Detections
Analytics
CVE-2013-0169
medium
Description
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
References
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
https://puppet.com/security/cve/cve-2013-0169
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
http://www.us-cert.gov/cas/techalerts/TA13-051A.html
http://www.ubuntu.com/usn/USN-1735-1
http://www.splunk.com/view/SP-CAAAHXG
http://www.securitytracker.com/id/1029190
http://www.securityfocus.com/bid/57778
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
http://www.matrixssl.org/news.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
http://www.kb.cert.org/vuls/id/737740
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.debian.org/security/2013/dsa-2622
http://www.debian.org/security/2013/dsa-2621
http://www-01.ibm.com/support/docview.wss?uid=swg21644047
http://support.apple.com/kb/HT5880
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://secunia.com/advisories/55351
http://secunia.com/advisories/55350
http://secunia.com/advisories/55322
http://secunia.com/advisories/55139
http://secunia.com/advisories/55108
http://secunia.com/advisories/53623
http://rhn.redhat.com/errata/RHSA-2013-1456.html
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://rhn.redhat.com/errata/RHSA-2013-0833.html
http://rhn.redhat.com/errata/RHSA-2013-0783.html
http://rhn.redhat.com/errata/RHSA-2013-0782.html
http://rhn.redhat.com/errata/RHSA-2013-0587.html
http://marc.info/?l=bugtraq&m=137545771702053&w=2
http://marc.info/?l=bugtraq&m=136733161405818&w=2
http://marc.info/?l=bugtraq&m=136439120408139&w=2
http://marc.info/?l=bugtraq&m=136432043316835&w=2
http://marc.info/?l=bugtraq&m=136396549913849&w=2
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
https://medium.com/tenable-techblog/meltdown-of-critical-ics-vulnerabilities-8af3a1a13e6a
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841