CVE-2013-0169

LOW

Description

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

References

http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/

http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html

http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

http://marc.info/?l=bugtraq&m=136396549913849&w=2

http://marc.info/?l=bugtraq&m=136432043316835&w=2

http://marc.info/?l=bugtraq&m=136439120408139&w=2

http://marc.info/?l=bugtraq&m=136733161405818&w=2

http://marc.info/?l=bugtraq&m=137545771702053&w=2

http://openwall.com/lists/oss-security/2013/02/05/24

http://rhn.redhat.com/errata/RHSA-2013-0587.html

http://rhn.redhat.com/errata/RHSA-2013-0782.html

http://rhn.redhat.com/errata/RHSA-2013-0783.html

http://rhn.redhat.com/errata/RHSA-2013-0833.html

http://rhn.redhat.com/errata/RHSA-2013-1455.html

http://rhn.redhat.com/errata/RHSA-2013-1456.html

http://secunia.com/advisories/53623

http://secunia.com/advisories/55108

http://secunia.com/advisories/55139

http://secunia.com/advisories/55322

http://secunia.com/advisories/55350

http://secunia.com/advisories/55351

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://support.apple.com/kb/HT5880

http://www.debian.org/security/2013/dsa-2621

http://www.debian.org/security/2013/dsa-2622

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

http://www.kb.cert.org/vuls/id/737740

http://www.mandriva.com/security/advisories?name=MDVSA-2013:095

http://www.matrixssl.org/news.html

http://www.openssl.org/news/secadv_20130204.txt

http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

http://www.securityfocus.com/bid/57778

http://www.securitytracker.com/id/1029190

http://www.splunk.com/view/SP-CAAAHXG

http://www.ubuntu.com/usn/USN-1735-1

http://www.us-cert.gov/cas/techalerts/TA13-051A.html

http://www-01.ibm.com/support/docview.wss?uid=swg21644047

https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608

https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

https://puppet.com/security/cve/cve-2013-0169

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001

https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084

Details

Source: MITRE

Published: 2013-02-08

Updated: 2019-10-09

Type: CWE-310

Risk Information

CVSS v2.0

Base Score: 2.6

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 4.9

Severity: LOW

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 0.9.8 to 0.9.8x (inclusive)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.0.0 to 1.0.0j (inclusive)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.0.1 to 1.0.1d (inclusive)

Configuration 2

OR

cpe:2.3:a:oracle:openjdk:-:*:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:1.6.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:1.8.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:polarssl:polarssl:0.10.0:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.10.1:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.11.0:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.11.1:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.12.0:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.12.1:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.13.1:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.14.0:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.14.2:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.14.3:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.99:pre1:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.99:pre3:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.99:pre4:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:0.99:pre5:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*

cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*

Tenable Plugins (105 total)

