The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://openwall.com/lists/oss-security/2013/02/05/24
http://rhn.redhat.com/errata/RHSA-2013-0587.html
http://rhn.redhat.com/errata/RHSA-2013-0782.html
http://rhn.redhat.com/errata/RHSA-2013-0783.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://secunia.com/advisories/53623
http://secunia.com/advisories/55108
http://secunia.com/advisories/55139
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://secunia.com/advisories/55351
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://support.apple.com/kb/HT5880
http://www.debian.org/security/2013/dsa-2621
http://www.debian.org/security/2013/dsa-2622
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://www.matrixssl.org/news.html
http://www.openssl.org/news/secadv_20130204.txt
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
http://www.securityfocus.com/bid/57778
http://www.securitytracker.com/id/1029190
http://www.splunk.com/view/SP-CAAAHXG
http://www.ubuntu.com/usn/USN-1735-1
http://www.us-cert.gov/cas/techalerts/TA13-051A.html
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
https://puppet.com/security/cve/cve-2013-0169
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
OR
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 0.9.8 to 0.9.8x (inclusive)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.0.0 to 1.0.0j (inclusive)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.0.1 to 1.0.1d (inclusive)
OR
cpe:2.3:a:oracle:openjdk:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:openjdk:1.6.0:*:*:*:*:*:*:*
OR
cpe:2.3:a:polarssl:polarssl:0.10.0:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.10.1:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.11.0:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.11.1:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.12.0:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.12.1:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.13.1:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.14.0:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.14.2:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.14.3:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.99:pre1:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.99:pre3:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.99:pre4:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:0.99:pre5:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
144298 | IBM HTTP Server 8.5.0.0 <= 8.5.0.2 / 8.0.0.0 <= 8.0.0.6 / 7.0.0.0 <= 7.0.0.27 / 6.1.0.0 <= 6.1.0.45 (491407) | Nessus | Web Servers | low |
127177 | NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020) | Nessus | NewStart CGSL Local Security Checks | critical |
125000 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547) | Nessus | Huawei Local Security Checks | critical |
117711 | Debian DLA-1518-1 : polarssl security update | Nessus | Debian Local Security Checks | medium |
94986 | F5 Networks BIG-IP : OpenSSL vulnerability (K93600123) | Nessus | F5 Networks Local Security Checks | low |
89666 | VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0009) (remote check) | Nessus | Misc. | medium |
89651 | openSUSE Security Update : libopenssl0_9_8 (openSUSE-2016-294) (DROWN) (FREAK) (POODLE) | Nessus | SuSE Local Security Checks | critical |
80719 | Oracle Solaris Third-Party Patch Update : openssl (lucky_thirteen_vulnerability_in_solaris) | Nessus | Solaris Local Security Checks | medium |
80481 | IBM Tivoli Directory Server < 6.0.0.72 / 6.1.0.55 / 6.2.0.30 / 6.3.0.22 with GSKit < 7.0.4.45 / 8.0.14.27 TLS Side-Channel Timing Information Disclosure | Nessus | Windows | low |
