CVE-2013-0169
Summary
| CVE | CVE-2013-0169 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2013-02-08 19:55:00 UTC |
| Updated | 2023-05-12 12:58:00 UTC |
| Description | The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. |
Risk And Classification
Problem Types: CWE-310
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Openssl | Openssl | All | All | All | All |
| Application | Openssl | Openssl | All | All | All | All |
| Application | Openssl | Openssl | All | All | All | All |
| Application | Oracle | Openjdk | - | All | All | All |
| Application | Oracle | Openjdk | 1.6.0 | All | All | All |
| Application | Oracle | Openjdk | 1.6.0 | - | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update1 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update10 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update11 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update12 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update13 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update14 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update15 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update16 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update17 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update18 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update19 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update2 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update20 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update21 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update22 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update23 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update24 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update25 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update26 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update27 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update29 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update3 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update30 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update31 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update32 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update33 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update34 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update35 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update37 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update38 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update4 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update5 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update6 | All | All |
| Application | Oracle | Openjdk | 1.6.0 | update7 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | All | All | All |
| Application | Oracle | Openjdk | 1.7.0 | - | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update1 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update10 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update11 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update13 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update2 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update3 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update4 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update5 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update6 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update7 | All | All |
| Application | Oracle | Openjdk | 1.7.0 | update9 | All | All |
| Application | Oracle | Openjdk | 1.8.0 | All | All | All |
| Application | Oracle | Openjdk | - | All | All | All |
| Application | Oracle | Openjdk | 1.6.0 | All | All | All |
| Application | Oracle | Openjdk | 1.7.0 | All | All | All |
| Application | Oracle | Openjdk | 1.8.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.10.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.10.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.11.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.11.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.12.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.12.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.13.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.14.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.14.2 | All | All | All |
| Application | Polarssl | Polarssl | 0.14.3 | All | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre1 | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre3 | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre4 | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre5 | All | All |
| Application | Polarssl | Polarssl | 1.0.0 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.0 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.0 | rc0 | All | All |
| Application | Polarssl | Polarssl | 1.1.0 | rc1 | All | All |
| Application | Polarssl | Polarssl | 1.1.1 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.2 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.3 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.4 | All | All | All |
| Application | Polarssl | Polarssl | 0.10.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.10.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.11.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.11.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.12.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.12.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.13.1 | All | All | All |
| Application | Polarssl | Polarssl | 0.14.0 | All | All | All |
| Application | Polarssl | Polarssl | 0.14.2 | All | All | All |
| Application | Polarssl | Polarssl | 0.14.3 | All | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre1 | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre3 | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre4 | All | All |
| Application | Polarssl | Polarssl | 0.99 | pre5 | All | All |
| Application | Polarssl | Polarssl | 1.0.0 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.0 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.0 | rc0 | All | All |
| Application | Polarssl | Polarssl | 1.1.0 | rc1 | All | All |
| Application | Polarssl | Polarssl | 1.1.1 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.2 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.3 | All | All | All |