ID | Name | Product | Family | Severity
144298 | IBM HTTP Server 8.5.0.0 <= 8.5.0.2 / 8.0.0.0 <= 8.0.0.6 / 7.0.0.0 <= 7.0.0.27 / 6.1.0.0 <= 6.1.0.45 (491407) | Nessus | Web Servers | low
127177 | NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020) | Nessus | NewStart CGSL Local Security Checks | critical
125000 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547) | Nessus | Huawei Local Security Checks | critical
117711 | Debian DLA-1518-1 : polarssl security update | Nessus | Debian Local Security Checks | medium
94986 | F5 Networks BIG-IP : OpenSSL vulnerability (K93600123) | Nessus | F5 Networks Local Security Checks | low
89666 | VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0009) (remote check) | Nessus | Misc. | medium
89651 | openSUSE Security Update : libopenssl0_9_8 (openSUSE-2016-294) (DROWN) (FREAK) (POODLE) | Nessus | SuSE Local Security Checks | critical
80719 | Oracle Solaris Third-Party Patch Update : openssl (lucky_thirteen_vulnerability_in_solaris) | Nessus | Solaris Local Security Checks | medium
80481 | IBM Tivoli Directory Server < 6.0.0.72 / 6.1.0.55 / 6.2.0.30 / 6.3.0.22 with GSKit < 7.0.4.45 / 8.0.14.27 TLS Side-Channel Timing Information Disclosure | Nessus | Windows | low
80197 | Juniper Junos Space < 14.1R1 Multiple Vulnerabilities (JSA10659) | Nessus | Junos Local Security Checks | high
79738 | SuSE 11.3 Security Update : compat-openssl097g (SAT Patch Number 10033) | Nessus | SuSE Local Security Checks | medium
79532 | OracleVM 3.2 : onpenssl (OVMSA-2014-0008) | Nessus | OracleVM Local Security Checks | critical
79531 | OracleVM 2.2 : openssl (OVMSA-2014-0007) | Nessus | OracleVM Local Security Checks | critical
79013 | RHEL 6 : rhevm-spice-client (RHSA-2014:0416) | Nessus | Red Hat Local Security Checks | high
78976 | RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1456) (ROBOT) | Nessus | Red Hat Local Security Checks | critical
78975 | RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1455) (BEAST) (ROBOT) | Nessus | Red Hat Local Security Checks | critical
78952 | RHEL 6 : rhev-hypervisor6 (RHSA-2013:0636) | Nessus | Red Hat Local Security Checks | high
78199 | F5 Networks BIG-IP : GnuTLS vulnerability (SOL15637) | Nessus | F5 Networks Local Security Checks | medium
78198 | F5 Networks BIG-IP : TLS in Mozilla NSS vulnerability (K15630) | Nessus | F5 Networks Local Security Checks | medium
78142 | F5 Networks BIG-IP : TLS/DTLS 'Lucky 13' vulnerability (K14190) | Nessus | F5 Networks Local Security Checks | low
77326 | Juniper NSM < 2012.2R9 Multiple Java and Apache Vulnerabilities (JSA10642) | Nessus | Misc. | critical
77120 | IBM Tivoli Storage Manager Server 6.3.x < 6.3.4.200 Information Disclosure | Nessus | General | low
77118 | IBM Tivoli Storage Manager Server 6.2.x < 6.2.6.0 Multiple Vulnerabilities | Nessus | General | low
77117 | IBM Tivoli Storage Manager Server 6.1.x Multiple Vulnerabilities | Nessus | General | low
77116 | IBM Tivoli Storage Manager Server 5.5.x Multiple Vulnerabilities | Nessus | General | low
76489 | Ipswitch IMail Server 11.x / 12.x < 12.3 Information Disclosure | Nessus | Misc. | low
76303 | GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT) | Nessus | Gentoo Local Security Checks | critical
76110 | IBM DB2 10.1 < Fix Pack 3a Multiple Vulnerabilities | Nessus | Databases | high
74906 | openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2013:0375-1) | Nessus | SuSE Local Security Checks | critical
74902 | openSUSE Security Update : openssl (openSUSE-SU-2013:0337-1) | Nessus | SuSE Local Security Checks | medium
74901 | openSUSE Security Update : openssl (openSUSE-SU-2013:0336-1) | Nessus | SuSE Local Security Checks | high
73563 | AIX OpenSSL Advisory : openssl_advisory5.asc | Nessus | AIX Local Security Checks | medium
72139 | GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT) | Nessus | Gentoo Local Security Checks | critical
72037 | ESXi 5.1 < Build 1483097 Multiple Vulnerabilities (remote check) | Nessus | Misc. | low