80197 | Juniper Junos Space < 14.1R1 Multiple Vulnerabilities (JSA10659) | Nessus | Junos Local Security Checks | high |
79738 | SuSE 11.3 Security Update : compat-openssl097g (SAT Patch Number 10033) | Nessus | SuSE Local Security Checks | medium |
79532 | OracleVM 3.2 : openssl (OVMSA-2014-0008) | Nessus | OracleVM Local Security Checks | critical |
79531 | OracleVM 2.2 : openssl (OVMSA-2014-0007) | Nessus | OracleVM Local Security Checks | critical |
79013 | RHEL 6 : rhevm-spice-client (RHSA-2014:0416) | Nessus | Red Hat Local Security Checks | high |
78976 | RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1456) (ROBOT) | Nessus | Red Hat Local Security Checks | critical |
78975 | RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1455) (BEAST) (ROBOT) | Nessus | Red Hat Local Security Checks | critical |
78952 | RHEL 6 : rhev-hypervisor6 (RHSA-2013:0636) | Nessus | Red Hat Local Security Checks | high |
78199 | F5 Networks BIG-IP : GnuTLS vulnerability (SOL15637) | Nessus | F5 Networks Local Security Checks | medium |
78198 | F5 Networks BIG-IP : TLS in Mozilla NSS vulnerability (K15630) | Nessus | F5 Networks Local Security Checks | medium |
78142 | F5 Networks BIG-IP : TLS/DTLS 'Lucky 13' vulnerability (K14190) | Nessus | F5 Networks Local Security Checks | low |
77326 | Juniper NSM < 2012.2R9 Multiple Java and Apache Vulnerabilities (JSA10642) | Nessus | Misc. | critical |
77120 | IBM Tivoli Storage Manager Server 6.3.x < 6.3.4.200 Information Disclosure | Nessus | General | low |
77118 | IBM Tivoli Storage Manager Server 6.2.x < 6.2.6.0 Multiple Vulnerabilities | Nessus | General | low |
77117 | IBM Tivoli Storage Manager Server 6.1.x Multiple Vulnerabilities | Nessus | General | low |
77116 | IBM Tivoli Storage Manager Server 5.5.x Multiple Vulnerabilities | Nessus | General | low |
76489 | Ipswitch IMail Server 11.x / 12.x < 12.3 Information Disclosure | Nessus | Misc. | low |
76303 | GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT) | Nessus | Gentoo Local Security Checks | critical |
76110 | IBM DB2 10.1 < Fix Pack 3a Multiple Vulnerabilities | Nessus | Databases | high |
74906 | openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2013:0375-1) | Nessus | SuSE Local Security Checks | critical |
74902 | openSUSE Security Update : openssl (openSUSE-SU-2013:0337-1) | Nessus | SuSE Local Security Checks | medium |
74901 | openSUSE Security Update : openssl (openSUSE-SU-2013:0336-1) | Nessus | SuSE Local Security Checks | high |
73563 | AIX OpenSSL Advisory : openssl_advisory5.asc | Nessus | AIX Local Security Checks | medium |
72139 | GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT) | Nessus | Gentoo Local Security Checks | critical |
72037 | ESXi 5.1 < Build 1483097 Multiple Vulnerabilities (remote check) | Nessus | Misc. | low |
71169 | GLSA-201312-03 : OpenSSL: Multiple Vulnerabilities | Nessus | Gentoo Local Security Checks | high |
70879 | ESXi 5.0 < Build 1311175 Multiple Vulnerabilities (remote check) | Nessus | Misc. | medium |
70486 | GLSA-201310-10 : PolarSSL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
70460 | Oracle Database Multiple Vulnerabilities (October 2013 CPU) (BEAST) | Nessus | Databases | medium |
70022 | IBM WebSphere Application Server 6.1 < Fix Pack 47 Multiple Vulnerabilities | Nessus | Web Servers | critical |
69987 | Junos Pulse Secure IVE / UAC OS Multiple SSL Vulnerabilities | Nessus | Misc. | high |
8008 | Mac OS X 10.8 < 10.8.5 Multiple Vulnerabilities (Security Update 2013-004) | Nessus Network Monitor | Web Clients | critical |
69878 | Mac OS X Multiple Vulnerabilities (Security Update 2013-004) | Nessus | MacOS X Local Security Checks | critical |
