CVE - CVE-2013-0169

CVE-ID
CVE-2013-0169	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations URL:http://openwall.com/lists/oss-security/2013/02/05/24 MLIST:[debian-lts-announce] 20180925 [SECURITY] [DLA 1518-1] polarssl security update URL:https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html MISC:http://www.isg.rhul.ac.uk/tls/TLStiming.pdf MISC:http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/ CONFIRM:http://www.matrixssl.org/news.html CONFIRM:http://www.openssl.org/news/secadv_20130204.txt CONFIRM:https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21644047 CONFIRM:http://support.apple.com/kb/HT5880 CONFIRM:http://www.splunk.com/view/SP-CAAAHXG CONFIRM:https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 CONFIRM:https://puppet.com/security/cve/cve-2013-0169 CONFIRM:https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001 APPLE:APPLE-SA-2013-09-12-1 URL:http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html DEBIAN:DSA-2621 URL:http://www.debian.org/security/2013/dsa-2621 DEBIAN:DSA-2622 URL:http://www.debian.org/security/2013/dsa-2622 FEDORA:FEDORA-2013-4403 URL:http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html GENTOO:GLSA-201406-32 URL:http://security.gentoo.org/glsa/glsa-201406-32.xml HP:HPSBUX02856 URL:http://marc.info/?l=bugtraq&m=136396549913849&w=2 HP:SSRT101104 URL:http://marc.info/?l=bugtraq&m=136396549913849&w=2 HP:HPSBMU02874 URL:http://marc.info/?l=bugtraq&m=136733161405818&w=2 HP:HPSBUX02857 URL:http://marc.info/?l=bugtraq&m=136439120408139&w=2 HP:SSRT101103 URL:http://marc.info/?l=bugtraq&m=136439120408139&w=2 HP:SSRT101184 URL:http://marc.info/?l=bugtraq&m=136733161405818&w=2 HP:HPSBUX02909 URL:http://marc.info/?l=bugtraq&m=137545771702053&w=2 HP:SSRT101289 URL:http://marc.info/?l=bugtraq&m=137545771702053&w=2 HP:HPSBOV02852 URL:http://marc.info/?l=bugtraq&m=136432043316835&w=2 HP:SSRT101108 URL:http://marc.info/?l=bugtraq&m=136432043316835&w=2 MANDRIVA:MDVSA-2013:095 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 REDHAT:RHSA-2013:0587 URL:http://rhn.redhat.com/errata/RHSA-2013-0587.html REDHAT:RHSA-2013:0782 URL:http://rhn.redhat.com/errata/RHSA-2013-0782.html REDHAT:RHSA-2013:0783 URL:http://rhn.redhat.com/errata/RHSA-2013-0783.html REDHAT:RHSA-2013:1455 URL:http://rhn.redhat.com/errata/RHSA-2013-1455.html REDHAT:RHSA-2013:1456 URL:http://rhn.redhat.com/errata/RHSA-2013-1456.html REDHAT:RHSA-2013:0833 URL:http://rhn.redhat.com/errata/RHSA-2013-0833.html SUSE:SUSE-SU-2013:0328 URL:http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html SUSE:openSUSE-SU-2013:0375 URL:http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html SUSE:openSUSE-SU-2013:0378 URL:http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html SUSE:SUSE-SU-2013:0701 URL:http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html SUSE:SUSE-SU-2014:0320 URL:http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html SUSE:SUSE-SU-2015:0578 URL:http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html SUSE:openSUSE-SU-2016:0640 URL:http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html UBUNTU:USN-1735-1 URL:http://www.ubuntu.com/usn/USN-1735-1 CERT:TA13-051A URL:http://www.us-cert.gov/cas/techalerts/TA13-051A.html CERT-VN:VU#737740 URL:http://www.kb.cert.org/vuls/id/737740 BID:57778 URL:http://www.securityfocus.com/bid/57778 OVAL:oval:org.mitre.oval:def:19016 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016 OVAL:oval:org.mitre.oval:def:18841 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841 OVAL:oval:org.mitre.oval:def:19424 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424 OVAL:oval:org.mitre.oval:def:19540 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540 OVAL:oval:org.mitre.oval:def:19608 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608 SECTRACK:1029190 URL:http://www.securitytracker.com/id/1029190 SECUNIA:55108 URL:http://secunia.com/advisories/55108 SECUNIA:55139 URL:http://secunia.com/advisories/55139 SECUNIA:55322 URL:http://secunia.com/advisories/55322 SECUNIA:55351 URL:http://secunia.com/advisories/55351 SECUNIA:55350 URL:http://secunia.com/advisories/55350 SECUNIA:53623 URL:http://secunia.com/advisories/53623
Assigning CNA
N/A
Date Entry Created
20121206	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20121206)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org