71169 | GLSA-201312-03 : OpenSSL: Multiple Vulnerabilities | Nessus | Gentoo Local Security Checks | high
70879 | ESXi 5.0 < Build 1311175 Multiple Vulnerabilities (remote check) | Nessus | Misc. | medium
70486 | GLSA-201310-10 : PolarSSL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
70460 | Oracle Database Multiple Vulnerabilities (October 2013 CPU) (BEAST) | Nessus | Databases | medium
70022 | IBM WebSphere Application Server 6.1 < Fix Pack 47 Multiple Vulnerabilities | Nessus | Web Servers | critical
69987 | Junos Pulse Secure IVE / UAC OS Multiple SSL Vulnerabilities | Nessus | Misc. | high
8008 | Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004) | Nessus Network Monitor | Web Clients | critical
69878 | Mac OS X Multiple Vulnerabilities (Security Update 2013-004) | Nessus | MacOS X Local Security Checks | critical
69877 | Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical
69730 | Amazon Linux AMI : openssl (ALAS-2013-171) | Nessus | Amazon Linux Local Security Checks | medium
69722 | Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-163) | Nessus | Amazon Linux Local Security Checks | critical
69721 | Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-162) | Nessus | Amazon Linux Local Security Checks | critical
69449 | IBM WebSphere Application Server 8.0 < Fix Pack 7 Multiple Vulnerabilities | Nessus | Web Servers | high
69193 | VMSA-2013-0009 : VMware vSphere, ESX and ESXi updates to third-party libraries | Nessus | VMware ESX Local Security Checks | medium
69021 | IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5 Multiple Vulnerabilities | Nessus | Web Servers | high
68982 | IBM WebSphere Application Server 7.0 < Fix Pack 29 Multiple Vulnerabilities | Nessus | Web Servers | high
68908 | Juniper Junos OpenSSL Multiple Vulnerabilities (JSA10575) | Nessus | Junos Local Security Checks | medium
68768 | Oracle Linux 5 / 6 : openssl (ELSA-2013-0587) | Nessus | Oracle Linux Local Security Checks | medium
68736 | Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0275) | Nessus | Oracle Linux Local Security Checks | critical
68735 | Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2013-0274) | Nessus | Oracle Linux Local Security Checks | critical
68734 | Oracle Linux 6 : java-1.6.0-openjdk (ELSA-2013-0273) | Nessus | Oracle Linux Local Security Checks | critical
67231 | IBM GSKit 7.x < 7.0.4.45 / 8.0.14.x < 8.0.14.27 TLS Side-Channel Timing Information Disclosure | Nessus | General | low
66971 | JBoss Enterprise Application Platform 6.1.0 Update (RHSA-2013:0833) | Nessus | Red Hat Local Security Checks | high
6868 | OpenSSL < 0.9.8y / 1.0.1d / 1.0.0k Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium
66835 | Splunk 5.0.x < 5.0.3 Multiple Vulnerabilities | Nessus | CGI abuses | medium
66550 | RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:0855) | Nessus | Red Hat Local Security Checks | critical
66440 | RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2013:0823) | Nessus | Red Hat Local Security Checks | critical
66439 | RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:0822) | Nessus | Red Hat Local Security Checks | critical
66375 | IBM WebSphere Application Server 8.5 < Fix Pack 2 Multiple Vulnerabilities | Nessus | Web Servers | critical
66374 | IBM WebSphere Application Server 8.0 < Fix Pack 6 Multiple Vulnerabilities | Nessus | Web Servers | critical
66270 | IBM Tivoli Endpoint Manager Server < 8.2.1372 Multiple Vulnerabilities | Nessus | CGI abuses | medium
66198 | SuSE 10 Security Update : java-1_6_0-ibm (ZYPP Patch Number 8544) | Nessus | SuSE Local Security Checks | critical
66194 | SuSE 11.2 Security Update : IBM Java (SAT Patch Number 7627) | Nessus | SuSE Local Security Checks | critical
66107 | Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:095) | Nessus | Mandriva Local Security Checks | critical
66066 | Mandriva Linux Security Advisory : openssl (MDVSA-2013:052) | Nessus | Mandriva Local Security Checks | medium
