  • Oracle Openjdk 1.7.0

  • Oracle Openjdk 1.8.0

  • Polarssl 0.10.0

  • Polarssl 0.10.1

  • Polarssl 0.11.0

  • Polarssl 0.11.1

  • Polarssl 0.12.0

  • Polarssl 0.12.1

  • Polarssl 0.13.1

  • Polarssl 0.14.0

  • Polarssl 0.14.2

  • Polarssl 0.14.3

  • Polarssl 0.99

  • Polarssl 1.0.0

  • Polarssl 1.1.0

  • Polarssl 1.1.1

  • Polarssl 1.1.2

  • Polarssl 1.1.3

  • Polarssl 1.1.4


References

CONFIRM - https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

CONFIRM - http://www.openssl.org/news/secadv_20130204.txt

CONFIRM - http://www.matrixssl.org/news.html

MISC - http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

MLIST - [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

CONFIRM - http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

UBUNTU - USN-1735-1

DEBIAN - DSA-2622

DEBIAN - DSA-2621

REDHAT - RHSA-2013:0587

SUSE - openSUSE-SU-2013:0378

SUSE - openSUSE-SU-2013:0375

SUSE - SUSE-SU-2013:0328

CERT - TA13-051A

REDHAT - RHSA-2013:0783

REDHAT - RHSA-2013:0782

HP - SSRT101184

HP - HPSBMU02874

HP - HPSBUX02857

HP - SSRT101103

HP - HPSBUX02856

HP - SSRT101104

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21644047

CERT-VN - VU#737740

CONFIRM - http://support.apple.com/kb/HT5880

APPLE - APPLE-SA-2013-09-12-1

SECTRACK - 1029190

SECUNIA - 55351

SECUNIA - 55350

SECUNIA - 55322

SECUNIA - 55139

SECUNIA - 55108

REDHAT - RHSA-2013:1456

REDHAT - RHSA-2013:1455

REDHAT - RHSA-2013:0833

FEDORA - FEDORA-2013-4403

HP - SSRT101289

HP - HPSBUX02909

SUSE - SUSE-SU-2013:0701

CONFIRM - http://www.splunk.com/view/SP-CAAAHXG

SECUNIA - 53623

MANDRIVA - MDVSA-2013:095

CONFIRM - https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084

MISC - http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/

SUSE - SUSE-SU-2014:0320

GENTOO - GLSA-201406-32

SUSE - SUSE-SU-2015:0578

Related Patches

Oracle Java JRE 1.6.0_41 for Windows (Update) (All Languages) (See Notes)

Oracle Java JRE 1.7.0_15 for Windows (Update) (All Languages) (See Notes)

Oracle Java JRE 1.6.0_41 for Windows (Update) (64Bit) (All Languages) (See Notes)

Oracle Java JRE 1.7.0_15 for Windows (Update) (64Bit) (All Languages) (See Notes)

Red Hat 2013:0274-01 RHSA Important: java-1.6.0-openjdk security update for RHEL 5 x86

Red Hat 2013:0275-01 RHSA Important: java-1.7.0-openjdk security update for RHEL 5 x86

Red Hat 2013:0587-01 RHSA Moderate: openssl security update for RHEL 5 x86

Novell SUSE 2013:7385 java-1_6_0-openjdk security update for SLED 11 SP2 i586

Novell SUSE 2013:7385 java-1_6_0-openjdk security update for SLED 11 SP2 x86_64

Novell SUSE 2013:7548 libopenssl-devel security update for SLE 11 SP2 i586

Novell SUSE 2013:7548 libopenssl-devel security update for SLE 11 SP2 x86_64

Novell SUSE 2013:7623 java-1_7_0-ibm security update for SLES 11 SP2 i586

Novell SUSE 2013:7623 java-1_7_0-ibm security update for SLES 11 SP2 x86_64

Novell SUSE 2013:7627 java-1_6_0-ibm security update for SLES 11 SP2 i586

Novell SUSE 2013:7627 java-1_6_0-ibm security update for SLES 11 SP2 x86_64

Novell SUSE 2013:8517 openssl security update for SLE 10 SP4 i586

Novell SUSE 2013:8517 openssl security update for SLE 10 SP4 x86_64

Novell SUSE 2013:8544 java-1_6_0-ibm security update for SLES 10 SP4 i586

Novell SUSE 2013:8544 java-1_6_0-ibm security update for SLES 10 SP4 x86_64


Last Updated: 27 May 2016 11:01:49