Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Published

2013-02-08T19:55:01.030

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 2.6 (LOW)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

4.9

Impact Score

2.9

Weaknesses

Type: Primary
CWE-310

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	openssl	openssl	≤ 0.9.8x	Yes
Application	openssl	openssl	≤ 1.0.0j	Yes
Application	openssl	openssl	≤ 1.0.1d	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.6.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	oracle	openjdk	1.7.0	Yes
Application	polarssl	polarssl	0.10.0	Yes
Application	polarssl	polarssl	0.10.1	Yes
Application	polarssl	polarssl	0.11.0	Yes
Application	polarssl	polarssl	0.11.1	Yes
Application	polarssl	polarssl	0.12.0	Yes
Application	polarssl	polarssl	0.12.1	Yes
Application	polarssl	polarssl	0.13.1	Yes
Application	polarssl	polarssl	0.14.0	Yes
Application	polarssl	polarssl	0.14.2	Yes
Application	polarssl	polarssl	0.14.3	Yes
Application	polarssl	polarssl	0.99	Yes
Application	polarssl	polarssl	0.99	Yes
Application	polarssl	polarssl	0.99	Yes
Application	polarssl	polarssl	0.99	Yes
Application	polarssl	polarssl	1.0.0	Yes
Application	polarssl	polarssl	1.1.0	Yes
Application	polarssl	polarssl	1.1.0	Yes
Application	polarssl	polarssl	1.1.0	Yes
Application	polarssl	polarssl	1.1.1	Yes
Application	polarssl	polarssl	1.1.2	Yes
Application	polarssl	polarssl	1.1.3	Yes
Application	polarssl	polarssl	1.1.4	Yes

References

http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/ Third Party Advisory ([email protected])
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html Mailing List, Third Party Advisory ([email protected])
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=136396549913849&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=136432043316835&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=136439120408139&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=136733161405818&w=2 Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=137545771702053&w=2 Third Party Advisory ([email protected])
http://openwall.com/lists/oss-security/2013/02/05/24 Mailing List ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-0587.html Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-0782.html Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-0783.html Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-0833.html Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1455.html Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1456.html Third Party Advisory ([email protected])
http://secunia.com/advisories/53623 Third Party Advisory ([email protected])
http://secunia.com/advisories/55108 Third Party Advisory ([email protected])
http://secunia.com/advisories/55139 Third Party Advisory ([email protected])
http://secunia.com/advisories/55322 Third Party Advisory ([email protected])
http://secunia.com/advisories/55350 Third Party Advisory ([email protected])
http://secunia.com/advisories/55351 Third Party Advisory ([email protected])
http://security.gentoo.org/glsa/glsa-201406-32.xml Third Party Advisory ([email protected])
http://support.apple.com/kb/HT5880 Third Party Advisory ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg21644047 Third Party Advisory ([email protected])
http://www.debian.org/security/2013/dsa-2621 Third Party Advisory ([email protected])
http://www.debian.org/security/2013/dsa-2622 Third Party Advisory ([email protected])
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf Third Party Advisory ([email protected])
http://www.kb.cert.org/vuls/id/737740 Third Party Advisory, US Government Resource ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 Third Party Advisory ([email protected])
http://www.matrixssl.org/news.html Third Party Advisory ([email protected])
http://www.openssl.org/news/secadv_20130204.txt Vendor Advisory ([email protected])
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/57778 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1029190 Third Party Advisory, VDB Entry ([email protected])
http://www.splunk.com/view/SP-CAAAHXG Third Party Advisory ([email protected])
http://www.ubuntu.com/usn/USN-1735-1 Third Party Advisory ([email protected])
http://www.us-cert.gov/cas/techalerts/TA13-051A.html Third Party Advisory, US Government Resource ([email protected])
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html Third Party Advisory ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540 Tool Signature ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608 Third Party Advisory ([email protected])
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released Vendor Advisory ([email protected])
https://puppet.com/security/cve/cve-2013-0169 Third Party Advisory ([email protected])
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001 Third Party Advisory ([email protected])
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 Third Party Advisory ([email protected])
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136396549913849&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136432043316835&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136439120408139&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136733161405818&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=137545771702053&w=2 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://openwall.com/lists/oss-security/2013/02/05/24 Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-0587.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-0782.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-0783.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-0833.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1455.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1456.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/53623 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/55108 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/55139 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/55322 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/55350 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/55351 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-201406-32.xml Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT5880 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg21644047 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2013/dsa-2621 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2013/dsa-2622 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.kb.cert.org/vuls/id/737740 Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.matrixssl.org/news.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.openssl.org/news/secadv_20130204.txt Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/57778 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1029190 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.splunk.com/view/SP-CAAAHXG Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-1735-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.us-cert.gov/cas/techalerts/TA13-051A.html Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540 Tool Signature (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://puppet.com/security/cve/cve-2013-0169 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)