ID CVE-2013-0169
Summary The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
References
Vulnerable Configurations
  • cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:-:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:beta4:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:beta5:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:beta6:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8c-1:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8g-9:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8h:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8i:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8j:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8k:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8l:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8m:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8m:-:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8m:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8n:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8o:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8p:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8q:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8r:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8s:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8t:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8u:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8v:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8w:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8x:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1:-:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:-:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update2:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update3:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update4:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update5:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update6:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update7:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update9:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update10:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update11:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update13:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update34:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update35:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update37:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update38:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:-:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update2:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update3:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update4:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update5:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update6:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update7:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update11:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update12:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update13:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update14:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update15:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update16:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update17:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update18:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update19:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update20:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update21:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update22:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update23:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update24:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update25:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update26:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update27:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update29:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update30:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update31:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update32:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update33:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.7.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update1:*:*:*:*:*:*
  • cpe:2.3:a:oracle:openjdk:1.6.0:update10:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.14.2:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.13.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.99:pre3:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.99:pre5:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.99:pre1:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.14.3:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.99:pre4:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:polarssl:polarssl:0.10.0:*:*:*:*:*:*:*
CVSS
Base: 2.6 (as of 12-05-2023 - 12:58)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector: NETWORK
  • Complexity: HIGH
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:H/Au:N/C:P/I:N/A:N
oval via4
  • accepted 2015-04-20T04:00:46.294-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
    family unix