66031 | SuSE 11.2 Security Update : java-1_7_0-ibm (SAT Patch Number 7623) | Nessus | SuSE Local Security Checks | critical
65842 | FreeBSD : FreeBSD -- OpenSSL multiple vulnerabilities (69bfc852-9bd0-11e2-a7be-8c705af55518) | Nessus | FreeBSD Local Security Checks | medium
65776 | Fedora 18 : mingw-openssl-1.0.1e-1.fc18 (2013-4403) | Nessus | Fedora Local Security Checks | low
65719 | SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 8517) | Nessus | SuSE Local Security Checks | medium
65718 | SuSE 11.2 Security Update : OpenSSL (SAT Patch Number 7548) | Nessus | SuSE Local Security Checks | medium
65690 | stunnel 4.21 - 4.54 Multiple Vulnerabilities | Nessus | Windows | medium
65684 | Ubuntu 12.04 LTS / 12.10 : openssl vulnerability (USN-1732-3) | Nessus | Ubuntu Local Security Checks | medium
65081 | Fedora 17 : openssl-1.0.0k-1.fc17 (2013-2793) | Nessus | Fedora Local Security Checks | medium
65061 | CentOS 5 / 6 : openssl (CESA-2013:0587) | Nessus | CentOS Local Security Checks | medium
65022 | Scientific Linux Security Update : openssl on SL5.x, SL6.x i386/x86_64 (20130304) | Nessus | Scientific Linux Local Security Checks | medium
65004 | RHEL 5 / 6 : openssl (RHSA-2013:0587) | Nessus | Red Hat Local Security Checks | medium
64982 | Fedora 18 : openssl-1.0.1e-3.fc18 (2013-2834) | Nessus | Fedora Local Security Checks | medium
64968 | Ubuntu 12.04 LTS / 12.10 : openssl regression (USN-1732-2) | Nessus | Ubuntu Local Security Checks | medium
64896 | CentOS 5 : java-1.6.0-openjdk (CESA-2013:0274) | Nessus | CentOS Local Security Checks | critical
64863 | SuSE 11.2 Security Update : Java (SAT Patch Number 7385) | Nessus | SuSE Local Security Checks | critical
64861 | Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2013:014) | Nessus | Mandriva Local Security Checks | critical
64851 | Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) (Unix) | Nessus | Misc. | critical
64801 | Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openjdk-6, openjdk-7 vulnerabilities (USN-1735-1) | Nessus | Ubuntu Local Security Checks | critical
64798 | Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openssl vulnerabilities (USN-1732-1) | Nessus | Ubuntu Local Security Checks | medium
64790 | Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) | Nessus | Windows | critical
64775 | RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0532) | Nessus | Red Hat Local Security Checks | critical
64774 | RHEL 5 / 6 : java-1.6.0-sun (RHSA-2013:0531) | Nessus | Red Hat Local Security Checks | critical
64748 | RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0275) | Nessus | Red Hat Local Security Checks | critical
64747 | RHEL 5 : java-1.6.0-openjdk (RHSA-2013:0274) | Nessus | Red Hat Local Security Checks | critical
64746 | RHEL 6 : java-1.6.0-openjdk (RHSA-2013:0273) | Nessus | Red Hat Local Security Checks | critical
64731 | CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0275) | Nessus | CentOS Local Security Checks | critical
64730 | CentOS 6 : java-1.6.0-openjdk (CESA-2013:0273) | Nessus | CentOS Local Security Checks | critical
64624 | Debian DSA-2622-1 : polarssl - several vulnerabilities | Nessus | Debian Local Security Checks | medium
64623 | Debian DSA-2621-1 : openssl - several vulnerabilities | Nessus | Debian Local Security Checks | medium
64620 | OpenSSL 1.0.1 < 1.0.1e Information Disclosure | Nessus | Web Servers | low
64535 | Slackware 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : openssl (SSA:2013-040-01) | Nessus | Slackware Local Security Checks | medium
64534 | OpenSSL 1.0.1 < 1.0.1d Multiple Vulnerabilities | Nessus | Web Servers | low
64533 | OpenSSL 1.0.0 < 1.0.0k Multiple Vulnerabilities | Nessus | Web Servers | low
64532 | OpenSSL < 0.9.8y Multiple Vulnerabilities | Nessus | Web Servers | low
64488 | FreeBSD : OpenSSL -- TLS 1.1, 1.2 denial of service (00b0d8cd-7097-11e2-98d9-003067c2616f) | Nessus | FreeBSD Local Security Checks | medium
6699 | Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) | Nessus Network Monitor | Web Clients | critical