CVE-2013-0169

Severity

26%

Complexity

49%

Confidentiality

48%

Per http://www.openssl.org/news/vulnerabilities.html:

Fixed in OpenSSL 1.0.1d (Affected 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)

Fixed in OpenSSL 1.0.0k (Affected 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)

Fixed in OpenSSL 0.9.8y (Affected 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)

Affected users should upgrade to OpenSSL 1.0.1e, 1.0.0k or 0.9.8y (The fix in 1.0.1d wasn't complete, so please use 1.0.1e or later)

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

CVSS 2.0 Base Score 2.6. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N).

Overview

First reported: 2013-02-08 19:55:00

Last updated: 2019-10-09 23:06:00

Affected Software

OpenSSL Project OpenSSL

Oracle OpenJDK -

Oracle OpenJDK 1.6.0 (6)

1.6.0

Oracle OpenJDK 1.7.0 (7)

1.7.0

Oracle OpenJDK 1.8.0 (8)

1.8.0

PolarSSL 0.10.0

0.10.0

PolarSSL 0.10.1

0.10.1

PolarSSL 0.11.0

0.11.0

PolarSSL 0.11.1

0.11.1

PolarSSL 0.12.0

0.12.0

PolarSSL 0.12.1

0.12.1

PolarSSL 0.13.1

0.13.1

PolarSSL 0.14.0

0.14.0

PolarSSL 0.14.2

0.14.2

PolarSSL 0.14.3

0.14.3

PolarSSL 0.99-pre1

0.99

PolarSSL 0.99-pre3

0.99

PolarSSL 0.99-pre4

0.99

PolarSSL 0.99-pre5

0.99

PolarSSL 1.0.0

1.0.0

PolarSSL 1.1.0

1.1.0

PolarSSL 1.1.0 release candidate 0

1.1.0

PolarSSL 1.1.0 release candidate 1

1.1.0

PolarSSL 1.1.1

1.1.1

PolarSSL 1.1.2

1.1.2

PolarSSL 1.1.3

1.1.3

PolarSSL 1.1.4

1.1.4

References

http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/

Third Party Advisory

APPLE-SA-2013-09-12-1

Mailing List, Third Party Advisory

FEDORA-2013-4403

Third Party Advisory

SUSE-SU-2013:0328

Third Party Advisory

openSUSE-SU-2013:0375

Third Party Advisory

openSUSE-SU-2013:0378

Third Party Advisory

SUSE-SU-2013:0701

Third Party Advisory

SUSE-SU-2014:0320

Third Party Advisory

SUSE-SU-2015:0578

Third Party Advisory

openSUSE-SU-2016:0640

Third Party Advisory

HPSBUX02856

Third Party Advisory

SSRT101108

Third Party Advisory

HPSBUX02857

Third Party Advisory

HPSBMU02874

Third Party Advisory

SSRT101289

Third Party Advisory

[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

Mailing List

RHSA-2013:0587

Third Party Advisory

RHSA-2013:0782

Third Party Advisory

RHSA-2013:0783

Third Party Advisory

RHSA-2013:0833

Third Party Advisory

RHSA-2013:1455

Third Party Advisory

RHSA-2013:1456

Third Party Advisory

53623

Third Party Advisory

55108

Third Party Advisory

55139

Third Party Advisory

55322

Third Party Advisory

55350

Third Party Advisory

55351

Third Party Advisory

GLSA-201406-32

Third Party Advisory

http://support.apple.com/kb/HT5880

Third Party Advisory

DSA-2621

Third Party Advisory

DSA-2622

Third Party Advisory

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

Third Party Advisory

VU#737740

Third Party Advisory, US Government Resource

MDVSA-2013:095

Third Party Advisory

http://www.matrixssl.org/news.html

Third Party Advisory

http://www.openssl.org/news/secadv_20130204.txt

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

Third Party Advisory

57778

Third Party Advisory, VDB Entry

1029190

Third Party Advisory, VDB Entry

http://www.splunk.com/view/SP-CAAAHXG

Third Party Advisory

USN-1735-1

Third Party Advisory

TA13-051A

Third Party Advisory, US Government Resource

http://www-01.ibm.com/support/docview.wss?uid=swg21644047

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

Third Party Advisory

[debian-lts-announce] 20180925 [SECURITY] [DLA 1518-1] polarssl security update

Third Party Advisory

oval:org.mitre.oval:def:18841

Tool Signature

oval:org.mitre.oval:def:19016

Tool Signature

oval:org.mitre.oval:def:19424

Tool Signature

oval:org.mitre.oval:def:19540

Tool Signature

oval:org.mitre.oval:def:19608

Third Party Advisory

https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

Vendor Advisory

https://puppet.com/security/cve/cve-2013-0169

Third Party Advisory

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001

Third Party Advisory

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084

Third Party Advisory
