CVE-2013-0169 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2013-0169

CVE-2013-0169

February 08, 2013

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Related Resources (58)

http://rhn.redhat.com/errata/RHSA-2013-1456.html

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084

https://security-tracker.debian.org/tracker/CVE-2013-0169

http://www.debian.org/security/2013/dsa-2622

http://www.splunk.com/view/SP-CAAAHXG

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html

http://rhn.redhat.com/errata/RHSA-2013-0587.html

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://www.debian.org/security/2013/dsa-2621

http://www.mandriva.com/security/advisories?name=MDVSA-2013:095

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html

http://rhn.redhat.com/errata/RHSA-2013-0782.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424

http://secunia.com/advisories/53623

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841

http://www.securitytracker.com/id/1029190

http://secunia.com/advisories/55139

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html

http://rhn.redhat.com/errata/RHSA-2013-1455.html

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html

http://www.matrixssl.org/news.html

http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016

http://www.securityfocus.com/bid/57778

https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

http://openwall.com/lists/oss-security/2013/02/05/24

http://www-01.ibm.com/support/docview.wss?uid=swg21644047

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540

https://access.redhat.com/security/cve/CVE-2013-0169

http://www.ubuntu.com/usn/USN-1735-1

https://people.canonical.com/~ubuntu-security/cve/CVE-2013-0169

http://rhn.redhat.com/errata/RHSA-2013-0833.html

http://marc.info/?l=bugtraq&m=136396549913849&w=2

http://support.apple.com/kb/HT5880

http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/

http://secunia.com/advisories/55322

http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html

http://marc.info/?l=bugtraq&m=136432043316835&w=2

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001

http://marc.info/?l=bugtraq&m=137545771702053&w=2

http://www.openssl.org/news/secadv_20130204.txt

http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

http://secunia.com/advisories/55351

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608

http://secunia.com/advisories/55108

http://rhn.redhat.com/errata/RHSA-2013-0783.html

https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

http://www.kb.cert.org/vuls/id/737740

http://marc.info/?l=bugtraq&m=136733161405818&w=2

http://secunia.com/advisories/55350

https://puppet.com/security/cve/cve-2013-0169

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html

http://marc.info/?l=bugtraq&m=136439120408139&w=2

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html

http://www.us-cert.gov/cas/techalerts/TA13-051A.html

Do you need more information?

CVSS v4

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

3.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

CVSS v2

Base Score:

2.6

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

EPSS

Base Score:

0.77