    id oval:org.mitre.oval:def:18841
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Running OpenSSL, Remote Denial of Service (DoS) and Unauthorized Disclosure
    version 49
  • accepted 2015-05-04T04:00:13.938-04:00
    class vulnerability
    contributors
    • name Sergey Artykhov
      organization ALTX-SOFT
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    comment VisualSVN Server is installed
    oval oval:org.mitre.oval:def:18636
    description The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
    family windows
    id oval:org.mitre.oval:def:19016
    status accepted
    submitted 2013-10-02T13:00:00
    title OpenSSL vulnerability before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d in VisualSVN Server (CVE-2013-0169)
    version 9
  • accepted 2015-04-20T04:01:16.047-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
    family unix
    id oval:org.mitre.oval:def:19424
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
    version 48
  • accepted 2015-04-20T04:01:27.840-04:00
    class vulnerability
    contributors
    • name Ganesh Manal
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
    family unix
    id oval:org.mitre.oval:def:19540
    status accepted
    submitted 2013-11-22T11:43:28.000-05:00
    title HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
    version 49
  • accepted 2014-01-20T04:00:21.328-05:00
    class vulnerability
    contributors
    • name Chandan M C
      organization Hewlett-Packard
    definition_extensions
    • comment IBM AIX 5.3 is installed
      oval oval:org.mitre.oval:def:5325
    • comment IBM AIX 6.1 is installed
      oval oval:org.mitre.oval:def:5267
    • comment IBM AIX 7.1 is installed
      oval oval:org.mitre.oval:def:18828
    description The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
    family unix
    id oval:org.mitre.oval:def:19608
    status accepted
    submitted 2013-11-18T10:06:56.357-05:00
    title Multiple OpenSSL vulnerabilities
    version 50
redhat via4
advisories
  • bugzilla
    id 908052
    title CVE-2013-0166 openssl: DoS due to improper handling of OCSP response verification
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment openssl is earlier than 0:0.9.8e-26.el5_9.1
            oval oval:com.redhat.rhsa:tst:20130587001
          • comment openssl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070964002
        • AND
          • comment openssl-devel is earlier than 0:0.9.8e-26.el5_9.1
            oval oval:com.redhat.rhsa:tst:20130587003
          • comment openssl-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070964004
        • AND
          • comment openssl-perl is earlier than 0:0.9.8e-26.el5_9.1
            oval oval:com.redhat.rhsa:tst:20130587005
          • comment openssl-perl is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070964006
    • AND
      • comment Red Hat Enterprise Linux 6 is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment openssl is earlier than 0:1.0.0-27.el6_4.2
            oval oval:com.redhat.rhsa:tst:20130587008
          • comment openssl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20171929002
        • AND
          • comment openssl-devel is earlier than 0:1.0.0-27.el6_4.2
            oval oval:com.redhat.rhsa:tst:20130587010
          • comment openssl-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20171929004
        • AND
          • comment openssl-perl is earlier than 0:1.0.0-27.el6_4.2
            oval oval:com.redhat.rhsa:tst:20130587012
          • comment openssl-perl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20171929008
        • AND
          • comment openssl-static is earlier than 0:1.0.0-27.el6_4.2
            oval oval:com.redhat.rhsa:tst:20130587014
          • comment openssl-static is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhba:tst:20171929010
    rhsa
    id RHSA-2013:0587
    released 2013-03-04
    severity Moderate
    title RHSA-2013:0587: openssl security update (Moderate)
  • rhsa
    id RHSA-2013:0782
  • rhsa
    id RHSA-2013:0783
  • rhsa
    id RHSA-2013:0833
  • rhsa
    id RHSA-2013:1455
  • rhsa
    id RHSA-2013:1456
rpms
  • java-1.6.0-openjdk-1:1.6.0.0-1.56.1.11.8.el6_3
  • java-1.6.0-openjdk-debuginfo-1:1.6.0.0-1.56.1.11.8.el6_3
  • java-1.6.0-openjdk-demo-1:1.6.0.0-1.56.1.11.8.el6_3
  • java-1.6.0-openjdk-devel-1:1.6.0.0-1.56.1.11.8.el6_3
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.56.1.11.8.el6_3
  • java-1.6.0-openjdk-src-1:1.6.0.0-1.56.1.11.8.el6_3
  • java-1.6.0-openjdk-1:1.6.0.0-1.35.1.11.8.el5_9
  • java-1.6.0-openjdk-debuginfo-1:1.6.0.0-1.35.1.11.8.el5_9
  • java-1.6.0-openjdk-demo-1:1.6.0.0-1.35.1.11.8.el5_9
  • java-1.6.0-openjdk-devel-1:1.6.0.0-1.35.1.11.8.el5_9
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.35.1.11.8.el5_9
  • java-1.6.0-openjdk-src-1:1.6.0.0-1.35.1.11.8.el5_9
  • java-1.7.0-openjdk-1:1.7.0.9-2.3.7.1.el5_9
  • java-1.7.0-openjdk-1:1.7.0.9-2.3.7.1.el6_3
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.9-2.3.7.1.el5_9
  • java-1.7.0-openjdk-debuginfo-1:1.7.0.9-2.3.7.1.el6_3
  • java-1.7.0-openjdk-demo-1:1.7.0.9-2.3.7.1.el5_9
  • java-1.7.0-openjdk-demo-1:1.7.0.9-2.3.7.1.el6_3
  • java-1.7.0-openjdk-devel-1:1.7.0.9-2.3.7.1.el5_9
  • java-1.7.0-openjdk-devel-1:1.7.0.9-2.3.7.1.el6_3
  • java-1.7.0-openjdk-javadoc-1:1.7.0.9-2.3.7.1.el5_9
