CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Published date
2013-02-08T19:55Z
Last modification date
2023-05-12T12:58Z
Assigner
secalert@redhat.com
Problem type
CWE-310
NameURLSourceTags
http://www.openssl.org/news/secadv_20130204.txthttp://www.openssl.org/news/secadv_20130204.txtCONFIRMVendor Advisory
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-releasedhttps://polarssl.org/tech-updates/releases/polarssl-1.2.5-releasedCONFIRMVendor Advisory
[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementationshttp://openwall.com/lists/oss-security/2013/02/05/24MLISTMailing List
http://www.isg.rhul.ac.uk/tls/TLStiming.pdfhttp://www.isg.rhul.ac.uk/tls/TLStiming.pdfMISCThird Party Advisory
http://www.matrixssl.org/news.htmlhttp://www.matrixssl.org/news.htmlCONFIRMThird Party Advisory
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.htmlhttp://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.htmlCONFIRMThird Party Advisory
USN-1735-1http://www.ubuntu.com/usn/USN-1735-1UBUNTUThird Party Advisory
openSUSE-SU-2013:0375http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.htmlSUSEThird Party Advisory
DSA-2621http://www.debian.org/security/2013/dsa-2621DEBIANThird Party Advisory
SUSE-SU-2013:0328http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.htmlSUSEThird Party Advisory
RHSA-2013:0587http://rhn.redhat.com/errata/RHSA-2013-0587.htmlREDHATThird Party Advisory
DSA-2622http://www.debian.org/security/2013/dsa-2622DEBIANThird Party Advisory
openSUSE-SU-2013:0378http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.htmlSUSEThird Party Advisory
TA13-051Ahttp://www.us-cert.gov/cas/techalerts/TA13-051A.htmlCERTThird Party Advisory, US Government Resource
RHSA-2013:0783http://rhn.redhat.com/errata/RHSA-2013-0783.htmlREDHATThird Party Advisory
HPSBUX02856http://marc.info/?l=bugtraq&m=136396549913849&w=2HPThird Party Advisory
HPSBUX02857http://marc.info/?l=bugtraq&m=136439120408139&w=2HPThird Party Advisory
HPSBMU02874http://marc.info/?l=bugtraq&m=136733161405818&w=2HPThird Party Advisory
RHSA-2013:0782http://rhn.redhat.com/errata/RHSA-2013-0782.htmlREDHATThird Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21644047http://www-01.ibm.com/support/docview.wss?uid=swg21644047CONFIRMThird Party Advisory
VU#737740http://www.kb.cert.org/vuls/id/737740CERT-VNThird Party Advisory, US Government Resource
APPLE-SA-2013-09-12-1http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.htmlAPPLEMailing List, Third Party Advisory
http://support.apple.com/kb/HT5880http://support.apple.com/kb/HT5880CONFIRMThird Party Advisory
55139http://secunia.com/advisories/55139SECUNIAThird Party Advisory
55108http://secunia.com/advisories/55108SECUNIAThird Party Advisory
55351http://secunia.com/advisories/55351SECUNIAThird Party Advisory
55350http://secunia.com/advisories/55350SECUNIAThird Party Advisory
1029190http://www.securitytracker.com/id/1029190SECTRACKThird Party Advisory, VDB Entry
55322http://secunia.com/advisories/55322SECUNIAThird Party Advisory
RHSA-2013:1455http://rhn.redhat.com/errata/RHSA-2013-1455.htmlREDHATThird Party Advisory
RHSA-2013:0833http://rhn.redhat.com/errata/RHSA-2013-0833.htmlREDHATThird Party Advisory
RHSA-2013:1456http://rhn.redhat.com/errata/RHSA-2013-1456.htmlREDHATThird Party Advisory
FEDORA-2013-4403http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.htmlFEDORAThird Party Advisory
SSRT101289http://marc.info/?l=bugtraq&m=137545771702053&w=2HPThird Party Advisory
SUSE-SU-2013:0701http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.htmlSUSEThird Party Advisory
http://www.splunk.com/view/SP-CAAAHXGhttp://www.splunk.com/view/SP-CAAAHXGCONFIRMThird Party Advisory
53623http://secunia.com/advisories/53623SECUNIAThird Party Advisory
MDVSA-2013:095http://www.mandriva.com/security/advisories?name=MDVSA-2013:095MANDRIVAThird Party Advisory
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084CONFIRMThird Party Advisory
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/MISCThird Party Advisory
SUSE-SU-2014:0320http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.htmlSUSEThird Party Advisory
GLSA-201406-32http://security.gentoo.org/glsa/glsa-201406-32.xmlGENTOOThird Party Advisory
SUSE-SU-2015:0578http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.htmlSUSEThird Party Advisory
SSRT101108http://marc.info/?l=bugtraq&m=136432043316835&w=2HPThird Party Advisory
57778http://www.securityfocus.com/bid/57778BIDThird Party Advisory, VDB Entry
openSUSE-SU-2016:0640http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlSUSEThird Party Advisory
oval:org.mitre.oval:def:19608https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608OVALThird Party Advisory
oval:org.mitre.oval:def:19540https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540OVALTool Signature
oval:org.mitre.oval:def:19424https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424OVALTool Signature
oval:org.mitre.oval:def:19016https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016OVALTool Signature
oval:org.mitre.oval:def:18841https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841OVALTool Signature
https://puppet.com/security/cve/cve-2013-0169https://puppet.com/security/cve/cve-2013-0169CONFIRMThird Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001CONFIRMThird Party Advisory
[debian-lts-announce] 20180925 [SECURITY] [DLA 1518-1] polarssl security updatehttps://lists.debian.org/debian-lts-announce/2018/09/msg00029.htmlMLISTThird Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdfhttps://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdfCONFIRMThird Party Advisory