CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
0.9.8 ≤
𝑥
≤ 0.9.8x
opensslopenssl
1.0.0 ≤
𝑥
≤ 1.0.0j
opensslopenssl
1.0.1 ≤
𝑥
≤ 1.0.1d
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
polarsslpolarssl
0.10.0
polarsslpolarssl
0.10.1
polarsslpolarssl
0.11.0
polarsslpolarssl
0.11.1
polarsslpolarssl
0.12.0
polarsslpolarssl
0.12.1
polarsslpolarssl
0.13.1
polarsslpolarssl
0.14.0
polarsslpolarssl
0.14.2
polarsslpolarssl
0.14.3
polarsslpolarssl
0.99:pre1
polarsslpolarssl
0.99:pre3
polarsslpolarssl
0.99:pre4
polarsslpolarssl
0.99:pre5
polarsslpolarssl
1.0.0
polarsslpolarssl
1.1.0
polarsslpolarssl
1.1.0:rc0
polarsslpolarssl
1.1.0:rc1
polarsslpolarssl
1.1.1
polarsslpolarssl
1.1.2
polarsslpolarssl
1.1.3
polarsslpolarssl
1.1.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
bouncycastle
bookworm
1.72-2
fixed
bullseye
1.68-2
fixed
sid
1.77-1
fixed
squeeze
no-dsa
trixie
1.77-1
fixed
wheezy
no-dsa
gnutls28
bookworm
3.7.9-2+deb12u3
fixed
bullseye
3.7.1-5+deb11u5
fixed
bullseye (security)
3.7.1-5+deb11u6
fixed
sid
3.8.6-2
fixed
squeeze
no-dsa
trixie
3.8.6-2
fixed
wheezy
no-dsa
nss
bookworm
2:3.87.1-1
fixed
bullseye
2:3.61-1+deb11u3
fixed
bullseye (security)
2:3.61-1+deb11u4
fixed
sid
2:3.105-2
fixed
squeeze
no-dsa
trixie
2:3.105-2
fixed
wheezy
no-dsa
openssl
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
sid
3.3.2-2
fixed
squeeze
no-dsa
trixie
3.3.2-2
fixed
wheezy
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openjdk-6
hardy
Fixed 6b27-1.12.3-0ubuntu1~08.04.1
released
lucid
Fixed 6b27-1.12.3-0ubuntu1~10.04
released
oneiric
Fixed 6b27-1.12.3-0ubuntu1~11.10
released
precise
Fixed 6b27-1.12.3-0ubuntu1~12.04
released
quantal
Fixed 6b27-1.12.3-0ubuntu1~12.10
released
raring
Fixed 6b27-1.12.3-1ubuntu1
released
saucy
Fixed 6b27-1.12.3-1ubuntu1
released
trusty
Fixed 6b27-1.12.3-1ubuntu1
released
openjdk-7
hardy
dne
lucid
dne
oneiric
Fixed 7u15-2.3.7-0ubuntu1~11.10
released
precise
Fixed 7u15-2.3.7-0ubuntu1~12.04
released
quantal
Fixed 7u15-2.3.7-0ubuntu1~12.10
released
raring
Fixed 7u15-2.3.7-1ubuntu1
released
saucy
Fixed 7u15-2.3.7-1ubuntu1
released
trusty
Fixed 7u15-2.3.7-1ubuntu1
released
openssl
hardy
Fixed 0.9.8g-4ubuntu3.20
released
lucid
Fixed 0.9.8k-7ubuntu8.14
released
oneiric
Fixed 1.0.0e-2ubuntu4.7
released
precise
Fixed 1.0.1-4ubuntu5.8
released
quantal
Fixed 1.0.1c-3ubuntu2.3
released
raring
Fixed 1.0.1c-4ubuntu8
released
saucy
Fixed 1.0.1c-4ubuntu8
released
trusty
Fixed 1.0.1c-4ubuntu8
released
openssl098
hardy
dne
lucid
dne
oneiric
ignored
precise
Fixed 0.9.8o-7ubuntu3.2
released
quantal
ignored
raring
ignored
saucy
Fixed 0.9.8o-7ubuntu3.2.13.10.1