69877 | Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical |
69730 | Amazon Linux AMI : openssl (ALAS-2013-171) | Nessus | Amazon Linux Local Security Checks | medium |
69722 | Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-163) | Nessus | Amazon Linux Local Security Checks | critical |
69721 | Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-162) | Nessus | Amazon Linux Local Security Checks | critical |
69449 | IBM WebSphere Application Server 8.0 < Fix Pack 7 Multiple Vulnerabilities | Nessus | Web Servers | high |
69193 | VMSA-2013-0009 : VMware vSphere, ESX and ESXi updates to third-party libraries | Nessus | VMware ESX Local Security Checks | medium |
69021 | IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5 Multiple Vulnerabilities | Nessus | Web Servers | high |
68982 | IBM WebSphere Application Server 7.0 < Fix Pack 29 Multiple Vulnerabilities | Nessus | Web Servers | high |
68908 | Juniper Junos OpenSSL Multiple Vulnerabilities (JSA10575) | Nessus | Junos Local Security Checks | medium |
68768 | Oracle Linux 5 / 6 : openssl (ELSA-2013-0587) | Nessus | Oracle Linux Local Security Checks | medium |
68736 | Oracle Linux 5 / 6 : java-1.7.0-openjdk (ELSA-2013-0275) | Nessus | Oracle Linux Local Security Checks | critical |
68735 | Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2013-0274) | Nessus | Oracle Linux Local Security Checks | critical |
68734 | Oracle Linux 6 : java-1.6.0-openjdk (ELSA-2013-0273) | Nessus | Oracle Linux Local Security Checks | critical |
67231 | IBM GSKit 7.x < 7.0.4.45 / 8.0.14.x < 8.0.14.27 TLS Side-Channel Timing Information Disclosure | Nessus | General | low |
66971 | JBoss Enterprise Application Platform 6.1.0 Update (RHSA-2013:0833) | Nessus | Red Hat Local Security Checks | high |
6868 | OpenSSL < 0.9.8y / 1.0.1d / 1.0.0k Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
66835 | Splunk 5.0.x < 5.0.3 Multiple Vulnerabilities | Nessus | CGI abuses | medium |
66550 | RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:0855) | Nessus | Red Hat Local Security Checks | critical |
66440 | RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2013:0823) | Nessus | Red Hat Local Security Checks | critical |
66439 | RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:0822) | Nessus | Red Hat Local Security Checks | critical |
66375 | IBM WebSphere Application Server 8.5 < Fix Pack 2 Multiple Vulnerabilities | Nessus | Web Servers | critical |
66374 | IBM WebSphere Application Server 8.0 < Fix Pack 6 Multiple Vulnerabilities | Nessus | Web Servers | critical |
66270 | IBM Tivoli Endpoint Manager Server < 8.2.1372 Multiple Vulnerabilities | Nessus | CGI abuses | medium |
66198 | SuSE 10 Security Update : java-1_6_0-ibm (ZYPP Patch Number 8544) | Nessus | SuSE Local Security Checks | critical |
66194 | SuSE 11.2 Security Update : IBM Java (SAT Patch Number 7627) | Nessus | SuSE Local Security Checks | critical |
66107 | Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:095) | Nessus | Mandriva Local Security Checks | critical |
66066 | Mandriva Linux Security Advisory : openssl (MDVSA-2013:052) | Nessus | Mandriva Local Security Checks | medium |
66031 | SuSE 11.2 Security Update : java-1_7_0-ibm (SAT Patch Number 7623) | Nessus | SuSE Local Security Checks | critical |
65842 | FreeBSD : FreeBSD -- OpenSSL multiple vulnerabilities (69bfc852-9bd0-11e2-a7be-8c705af55518) | Nessus | FreeBSD Local Security Checks | medium |
65776 | Fedora 18 : mingw-openssl-1.0.1e-1.fc18 (2013-4403) | Nessus | Fedora Local Security Checks | low |
65719 | SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 8517) | Nessus | SuSE Local Security Checks | medium |
