CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Published: 2013-02-08 19:55
Updated: 2019-10-09 23:06

CVSS Score: 2.6 / 10
Vendor Product Version URI
Openssl Openssl 1.0.0c cpe:/a:openssl:openssl:1.0.0c
Polarssl Polarssl 1.1.0 cpe:/a:polarssl:polarssl:1.1.0:rc0
Openssl Openssl 0.9.8s cpe:/a:openssl:openssl:0.9.8s
Oracle Openjdk 1.6.0 cpe:/a:oracle:openjdk:1.6.0
Oracle Openjdk 1.8.0 cpe:/a:oracle:openjdk:1.8.0
Polarssl Polarssl 0.10.0 cpe:/a:polarssl:polarssl:0.10.0
Openssl Openssl 1.0.1a cpe:/a:openssl:openssl:1.0.1a
Openssl Openssl 1.0.1c cpe:/a:openssl:openssl:1.0.1c
Openssl Openssl 1.0.1b cpe:/a:openssl:openssl:1.0.1b
Polarssl Polarssl 0.11.1 cpe:/a:polarssl:polarssl:0.11.1
Polarssl Polarssl 0.11.0 cpe:/a:polarssl:polarssl:0.11.0
Polarssl Polarssl 0.13.1 cpe:/a:polarssl:polarssl:0.13.1
Polarssl Polarssl 1.0.0 cpe:/a:polarssl:polarssl:1.0.0
Polarssl Polarssl 1.1.0 cpe:/a:polarssl:polarssl:1.1.0:rc1
Openssl Openssl 0.9.8b cpe:/a:openssl:openssl:0.9.8b
Openssl Openssl 0.9.8a cpe:/a:openssl:openssl:0.9.8a
Openssl Openssl 0.9.8d cpe:/a:openssl:openssl:0.9.8d
Openssl Openssl 1.0.1 cpe:/a:openssl:openssl:1.0.1
Openssl Openssl 1.0.0 cpe:/a:openssl:openssl:1.0.0
Openssl Openssl 0.9.8 cpe:/a:openssl:openssl:0.9.8
Oracle Openjdk 1.7.0 cpe:/a:oracle:openjdk:1.7.0
Openssl Openssl 0.9.8c cpe:/a:openssl:openssl:0.9.8c
Polarssl Polarssl 0.14.3 cpe:/a:polarssl:polarssl:0.14.3
Openssl Openssl 1.0.0f cpe:/a:openssl:openssl:1.0.0f
Polarssl Polarssl 1.1.2 cpe:/a:polarssl:polarssl:1.1.2
Openssl Openssl 1.0.0e cpe:/a:openssl:openssl:1.0.0e
Polarssl Polarssl 1.1.3 cpe:/a:polarssl:polarssl:1.1.3
Polarssl Polarssl 1.1.0 cpe:/a:polarssl:polarssl:1.1.0
Openssl Openssl 1.0.0g cpe:/a:openssl:openssl:1.0.0g
Openssl Openssl 1.0.0j cpe:/a:openssl:openssl:1.0.0j
Openssl Openssl 1.0.0i cpe:/a:openssl:openssl:1.0.0i
Polarssl Polarssl 1.1.4 cpe:/a:polarssl:polarssl:1.1.4
Openssl Openssl 0.9.8w cpe:/a:openssl:openssl:0.9.8w
Polarssl Polarssl 0.12.0 cpe:/a:polarssl:polarssl:0.12.0
Polarssl Polarssl 0.10.1 cpe:/a:polarssl:polarssl:0.10.1
Polarssl Polarssl 0.14.0 cpe:/a:polarssl:polarssl:0.14.0
Polarssl Polarssl 0.99 cpe:/a:polarssl:polarssl:0.99:pre1
Polarssl Polarssl 0.12.1 cpe:/a:polarssl:polarssl:0.12.1
Polarssl Polarssl 1.1.1 cpe:/a:polarssl:polarssl:1.1.1
Openssl Openssl 0.9.8v cpe:/a:openssl:openssl:0.9.8v
Polarssl Polarssl 0.14.2 cpe:/a:polarssl:polarssl:0.14.2
Openssl Openssl 0.9.8u cpe:/a:openssl:openssl:0.9.8u
Openssl Openssl 0.9.8x cpe:/a:openssl:openssl:0.9.8x
Openssl Openssl 0.9.8o cpe:/a:openssl:openssl:0.9.8o
Openssl Openssl 0.9.8r cpe:/a:openssl:openssl:0.9.8r
Openssl Openssl 0.9.8q cpe:/a:openssl:openssl:0.9.8q
Openssl Openssl 0.9.8t cpe:/a:openssl:openssl:0.9.8t
Openssl Openssl 0.9.8k cpe:/a:openssl:openssl:0.9.8k
Oracle Openjdk - cpe:/a:oracle:openjdk:-
Openssl Openssl 0.9.8n cpe:/a:openssl:openssl:0.9.8n
Openssl Openssl 0.9.8m cpe:/a:openssl:openssl:0.9.8m
Openssl Openssl 0.9.8p cpe:/a:openssl:openssl:0.9.8p
Openssl Openssl 0.9.8g cpe:/a:openssl:openssl:0.9.8g
Openssl Openssl 0.9.8j cpe:/a:openssl:openssl:0.9.8j
Polarssl Polarssl 0.99 cpe:/a:polarssl:polarssl:0.99:pre3
Openssl Openssl 0.9.8i cpe:/a:openssl:openssl:0.9.8i
Openssl Openssl 0.9.8l cpe:/a:openssl:openssl:0.9.8l
Openssl Openssl 1.0.0b cpe:/a:openssl:openssl:1.0.0b
Openssl Openssl 0.9.8f cpe:/a:openssl:openssl:0.9.8f
Openssl Openssl 1.0.0a cpe:/a:openssl:openssl:1.0.0a
Polarssl Polarssl 0.99 cpe:/a:polarssl:polarssl:0.99:pre4
Openssl Openssl 1.0.0d cpe:/a:openssl:openssl:1.0.0d
Openssl Openssl 0.9.8h cpe:/a:openssl:openssl:0.9.8h
Polarssl Polarssl 0.99 cpe:/a:polarssl:polarssl:0.99:pre5
Openssl Openssl 0.9.8 cpe:/a:openssl:openssl:0.9.8:beta1
Openssl Openssl 0.9.8 cpe:/a:openssl:openssl:0.9.8:beta2
Openssl Openssl 0.9.8 cpe:/a:openssl:openssl:0.9.8:beta3
Openssl Openssl 0.9.8 cpe:/a:openssl:openssl:0.9.8:beta4
Openssl Openssl 0.9.8 cpe:/a:openssl:openssl:0.9.8:beta5
Openssl Openssl 0.9.8 cpe:/a:openssl:openssl:0.9.8:beta6
Openssl Openssl 0.9.8e cpe:/a:openssl:openssl:0.9.8e
Openssl Openssl 0.9.8m cpe:/a:openssl:openssl:0.9.8m:beta1
Openssl Openssl 1.0.0 cpe:/a:openssl:openssl:1.0.0:beta1
Openssl Openssl 1.0.0 cpe:/a:openssl:openssl:1.0.0:beta2
Openssl Openssl 1.0.0 cpe:/a:openssl:openssl:1.0.0:beta3
Openssl Openssl 1.0.0 cpe:/a:openssl:openssl:1.0.0:beta4
Openssl Openssl 1.0.0 cpe:/a:openssl:openssl:1.0.0:beta5
Openssl Openssl 1.0.0h cpe:/a:openssl:openssl:1.0.0h
Openssl Openssl 1.0.1 cpe:/a:openssl:openssl:1.0.1:beta1
Openssl Openssl 1.0.1 cpe:/a:openssl:openssl:1.0.1:beta2
Openssl Openssl 1.0.1 cpe:/a:openssl:openssl:1.0.1:beta3
Openssl Openssl 1.0.1d cpe:/a:openssl:openssl:1.0.1d

