The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Openssl | Openssl | 0.9.8 (including) | 0.9.8x (including) |
| Openssl | Openssl | 1.0.0 (including) | 1.0.0j (including) |
| Openssl | Openssl | 1.0.1 (including) | 1.0.1d (including) |
| Red Hat Enterprise Linux 5 | RedHat | java-1.6.0-openjdk-1:1.6.0.0-1.35.1.11.8.el5_9 | * |
| Red Hat Enterprise Linux 5 | RedHat | java-1.7.0-openjdk-1:1.7.0.9-2.3.7.1.el5_9 | * |
| Red Hat Enterprise Linux 5 | RedHat | openssl-0:0.9.8e-26.el5_9.1 | * |
| Red Hat Enterprise Linux 6 | RedHat | java-1.6.0-openjdk-1:1.6.0.0-1.56.1.11.8.el6_3 | * |
| Red Hat Enterprise Linux 6 | RedHat | java-1.7.0-openjdk-1:1.7.0.9-2.3.7.1.el6_3 | * |
| Red Hat Enterprise Linux 6 | RedHat | openssl-0:1.0.0-27.el6_4.2 | * |
| Red Hat JBoss Enterprise Application Platform 5.2 | RedHat | * | |
| Red Hat JBoss Enterprise Application Platform 6.1 | RedHat | openssl | * |
| Red Hat JBoss Web Platform 5.2 | RedHat | * | |
| Red Hat JBoss Web Server 2.0 | RedHat | openssl | * |
| Red Hat Network Satellite Server v 5.4 | RedHat | java-1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el6_4 | * |
| Red Hat Network Satellite Server v 5.5 | RedHat | java-1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el6_4 | * |
| Red Hat OpenShift Container Platform 4.6 | RedHat | openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0 | * |
| RHEV 3.X Hypervisor and Agents for RHEL-6 | RedHat | rhev-hypervisor6-0:6.4-20130306.2.el6_4 | * |
| RHEV Manager version 3.3 | RedHat | spice-client-msi-0:3.3-12 | * |
| Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.6.0-sun-1:1.6.0.41-1jpp.1.el5_9 | * |
| Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.7.0-oracle-1:1.7.0.15-1jpp.1.el5_9 | * |
| Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el5_9 | * |
| Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.6.0-ibm-1:1.6.0.13.2-1jpp.1.el5_9 | * |
| Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.5.0-ibm-1:1.5.0.16.2-1jpp.1.el5_9 | * |
| Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.6.0-sun-1:1.6.0.41-1jpp.1.el6_3 | * |
| Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.7.0-oracle-1:1.7.0.15-1jpp.1.el6_3 | * |
| Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el6_4 | * |
| Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.6.0-ibm-1:1.6.0.13.2-1jpp.1.el6_4 | * |
| Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.5.0-ibm-1:1.5.0.16.2-1jpp.1.el6_4 | * |
| Openjdk-6 | Ubuntu | devel | * |
| Openjdk-6 | Ubuntu | hardy | * |
| Openjdk-6 | Ubuntu | lucid | * |
| Openjdk-6 | Ubuntu | oneiric | * |
| Openjdk-6 | Ubuntu | precise | * |
| Openjdk-6 | Ubuntu | quantal | * |
| Openjdk-6 | Ubuntu | raring | * |
| Openjdk-6 | Ubuntu | saucy | * |
| Openjdk-6 | Ubuntu | trusty | * |
| Openjdk-6 | Ubuntu | upstream | * |
| Openjdk-7 | Ubuntu | devel | * |
| Openjdk-7 | Ubuntu | oneiric | * |
| Openjdk-7 | Ubuntu | precise | * |
| Openjdk-7 | Ubuntu | quantal | * |
| Openjdk-7 | Ubuntu | raring | * |
| Openjdk-7 | Ubuntu | saucy | * |
| Openjdk-7 | Ubuntu | trusty | * |
| Openjdk-7 | Ubuntu | upstream | * |
| Openssl | Ubuntu | devel | * |
| Openssl | Ubuntu | esm-infra-legacy/trusty | * |
| Openssl | Ubuntu | hardy | * |
| Openssl | Ubuntu | lucid | * |
| Openssl | Ubuntu | oneiric | * |
| Openssl | Ubuntu | precise | * |
| Openssl | Ubuntu | quantal | * |
| Openssl | Ubuntu | raring | * |
| Openssl | Ubuntu | saucy | * |
| Openssl | Ubuntu | trusty | * |
| Openssl | Ubuntu | trusty/esm | * |
| Openssl | Ubuntu | upstream | * |
| Openssl098 | Ubuntu | devel | * |
| Openssl098 | Ubuntu | oneiric | * |
| Openssl098 | Ubuntu | precise | * |
| Openssl098 | Ubuntu | quantal | * |
| Openssl098 | Ubuntu | raring | * |
| Openssl098 | Ubuntu | saucy | * |
| Openssl098 | Ubuntu | trusty | * |
| Openssl098 | Ubuntu | upstream | * |
References
- http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
