PT-2013-1213 · Oracle+6 · Openjdk+8
Adam Langley
+1
·
Published
1999-01-01
·
Updated
2025-05-12
·
CVE-2013-0169
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:N/A:P |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 1.3.0
OpenJDK versions prior to 1.3.0
PolarSSL versions prior to 1.3.0
Description
The issue concerns the TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, which do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding. This allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, also known as the "Lucky Thirteen" issue.
Recommendations
For OpenSSL versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue.
For OpenJDK versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue.
For PolarSSL versions prior to 1.3.0, update to version 1.3.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable protocols until a patch is available.
Exploit
Fix
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Centos
Hp-Ux
Ibm Aix
Java Platform
Openjdk
Openssl
Polarssl
Red Hat
Suse