65718 | SuSE 11.2 Security Update : OpenSSL (SAT Patch Number 7548) | Nessus | SuSE Local Security Checks | medium |
65690 | stunnel 4.21 - 4.54 Multiple Vulnerabilities | Nessus | Windows | medium |
65684 | Ubuntu 12.04 LTS / 12.10 : openssl vulnerability (USN-1732-3) | Nessus | Ubuntu Local Security Checks | medium |
65081 | Fedora 17 : openssl-1.0.0k-1.fc17 (2013-2793) | Nessus | Fedora Local Security Checks | medium |
65061 | CentOS 5 / 6 : openssl (CESA-2013:0587) | Nessus | CentOS Local Security Checks | medium |
65022 | Scientific Linux Security Update : openssl on SL5.x, SL6.x i386/x86_64 (20130304) | Nessus | Scientific Linux Local Security Checks | medium |
65004 | RHEL 5 / 6 : openssl (RHSA-2013:0587) | Nessus | Red Hat Local Security Checks | medium |
64982 | Fedora 18 : openssl-1.0.1e-3.fc18 (2013-2834) | Nessus | Fedora Local Security Checks | medium |
64968 | Ubuntu 12.04 LTS / 12.10 : openssl regression (USN-1732-2) | Nessus | Ubuntu Local Security Checks | medium |
64896 | CentOS 5 : java-1.6.0-openjdk (CESA-2013:0274) | Nessus | CentOS Local Security Checks | critical |
64863 | SuSE 11.2 Security Update : Java (SAT Patch Number 7385) | Nessus | SuSE Local Security Checks | critical |
64861 | Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2013:014) | Nessus | Mandriva Local Security Checks | critical |
64851 | Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) (Unix) | Nessus | Misc. | critical |
64801 | Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openjdk-6, openjdk-7 vulnerabilities (USN-1735-1) | Nessus | Ubuntu Local Security Checks | critical |
64798 | Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openssl vulnerabilities (USN-1732-1) | Nessus | Ubuntu Local Security Checks | medium |
64790 | Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) | Nessus | Windows | critical |
64775 | RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:0532) | Nessus | Red Hat Local Security Checks | critical |
64774 | RHEL 5 / 6 : java-1.6.0-sun (RHSA-2013:0531) | Nessus | Red Hat Local Security Checks | critical |
64748 | RHEL 5 / 6 : java-1.7.0-openjdk (RHSA-2013:0275) | Nessus | Red Hat Local Security Checks | critical |
64747 | RHEL 5 : java-1.6.0-openjdk (RHSA-2013:0274) | Nessus | Red Hat Local Security Checks | critical |
64746 | RHEL 6 : java-1.6.0-openjdk (RHSA-2013:0273) | Nessus | Red Hat Local Security Checks | critical |
64731 | CentOS 5 / 6 : java-1.7.0-openjdk (CESA-2013:0275) | Nessus | CentOS Local Security Checks | critical |
64730 | CentOS 6 : java-1.6.0-openjdk (CESA-2013:0273) | Nessus | CentOS Local Security Checks | critical |
64624 | Debian DSA-2622-1 : polarssl - several vulnerabilities | Nessus | Debian Local Security Checks | medium |
64623 | Debian DSA-2621-1 : openssl - several vulnerabilities | Nessus | Debian Local Security Checks | medium |
64620 | OpenSSL 1.0.1 < 1.0.1e Information Disclosure | Nessus | Web Servers | low |
64535 | Slackware 12.1 / 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : openssl (SSA:2013-040-01) | Nessus | Slackware Local Security Checks | medium |
64534 | OpenSSL 1.0.1 < 1.0.1d Multiple Vulnerabilities | Nessus | Web Servers | low |
64533 | OpenSSL 1.0.0 < 1.0.0k Multiple Vulnerabilities | Nessus | Web Servers | low |
64532 | OpenSSL < 0.9.8y Multiple Vulnerabilities | Nessus | Web Servers | low |
64488 | FreeBSD : OpenSSL -- TLS 1.1, 1.2 denial of service (00b0d8cd-7097-11e2-98d9-003067c2616f) | Nessus | FreeBSD Local Security Checks | medium |
6699 | Oracle Java SE Multiple Vulnerabilities (February 2013 CPU Update 1) | Nessus Network Monitor | Web Clients | critical |