CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:N/C:P/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
opensslopenssl
0.9.8 ≤
𝑥
≤ 0.9.8x
opensslopenssl
1.0.0 ≤
𝑥
≤ 1.0.0j
opensslopenssl
1.0.1 ≤
𝑥
≤ 1.0.1d
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.6.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
oracleopenjdk
1.7.0
polarsslpolarssl
0.10.0
polarsslpolarssl
0.10.1
polarsslpolarssl
0.11.0
polarsslpolarssl
0.11.1
polarsslpolarssl
0.12.0
polarsslpolarssl
0.12.1
polarsslpolarssl
0.13.1
polarsslpolarssl
0.14.0
polarsslpolarssl
0.14.2
polarsslpolarssl
0.14.3
polarsslpolarssl
0.99:pre1
polarsslpolarssl
0.99:pre3
polarsslpolarssl
0.99:pre4
polarsslpolarssl
0.99:pre5
polarsslpolarssl
1.0.0
polarsslpolarssl
1.1.0
polarsslpolarssl
1.1.0:rc0
polarsslpolarssl
1.1.0:rc1
polarsslpolarssl
1.1.1
polarsslpolarssl
1.1.2
polarsslpolarssl
1.1.3
polarsslpolarssl
1.1.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
bouncycastle
bullseye
1.68-2
fixed
wheezy
no-dsa
squeeze
no-dsa
bookworm
1.72-2
fixed
sid
1.77-1
fixed
trixie
1.77-1
fixed
gnutls28
bullseye
3.7.1-5+deb11u5
fixed
wheezy
no-dsa
squeeze
no-dsa
bullseye (security)
3.7.1-5+deb11u6
fixed
bookworm
3.7.9-2+deb12u3
fixed
sid
3.8.6-2
fixed
trixie
3.8.6-2
fixed
nss
bullseye
2:3.61-1+deb11u3
fixed
wheezy
no-dsa
squeeze
no-dsa
bullseye (security)
2:3.61-1+deb11u4
fixed
bookworm
2:3.87.1-1
fixed
sid
2:3.105-2
fixed
trixie
2:3.105-2
fixed
openssl
bullseye
1.1.1w-0+deb11u1
fixed
wheezy
no-dsa
squeeze
no-dsa
bullseye (security)
1.1.1w-0+deb11u2
fixed
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
sid
3.3.2-2
fixed
trixie
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openjdk-6
trusty
Fixed 6b27-1.12.3-1ubuntu1
released
saucy
Fixed 6b27-1.12.3-1ubuntu1
released
raring
Fixed 6b27-1.12.3-1ubuntu1
released
quantal
Fixed 6b27-1.12.3-0ubuntu1~12.10
released
precise
Fixed 6b27-1.12.3-0ubuntu1~12.04
released
oneiric
Fixed 6b27-1.12.3-0ubuntu1~11.10
released
lucid
Fixed 6b27-1.12.3-0ubuntu1~10.04
released
hardy
Fixed 6b27-1.12.3-0ubuntu1~08.04.1
released
openjdk-7
trusty
Fixed 7u15-2.3.7-1ubuntu1
released
saucy
Fixed 7u15-2.3.7-1ubuntu1
released
raring
Fixed 7u15-2.3.7-1ubuntu1
released
quantal
Fixed 7u15-2.3.7-0ubuntu1~12.10
released
precise
Fixed 7u15-2.3.7-0ubuntu1~12.04
released
oneiric
Fixed 7u15-2.3.7-0ubuntu1~11.10
released
lucid
dne
hardy
dne
openssl
trusty
Fixed 1.0.1c-4ubuntu8
released
saucy
Fixed 1.0.1c-4ubuntu8
released
raring
Fixed 1.0.1c-4ubuntu8
released
quantal
Fixed 1.0.1c-3ubuntu2.3
released
precise
Fixed 1.0.1-4ubuntu5.8
released
oneiric
Fixed 1.0.0e-2ubuntu4.7
released
lucid
Fixed 0.9.8k-7ubuntu8.14
released
hardy
Fixed 0.9.8g-4ubuntu3.20
released
openssl098
trusty
Fixed 0.9.8o-7ubuntu3.2.14.04.1
released
saucy
Fixed 0.9.8o-7ubuntu3.2.13.10.1
released
raring
ignored
quantal
ignored
precise
Fixed 0.9.8o-7ubuntu3.2
released
oneiric
ignored
lucid
dne
hardy
dne
Common Weakness Enumeration
References
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://openwall.com/lists/oss-security/2013/02/05/24
http://rhn.redhat.com/errata/RHSA-2013-0587.html
http://rhn.redhat.com/errata/RHSA-2013-0782.html
http://rhn.redhat.com/errata/RHSA-2013-0783.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/53623
http://secunia.com/advisories/55108
http://secunia.com/advisories/55139
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://secunia.com/advisories/55351
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://support.apple.com/kb/HT5880
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://www.debian.org/security/2013/dsa-2621
http://www.debian.org/security/2013/dsa-2622
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://www.matrixssl.org/news.html
http://www.openssl.org/news/secadv_20130204.txt
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
http://www.securityfocus.com/bid/57778
http://www.securitytracker.com/id/1029190
http://www.splunk.com/view/SP-CAAAHXG
http://www.ubuntu.com/usn/USN-1735-1
http://www.us-cert.gov/cas/techalerts/TA13-051A.html
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
https://puppet.com/security/cve/cve-2013-0169
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://openwall.com/lists/oss-security/2013/02/05/24
http://rhn.redhat.com/errata/RHSA-2013-0587.html
http://rhn.redhat.com/errata/RHSA-2013-0782.html
http://rhn.redhat.com/errata/RHSA-2013-0783.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/53623
http://secunia.com/advisories/55108
http://secunia.com/advisories/55139
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://secunia.com/advisories/55351
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://support.apple.com/kb/HT5880
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://www.debian.org/security/2013/dsa-2621
http://www.debian.org/security/2013/dsa-2622
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://www.matrixssl.org/news.html
http://www.openssl.org/news/secadv_20130204.txt
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
http://www.securityfocus.com/bid/57778
http://www.securitytracker.com/id/1029190
http://www.splunk.com/view/SP-CAAAHXG
http://www.ubuntu.com/usn/USN-1735-1
http://www.us-cert.gov/cas/techalerts/TA13-051A.html
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
https://puppet.com/security/cve/cve-2013-0169
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084