Red Hat Customer Portal

CVE-2013-0169

Impact: Moderate
Public Date: 2013-02-04
Bugzilla: 907589: CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)

The MITRE CVE dictionary describes this issue as:

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Find out more about CVE-2013-0169 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score: 5.1
Base Metrics: AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) | RHSA-2013:0855 | 2013-05-22 |
| Red Hat Satellite 5.5 (RHEL v.6) (java-1.6.0-ibm) | RHSA-2013:1456 | 2013-10-23 |
| Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) | RHSA-2013:0274 | 2013-02-20 |
| Red Hat Enterprise Linux 5 (java-1.7.0-openjdk) | RHSA-2013:0275 | 2013-02-20 |
| Red Hat Satellite 5.4 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2013:1455 | 2013-10-23 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.5.0-ibm) | RHSA-2013:0855 | 2013-05-22 |
| RHEV Hypervisor for RHEL-6 (rhev-hypervisor6) | RHSA-2013:0636 | 2013-03-13 |
| Red Hat Enterprise Linux 6 (openssl) | RHSA-2013:0587 | 2013-03-04 |
| Red Hat Enterprise Linux 5 (openssl) | RHSA-2013:0587 | 2013-03-04 |
| Red Hat Satellite 5.5 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2013:1456 | 2013-10-23 |
| Red Hat JBoss Web Platform 5.2 | RHSA-2013:0782 | 2013-05-01 |
| Red Hat JBoss Web Server 2.0 | RHSA-2013:1013 | 2013-07-03 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.0-ibm) | RHSA-2013:0822 | 2013-05-14 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) | RHSA-2013:0823 | 2013-05-14 |
| Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2013:0783 | 2013-05-01 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) | RHSA-2013:0823 | 2013-05-14 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) | RHSA-2013:0822 | 2013-05-14 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-oracle) | RHSA-2013:0532 | 2013-02-20 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-sun) | RHSA-2013:0531 | 2013-02-20 |
| Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) | RHSA-2013:0273 | 2013-02-20 |
| Red Hat Enterprise Linux 6 (java-1.7.0-openjdk) | RHSA-2013:0275 | 2013-02-20 |
| Red Hat JBoss Enterprise Application Platform 6.1 | RHSA-2013:0833 | 2013-05-20 |
| RHEV-M for Servers (spice-client-msi) | RHSA-2014:0416 | 2014-04-17 |
| Red Hat Satellite 5.4 (RHEL v.6) (java-1.6.0-ibm) | RHSA-2013:1455 | 2013-10-23 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.0-oracle) | RHSA-2013:0532 | 2013-02-20 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-sun) | RHSA-2013:0531 | 2013-02-20 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | openssl098e | Will not fix |
| Red Hat Enterprise Linux 5 | openssl097a | Will not fix |
| Red Hat JBoss EWS 2 | openssl | Affected |
| Red Hat JBoss EWS 1 | openssl | Will not fix |
| Red Hat JBoss EAP 6 | openssl | Affected |