released
trusty
Fixed 0.9.8o-7ubuntu3.2.14.04.1
released
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
java-1.5.0-ibm
RHEL 6
1:1.5.0.16.2-1jpp.1.el6_4
fixed
java-1.5.0-ibm-demo
RHEL 6
1:1.5.0.16.2-1jpp.1.el6_4
fixed
java-1.5.0-ibm-devel
RHEL 6
1:1.5.0.16.2-1jpp.1.el6_4
fixed
java-1.5.0-ibm-javacomm
RHEL 6
1:1.5.0.16.2-1jpp.1.el6_4
fixed
java-1.5.0-ibm-jdbc
RHEL 6
1:1.5.0.16.2-1jpp.1.el6_4
fixed
java-1.5.0-ibm-plugin
RHEL 6
1:1.5.0.16.2-1jpp.1.el6_4
fixed
java-1.5.0-ibm-src
RHEL 6
1:1.5.0.16.2-1jpp.1.el6_4
fixed
java-1.6.0-ibm
RHEL 6
1:1.6.0.13.2-1jpp.1.el6_4
fixed
java-1.6.0-ibm-demo
RHEL 6
1:1.6.0.13.2-1jpp.1.el6_4
fixed
java-1.6.0-ibm-devel
RHEL 6
1:1.6.0.13.2-1jpp.1.el6_4
fixed
java-1.6.0-ibm-javacomm
RHEL 6
1:1.6.0.13.2-1jpp.1.el6_4
fixed
java-1.6.0-ibm-jdbc
RHEL 6
1:1.6.0.13.2-1jpp.1.el6_4
fixed
java-1.6.0-ibm-plugin
RHEL 6
1:1.6.0.13.2-1jpp.1.el6_4
fixed
java-1.6.0-ibm-src
RHEL 6
1:1.6.0.13.2-1jpp.1.el6_4
fixed
java-1.6.0-openjdk
RHEL 6
1:1.6.0.0-1.56.1.11.8.el6_3
fixed
java-1.6.0-openjdk-demo
RHEL 6
1:1.6.0.0-1.56.1.11.8.el6_3
fixed
java-1.6.0-openjdk-devel
RHEL 6
1:1.6.0.0-1.56.1.11.8.el6_3
fixed
java-1.6.0-openjdk-javadoc
RHEL 6
1:1.6.0.0-1.56.1.11.8.el6_3
fixed
java-1.6.0-openjdk-src
RHEL 6
1:1.6.0.0-1.56.1.11.8.el6_3
fixed
java-1.6.0-sun
RHEL 6
1:1.6.0.41-1jpp.1.el6_3
fixed
java-1.6.0-sun-demo
RHEL 6
1:1.6.0.41-1jpp.1.el6_3
fixed
java-1.6.0-sun-devel
RHEL 6
1:1.6.0.41-1jpp.1.el6_3
fixed
java-1.6.0-sun-jdbc
RHEL 6
1:1.6.0.41-1jpp.1.el6_3
fixed
java-1.6.0-sun-plugin
RHEL 6
1:1.6.0.41-1jpp.1.el6_3
fixed
java-1.6.0-sun-src
RHEL 6
1:1.6.0.41-1jpp.1.el6_3
fixed
java-1.7.0-ibm
RHEL 6
1:1.7.0.4.2-1jpp.1.el6_4
fixed
java-1.7.0-ibm-demo
RHEL 6
1:1.7.0.4.2-1jpp.1.el6_4
fixed
java-1.7.0-ibm-devel
RHEL 6
1:1.7.0.4.2-1jpp.1.el6_4
fixed
java-1.7.0-ibm-jdbc
RHEL 6
1:1.7.0.4.2-1jpp.1.el6_4
fixed
java-1.7.0-ibm-plugin
RHEL 6
1:1.7.0.4.2-1jpp.1.el6_4
fixed
java-1.7.0-ibm-src
RHEL 6
1:1.7.0.4.2-1jpp.1.el6_4
fixed
java-1.7.0-openjdk
RHEL 6
1:1.7.0.9-2.3.7.1.el6_3
fixed
java-1.7.0-openjdk-demo
RHEL 6
1:1.7.0.9-2.3.7.1.el6_3
fixed
java-1.7.0-openjdk-devel
RHEL 6
1:1.7.0.9-2.3.7.1.el6_3
fixed
java-1.7.0-openjdk-javadoc
RHEL 6
1:1.7.0.9-2.3.7.1.el6_3
fixed
java-1.7.0-openjdk-src
RHEL 6
1:1.7.0.9-2.3.7.1.el6_3
fixed
java-1.7.0-oracle
RHEL 6
1:1.7.0.15-1jpp.1.el6_3
fixed
java-1.7.0-oracle-devel
RHEL 6
1:1.7.0.15-1jpp.1.el6_3
fixed
java-1.7.0-oracle-javafx
RHEL 6
1:1.7.0.15-1jpp.1.el6_3
fixed
java-1.7.0-oracle-jdbc
RHEL 6
1:1.7.0.15-1jpp.1.el6_3
fixed
java-1.7.0-oracle-plugin
RHEL 6
1:1.7.0.15-1jpp.1.el6_3
fixed
java-1.7.0-oracle-src
RHEL 6
1:1.7.0.15-1jpp.1.el6_3
fixed
openssl
RHEL 6
