CVE Database

CVE-2013-1624

Impact: Moderate
Public: 2013-02-04
CWE: CWE-385
Bugzilla: 908428: CVE-2013-1624 bouncycastle: TLS CBC padding timing attack

Details

It was discovered that bouncycastle leaked timing information while decrypting TLS/SSL records encrypted with CBC-mode cipher suites. A remote attacker could possibly use this flaw to retrieve plaintext from the encrypted packets by using a TLS/SSL server as a padding oracle.

Find out more about CVE-2013-1624 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 5.1
Base Metrics: AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: High
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Red Hat security errata

Platform | Errata | Release Date
Red Hat JBoss A-MQ 6.1 | RHSA-2014:0401 | April 14, 2014
Red Hat JBoss BPMS 6.0 | RHSA-2014:0371 | April 03, 2014
Red Hat JBoss BRMS 6.0 | RHSA-2014:0372 | April 03, 2014
Red Hat JBoss Fuse 6.1 | RHSA-2014:0400 | April 14, 2014
Red Hat JBoss Web Framework Kit 2.6 | RHSA-2014:0896 | July 16, 2014

External References

http://www.isg.rhul.ac.uk/tls/

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

This page is generated automatically and has not been checked for errors or omissions.