  • java-1.7.0-openjdk-javadoc-1:1.7.0.9-2.3.7.1.el6_3
  • java-1.7.0-openjdk-src-1:1.7.0.9-2.3.7.1.el5_9
  • java-1.7.0-openjdk-src-1:1.7.0.9-2.3.7.1.el6_3
  • java-1.6.0-sun-1:1.6.0.41-1jpp.1.el5_9
  • java-1.6.0-sun-1:1.6.0.41-1jpp.1.el6_3
  • java-1.6.0-sun-demo-1:1.6.0.41-1jpp.1.el5_9
  • java-1.6.0-sun-demo-1:1.6.0.41-1jpp.1.el6_3
  • java-1.6.0-sun-devel-1:1.6.0.41-1jpp.1.el5_9
  • java-1.6.0-sun-devel-1:1.6.0.41-1jpp.1.el6_3
  • java-1.6.0-sun-jdbc-1:1.6.0.41-1jpp.1.el5_9
  • java-1.6.0-sun-jdbc-1:1.6.0.41-1jpp.1.el6_3
  • java-1.6.0-sun-plugin-1:1.6.0.41-1jpp.1.el5_9
  • java-1.6.0-sun-plugin-1:1.6.0.41-1jpp.1.el6_3
  • java-1.6.0-sun-src-1:1.6.0.41-1jpp.1.el5_9
  • java-1.6.0-sun-src-1:1.6.0.41-1jpp.1.el6_3
  • java-1.7.0-oracle-1:1.7.0.15-1jpp.1.el5_9
  • java-1.7.0-oracle-1:1.7.0.15-1jpp.1.el6_3
  • java-1.7.0-oracle-devel-1:1.7.0.15-1jpp.1.el5_9
  • java-1.7.0-oracle-devel-1:1.7.0.15-1jpp.1.el6_3
  • java-1.7.0-oracle-javafx-1:1.7.0.15-1jpp.1.el5_9
  • java-1.7.0-oracle-javafx-1:1.7.0.15-1jpp.1.el6_3
  • java-1.7.0-oracle-jdbc-1:1.7.0.15-1jpp.1.el5_9
  • java-1.7.0-oracle-jdbc-1:1.7.0.15-1jpp.1.el6_3
  • java-1.7.0-oracle-plugin-1:1.7.0.15-1jpp.1.el5_9
  • java-1.7.0-oracle-plugin-1:1.7.0.15-1jpp.1.el6_3
  • java-1.7.0-oracle-src-1:1.7.0.15-1jpp.1.el5_9
  • java-1.7.0-oracle-src-1:1.7.0.15-1jpp.1.el6_3
  • openssl-0:0.9.8e-26.el5_9.1
  • openssl-0:1.0.0-27.el6_4.2
  • openssl-debuginfo-0:0.9.8e-26.el5_9.1
  • openssl-debuginfo-0:1.0.0-27.el6_4.2
  • openssl-devel-0:0.9.8e-26.el5_9.1
  • openssl-devel-0:1.0.0-27.el6_4.2
  • openssl-perl-0:0.9.8e-26.el5_9.1
  • openssl-perl-0:1.0.0-27.el6_4.2
  • openssl-static-0:1.0.0-27.el6_4.2
  • rhev-hypervisor6-0:6.4-20130306.2.el6_4
  • java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el5_9
  • java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el6_4
  • java-1.7.0-ibm-demo-1:1.7.0.4.2-1jpp.1.el5_9
  • java-1.7.0-ibm-demo-1:1.7.0.4.2-1jpp.1.el6_4
  • java-1.7.0-ibm-devel-1:1.7.0.4.2-1jpp.1.el5_9
  • java-1.7.0-ibm-devel-1:1.7.0.4.2-1jpp.1.el6_4
  • java-1.7.0-ibm-jdbc-1:1.7.0.4.2-1jpp.1.el5_9
  • java-1.7.0-ibm-jdbc-1:1.7.0.4.2-1jpp.1.el6_4
  • java-1.7.0-ibm-plugin-1:1.7.0.4.2-1jpp.1.el5_9
  • java-1.7.0-ibm-plugin-1:1.7.0.4.2-1jpp.1.el6_4
  • java-1.7.0-ibm-src-1:1.7.0.4.2-1jpp.1.el5_9
  • java-1.7.0-ibm-src-1:1.7.0.4.2-1jpp.1.el6_4
  • java-1.6.0-ibm-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-1:1.6.0.13.2-1jpp.1.el6_4
  • java-1.6.0-ibm-accessibility-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-demo-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-demo-1:1.6.0.13.2-1jpp.1.el6_4
  • java-1.6.0-ibm-devel-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-devel-1:1.6.0.13.2-1jpp.1.el6_4
  • java-1.6.0-ibm-javacomm-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-javacomm-1:1.6.0.13.2-1jpp.1.el6_4
  • java-1.6.0-ibm-jdbc-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-jdbc-1:1.6.0.13.2-1jpp.1.el6_4
  • java-1.6.0-ibm-plugin-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-plugin-1:1.6.0.13.2-1jpp.1.el6_4
  • java-1.6.0-ibm-src-1:1.6.0.13.2-1jpp.1.el5_9
  • java-1.6.0-ibm-src-1:1.6.0.13.2-1jpp.1.el6_4
  • java-1.5.0-ibm-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-1:1.5.0.16.2-1jpp.1.el6_4
  • java-1.5.0-ibm-accessibility-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-demo-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-demo-1:1.5.0.16.2-1jpp.1.el6_4
  • java-1.5.0-ibm-devel-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-devel-1:1.5.0.16.2-1jpp.1.el6_4
  • java-1.5.0-ibm-javacomm-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-javacomm-1:1.5.0.16.2-1jpp.1.el6_4
  • java-1.5.0-ibm-jdbc-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-jdbc-1:1.5.0.16.2-1jpp.1.el6_4
  • java-1.5.0-ibm-plugin-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-plugin-1:1.5.0.16.2-1jpp.1.el6_4
  • java-1.5.0-ibm-src-1:1.5.0.16.2-1jpp.1.el5_9
  • java-1.5.0-ibm-src-1:1.5.0.16.2-1jpp.1.el6_4
  • java-1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el5_9
  • java-1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el6_4
  • java-1.6.0-ibm-devel-1:1.6.0.14.0-1jpp.1.el5_9
  • java-1.6.0-ibm-devel-1:1.6.0.14.0-1jpp.1.el6_4
  • rhevm-spice-client-x64-cab-0:3.3-12.el6_5
  • rhevm-spice-client-x64-msi-0:3.3-12.el6_5
  • rhevm-spice-client-x86-cab-0:3.3-12.el6_5
  • rhevm-spice-client-x86-msi-0:3.3-12.el6_5
refmap via4
apple APPLE-SA-2013-09-12-1
bid 57778
cert TA13-051A
cert-vn VU#737740
confirm
debian
  • DSA-2621
  • DSA-2622
fedora FEDORA-2013-4403
gentoo GLSA-201406-32
hp
  • HPSBMU02874
  • HPSBOV02852
  • HPSBUX02856
  • HPSBUX02857
  • HPSBUX02909
  • SSRT101103
  • SSRT101104
  • SSRT101108
  • SSRT101184
  • SSRT101289
mandriva MDVSA-2013:095
misc
mlist
  • [debian-lts-announce] 20180925 [SECURITY] [DLA 1518-1] polarssl security update
  • [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations
sectrack 1029190
secunia
  • 53623
  • 55108
  • 55139
  • 55322
  • 55350
  • 55351
suse
  • SUSE-SU-2013:0328
  • SUSE-SU-2013:0701
  • SUSE-SU-2014:0320
  • SUSE-SU-2015:0578
  • openSUSE-SU-2013:0375
  • openSUSE-SU-2013:0378
  • openSUSE-SU-2016:0640
ubuntu USN-1735-1
Last major update 12-05-2023 - 12:58
Published 08-02-2013 - 19:55
Last modified 12-05-2023 - 12:58