CVE-2013-0169 — LOW (2.6) — White Hats Nepal

Q: How severe is CVE-2013-0169?

CVE-2013-0169 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-0169?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Oracle Openjdk, Polarssl Polarssl.

Vulnerability Description

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

CVSS Score

2.6

LOW

AV:N/AC:H/Au:N/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Openssl	Openssl	>= 0.9.8, <= 0.9.8x
Oracle	Openjdk	1.6.0
Polarssl	Polarssl	0.10.0

Related Weaknesses (CWE)

CWE-310

References

http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7Third Party Advisory
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.htmlMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlThird Party Advisory
http://marc.info/?l=bugtraq&m=136396549913849&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=136432043316835&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=136439120408139&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=136733161405818&w=2Third Party Advisory
http://marc.info/?l=bugtraq&m=137545771702053&w=2Third Party Advisory

FAQ

What is CVE-2013-0169?

CVE-2013-0169 is a vulnerability with a CVSS score of 2.6 (LOW). The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requireme...

How severe is CVE-2013-0169?

CVE-2013-0169 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-0169?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Oracle Openjdk, Polarssl Polarssl.