CWE

ID Name Description
CWE-310 Cryptographic Issues Weaknesses in this category are related to the use of cryptography.

References

Source Link
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
MISC http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
CONFIRM https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
CONFIRM http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
SECTRACK http://www.securitytracker.com/id/1029190
SUSE http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
HP http://marc.info/?l=bugtraq&m=136396549913849&w=2
CONFIRM http://www.matrixssl.org/news.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
HP http://marc.info/?l=bugtraq&m=137545771702053&w=2
CONFIRM https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
MLIST http://openwall.com/lists/oss-security/2013/02/05/24
SUSE http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
HP http://marc.info/?l=bugtraq&m=136432043316835&w=2
APPLE http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
HP http://marc.info/?l=bugtraq&m=136733161405818&w=2
HP http://marc.info/?l=bugtraq&m=136439120408139&w=2
SUSE http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
CONFIRM http://www.openssl.org/news/secadv_20130204.txt
CONFIRM https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
UBUNTU http://www.ubuntu.com/usn/USN-1735-1
CONFIRM http://support.apple.com/kb/HT5880
DEBIAN http://www.debian.org/security/2013/dsa-2622
REDHAT http://rhn.redhat.com/errata/RHSA-2013-0833.html
CONFIRM http://www-01.ibm.com/support/docview.wss?uid=swg21644047
REDHAT http://rhn.redhat.com/errata/RHSA-2013-0782.html
DEBIAN http://www.debian.org/security/2013/dsa-2621
REDHAT http://rhn.redhat.com/errata/RHSA-2013-1456.html
CERT-VN http://www.kb.cert.org/vuls/id/737740
REDHAT http://rhn.redhat.com/errata/RHSA-2013-1455.html
REDHAT http://rhn.redhat.com/errata/RHSA-2013-0783.html
GENTOO http://security.gentoo.org/glsa/glsa-201406-32.xml
CONFIRM http://www.splunk.com/view/SP-CAAAHXG
CERT http://www.us-cert.gov/cas/techalerts/TA13-051A.html
REDHAT http://rhn.redhat.com/errata/RHSA-2013-0587.html
BID http://www.securityfocus.com/bid/57778
MISC http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
CONFIRM https://puppet.com/security/cve/cve-2013-0169
CONFIRM https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
MLIST https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html

History of changes

Date Event
2019-09-23 19:36
2018-09-26 10:29
2018-08-09 01:29
2017-12-09 02:29
2013-02-08 19:55 New CVE