- http://marc.info/?l=bugtraq\u0026m=136396549913849\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=136432043316835\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=136439120408139\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=136733161405818\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=137545771702053\u0026w=2
- http://openwall.com/lists/oss-security/2013/02/05/24
- http://rhn.redhat.com/errata/RHSA-2013-0587.html
- http://rhn.redhat.com/errata/RHSA-2013-0782.html
- http://rhn.redhat.com/errata/RHSA-2013-0783.html
- http://rhn.redhat.com/errata/RHSA-2013-0833.html
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://rhn.redhat.com/errata/RHSA-2013-1456.html
- http://secunia.com/advisories/53623
- http://secunia.com/advisories/55108
- http://secunia.com/advisories/55139
- http://secunia.com/advisories/55322
- http://secunia.com/advisories/55350
- http://secunia.com/advisories/55351
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://support.apple.com/kb/HT5880
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047
- http://www.debian.org/security/2013/dsa-2621
- http://www.debian.org/security/2013/dsa-2622
- http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
- http://www.kb.cert.org/vuls/id/737740
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
- http://www.matrixssl.org/news.html
- http://www.openssl.org/news/secadv_20130204.txt
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
- http://www.securityfocus.com/bid/57778
- http://www.securitytracker.com/id/1029190
- http://www.splunk.com/view/SP-CAAAHXG
- http://www.ubuntu.com/usn/USN-1735-1
- http://www.us-cert.gov/cas/techalerts/TA13-051A.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
- https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
- https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
- https://puppet.com/security/cve/cve-2013-0169
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c03883001
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084
- http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
- http://marc.info/?l=bugtraq\u0026m=136396549913849\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=136432043316835\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=136439120408139\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=136733161405818\u0026w=2
- http://marc.info/?l=bugtraq\u0026m=137545771702053\u0026w=2
- http://openwall.com/lists/oss-security/2013/02/05/24
- http://rhn.redhat.com/errata/RHSA-2013-0587.html
- http://rhn.redhat.com/errata/RHSA-2013-0782.html
- http://rhn.redhat.com/errata/RHSA-2013-0783.html
- http://rhn.redhat.com/errata/RHSA-2013-0833.html
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://rhn.redhat.com/errata/RHSA-2013-1456.html
- http://secunia.com/advisories/53623
- http://secunia.com/advisories/55108
- http://secunia.com/advisories/55139
- http://secunia.com/advisories/55322
- http://secunia.com/advisories/55350
- http://secunia.com/advisories/55351
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://support.apple.com/kb/HT5880
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047
- http://www.debian.org/security/2013/dsa-2621
- http://www.debian.org/security/2013/dsa-2622
- http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
- http://www.kb.cert.org/vuls/id/737740
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:095
- http://www.matrixssl.org/news.html
- http://www.openssl.org/news/secadv_20130204.txt
- http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
- http://www.securityfocus.com/bid/57778
- http://www.securitytracker.com/id/1029190
- http://www.splunk.com/view/SP-CAAAHXG
- http://www.ubuntu.com/usn/USN-1735-1
- http://www.us-cert.gov/cas/techalerts/TA13-051A.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
- https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608
- https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
- https://puppet.com/security/cve/cve-2013-0169
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-c03883001
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084