| Application | Polarssl | Polarssl | 1.1.4 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Repository / Oval Repository | OVAL | oval.cisecurity.org | Tool Signature |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| Java CPU Feb 2013 Update | CONFIRM | www.oracle.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| [security-announce] SUSE-SU-2014:0320-1: critical: Security update for g | SUSE | lists.opensuse.org | Third Party Advisory |
| Splunk 5.0.3 addresses multiple vulnerabilities - May 28, 2013 | Splunk | CONFIRM | www.splunk.com | Third Party Advisory |
| Support / Security / Advisories / / MDVSA-2013:095 | Mandriva | MANDRIVA | www.mandriva.com | Third Party Advisory |
| Future home of matrixssl.org | CONFIRM | www.matrixssl.org | Third Party Advisory |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | Tool Signature |
| Oracle Java Multiple Vulnerabilities | US-CERT | CERT | www.us-cert.gov | Third Party Advisory, US Government Resource |
| APPLE-SA-2013-09-12-1 OS X Mountain Lion v10.8.5 and Security Update 2013-004 | APPLE | lists.apple.com | Mailing List, Third Party Advisory |
| [security-announce] SUSE-SU-2013:0701-1: important: Security update for | SUSE | lists.opensuse.org | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| Security Advisory SA55108 - IBM Tivoli Storage Productivity Center Multiple Vulnerabilities - Secunia | SECUNIA | secunia.com | Third Party Advisory |
| [security-announce] SUSE-SU-2015:0578-1: important: Security update for | SUSE | lists.opensuse.org | Third Party Advisory |
| [SECURITY] Fedora 18 Update: mingw-openssl-1.0.1e-1.fc18 | FEDORA | lists.fedoraproject.org | Third Party Advisory |
| /err404.html | CONFIRM | www.openssl.org | Vendor Advisory |
| About Secunia Research | Flexera | SECUNIA | secunia.com | Third Party Advisory |
| PolarSSL 1.2.5 released - Tech Updates | CONFIRM | polarssl.org | Vendor Advisory |
| cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf | CONFIRM | cert-portal.siemens.com | Third Party Advisory |
| IBM Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.7 - United States | CONFIRM | www-01.ibm.com | Third Party Advisory |
| Security Advisory SA53623 - Splunk Cross-Site Scripting and OpenSSL Vulnerabilities - Secunia | SECUNIA | secunia.com | Third Party Advisory |
| Debian -- Security Information -- DSA-2621-1 openssl | DEBIAN | www.debian.org | Third Party Advisory |
| About the security content of OS X Mountain Lion v10.8.5 and Security Update 2013-004 | CONFIRM | support.apple.com | Third Party Advisory |
| '[security bulletin] HPSBUX02857 SSRT101103 rev.1 - HP-UX Running Java, Remote Unauthorized Access, D' - MARC | HP | marc.info | Third Party Advisory |
| CVE-2013-0169 | Puppet | CONFIRM | puppet.com | Third Party Advisory |
| '[security bulletin] HPSBMU02874 SSRT101184 rev.1 - HP Service Manager, Java Runtime Environment (JRE' - MARC | HP | marc.info | Third Party Advisory |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | Tool Signature |
| Security Advisory SA55351 - Oracle Forms and Reports Two Weaknesses - Secunia | SECUNIA | secunia.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2013:0378-1: important: java-1_6_0-openj | SUSE | lists.opensuse.org | Third Party Advisory |
| '[security bulletin] HPSBUX02856 SSRT101104 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (' - MARC | HP | marc.info | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| [security-announce] SUSE-SU-2013:0328-1: important: Security update for | SUSE | lists.opensuse.org | Third Party Advisory |
| Gentoo Linux Documentation -- IcedTea JDK: Multiple vulnerabilities | GENTOO | security.gentoo.org | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2016:0640-1: important: Security update | SUSE | lists.opensuse.org | Third Party Advisory |
| Security Advisory SA55139 - IBM Initiate Master Data Service / InfoSphere Master Data Management OpenSSL Vulnerabilities - Secunia | SECUNIA | secunia.com | Third Party Advisory |
| USN-1735-1: OpenJDK vulnerabilities | Ubuntu | UBUNTU | www.ubuntu.com | Third Party Advisory |
| GNU/Andrew’s Blog » [SECURITY] IcedTea 2.1.6, 2.2.6 & 2.3.7 for OpenJDK 7 Released! | MISC | blog.fuseyism.com | Third Party Advisory |
| Support/Advisories/MGASA-2013-0084 - Mageia wiki | CONFIRM | wiki.mageia.org | Third Party Advisory |
| '[security bulletin] HPSBOV02852 SSRT101108 rev.1 - HP SSL for OpenVMS, Remote Denial of Service (DoS' - MARC | HP | marc.info | Third Party Advisory |
| Multiple TLS And DTLS Implementations CVE-2013-0169 Information Disclosure Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Debian -- Security Information -- DSA-2622-1 polarssl | DEBIAN | www.debian.org | Third Party Advisory |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | Tool Signature |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | Third Party Advisory |
| [security-announce] openSUSE-SU-2013:0375-1: important: java-1_6_0-openj | SUSE | lists.opensuse.org | Third Party Advisory |
| oss-security - Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations | MLIST | openwall.com | Mailing List |
| Oracle Fusion Middleware Flaws Let Remote Users Deny Service and Partially Access and Modify Data - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| www.isg.rhul.ac.uk/tls/TLStiming.pdf | MISC | www.isg.rhul.ac.uk | Third Party Advisory |
| '[security bulletin] HPSBUX02909 SSRT101289 rev.1 - HP-UX Apache Web Server, Remote Denial of Service' - MARC | HP | marc.info | Third Party Advisory |
| [SECURITY] [DLA 1518-1] polarssl security update | MLIST | lists.debian.org | Third Party Advisory |
| Security Advisory SA55350 - Oracle Fusion Middleware Two Information Disclosure Weaknesses - Secunia | SECUNIA | secunia.com | Third Party Advisory |
| Vulnerability Note VU#737740 - Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL | CERT-VN | www.kb.cert.org | Third Party Advisory, US Government Resource |
| Document Display | HPE Support Center | CONFIRM | support.hpe.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 390226 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2021-0011)
- 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)
- 591350 General Electric D20MX Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (PRSN-0006)