CVE Vulnerabilities

CVE-2013-0169

Published: Feb 08, 2013 | Modified: Nov 21, 2024
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 2.6 LOW (AV:N/AC:H/Au:N/C:P/I:N/A:N)
RedHat/V2: 5.1 MODERATE (AV:N/AC:H/Au:N/C:P/I:P/A:P)
RedHat/V3:
Ubuntu: MEDIUM

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue.

Affected Software

Name | Vendor | Start Version | End Version
Openssl | Openssl | 0.9.8 (including) | 0.9.8x (including)
Openssl | Openssl | 1.0.0 (including) | 1.0.0j (including)
Openssl | Openssl | 1.0.1 (including) | 1.0.1d (including)
Red Hat Enterprise Linux 5 | RedHat | java-1.6.0-openjdk-1:1.6.0.0-1.35.1.11.8.el5_9 | *
Red Hat Enterprise Linux 5 | RedHat | java-1.7.0-openjdk-1:1.7.0.9-2.3.7.1.el5_9 | *
Red Hat Enterprise Linux 5 | RedHat | openssl-0:0.9.8e-26.el5_9.1 | *
Red Hat Enterprise Linux 6 | RedHat | java-1.6.0-openjdk-1:1.6.0.0-1.56.1.11.8.el6_3 | *
Red Hat Enterprise Linux 6 | RedHat | java-1.7.0-openjdk-1:1.7.0.9-2.3.7.1.el6_3 | *
Red Hat Enterprise Linux 6 | RedHat | openssl-0:1.0.0-27.el6_4.2 | *
Red Hat JBoss Enterprise Application Platform 5.2 | RedHat | | *
Red Hat JBoss Enterprise Application Platform 6.1 | RedHat | openssl | *
Red Hat JBoss Web Platform 5.2 | RedHat | | *
Red Hat JBoss Web Server 2.0 | RedHat | openssl | *
Red Hat Network Satellite Server v 5.4 | RedHat | java-1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el5_9 | *
Red Hat Network Satellite Server v 5.5 | RedHat | java-1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el5_9 | *
Red Hat OpenShift Container Platform 4.6 | RedHat | openshift4/ose-kube-rbac-proxy:v4.6.0-202010061132.p0 | *
RHEV 3.X Hypervisor and Agents for RHEL-6 | RedHat | rhev-hypervisor6-0:6.4-20130306.2.el6_4 | *
RHEV Manager version 3.3 | RedHat | spice-client-msi-0:3.3-12 | *
Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.6.0-sun-1:1.6.0.41-1jpp.1.el5_9 | *
Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.7.0-oracle-1:1.7.0.15-1jpp.1.el5_9 | *
Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el5_9 | *
Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.6.0-ibm-1:1.6.0.13.2-1jpp.1.el5_9 | *
Supplementary for Red Hat Enterprise Linux 5 | RedHat | java-1.5.0-ibm-1:1.5.0.16.2-1jpp.1.el5_9 | *
Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.6.0-sun-1:1.6.0.41-1jpp.1.el6_3 | *
Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.7.0-oracle-1:1.7.0.15-1jpp.1.el6_3 | *
Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.7.0-ibm-1:1.7.0.4.2-1jpp.1.el6_4 | *
Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.6.0-ibm-1:1.6.0.13.2-1jpp.1.el6_4 | *
Supplementary for Red Hat Enterprise Linux 6 | RedHat | java-1.5.0-ibm-1:1.5.0.16.2-1jpp.1.el6_4 | *
Openjdk-6 | Ubuntu | devel | *
Openjdk-6 | Ubuntu | hardy | *
Openjdk-6 | Ubuntu | lucid | *
Openjdk-6 | Ubuntu | oneiric | *
Openjdk-6 | Ubuntu | precise | *
Openjdk-6 | Ubuntu | quantal | *
Openjdk-6 | Ubuntu | raring | *
Openjdk-6 | Ubuntu | saucy | *
Openjdk-6 | Ubuntu | trusty | *
Openjdk-6 | Ubuntu | upstream | *
Openjdk-7 | Ubuntu | devel | *
Openjdk-7 | Ubuntu | oneiric | *
Openjdk-7 | Ubuntu | precise | *
Openjdk-7 | Ubuntu | quantal | *
Openjdk-7 | Ubuntu | raring | *
Openjdk-7 | Ubuntu | saucy | *
Openjdk-7 | Ubuntu | trusty | *
Openjdk-7 | Ubuntu | upstream | *
Openssl | Ubuntu | devel | *
Openssl | Ubuntu | hardy | *
Openssl | Ubuntu | lucid | *
Openssl | Ubuntu | oneiric | *
Openssl | Ubuntu | precise | *
Openssl | Ubuntu | quantal | *
Openssl | Ubuntu | raring | *
Openssl | Ubuntu | saucy | *
Openssl | Ubuntu | trusty | *
Openssl | Ubuntu | upstream | *
Openssl098 | Ubuntu | devel | *
Openssl098 | Ubuntu | oneiric | *
Openssl098 | Ubuntu | precise | *
Openssl098 | Ubuntu | quantal | *
Openssl098 | Ubuntu | raring | *
Openssl098 | Ubuntu | saucy | *
Openssl098 | Ubuntu | trusty | *
Openssl098 | Ubuntu | upstream | *

References