0:1.0.0-27.el6_4.2
fixed
openssl-devel
RHEL 6
0:1.0.0-27.el6_4.2
fixed
openssl-perl
RHEL 6
0:1.0.0-27.el6_4.2
fixed
openssl-static
RHEL 6
0:1.0.0-27.el6_4.2
fixed
Common Weakness Enumeration
References
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://openwall.com/lists/oss-security/2013/02/05/24
http://rhn.redhat.com/errata/RHSA-2013-0587.html
http://rhn.redhat.com/errata/RHSA-2013-0782.html
http://rhn.redhat.com/errata/RHSA-2013-0783.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/53623
http://secunia.com/advisories/55108
http://secunia.com/advisories/55139
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://secunia.com/advisories/55351
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://support.apple.com/kb/HT5880
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://www.debian.org/security/2013/dsa-2621
http://www.debian.org/security/2013/dsa-2622
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://www.matrixssl.org/news.html
http://www.openssl.org/news/secadv_20130204.txt
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
http://www.securityfocus.com/bid/57778
http://www.securitytracker.com/id/1029190
http://www.splunk.com/view/SP-CAAAHXG
http://www.ubuntu.com/usn/USN-1735-1
http://www.us-cert.gov/cas/techalerts/TA13-051A.html
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
https://puppet.com/security/cve/cve-2013-0169
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://openwall.com/lists/oss-security/2013/02/05/24
http://rhn.redhat.com/errata/RHSA-2013-0587.html
http://rhn.redhat.com/errata/RHSA-2013-0782.html
http://rhn.redhat.com/errata/RHSA-2013-0783.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/53623
http://secunia.com/advisories/55108
http://secunia.com/advisories/55139
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://secunia.com/advisories/55351
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://support.apple.com/kb/HT5880
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://www.debian.org/security/2013/dsa-2621
http://www.debian.org/security/2013/dsa-2622
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://www.matrixssl.org/news.html
http://www.openssl.org/news/secadv_20130204.txt
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
http://www.securityfocus.com/bid/57778
http://www.securitytracker.com/id/1029190
http://www.splunk.com/view/SP-CAAAHXG
http://www.ubuntu.com/usn/USN-1735-1
http://www.us-cert.gov/cas/techalerts/TA13-051A.html
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
https://puppet.com/security/cve/cve-2013-0169
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084