Oracle Solaris 11: CVE-2013-0169: Vulnerability in OpenSSL
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
3 | (AV:N/AC:H/Au:N/C:P/I:N/A:N) | February 08, 2013 | May 29, 2017 | May 29, 2017 |
Description
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
References
- CERT-VN-737740
- CVE-2013-0169
- APPLE-APPLE-SA-2013-09-12-1
- BID-57778
- CERT-TA13-051A
- DEBIAN-DSA-2621
- DEBIAN-DSA-2622
- OVAL-OVAL18841
- OVAL-OVAL19016
- OVAL-OVAL19424
- OVAL-OVAL19540
- OVAL-OVAL19608
- REDHAT-RHSA-2013:0587
- REDHAT-RHSA-2013:0782
- REDHAT-RHSA-2013:0783
- REDHAT-RHSA-2013:0833
- REDHAT-RHSA-2013:1455
- REDHAT-RHSA-2013:1456
- URL: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1448883.1&displayIndex=1
Solution Reference
Java Security Update
Solution
oracle-solaris-11-1-upgrade-developer-java-jdk-6-1-6-0-43-0-175-1-5-0-5-0
Related Vulnerabilities
- RHSA-2013:0855: java-1.5.0-ibm security update
- HP-UX: CVE-2013-0169: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- ELSA-2013-0273 Critical: Oracle Linux java-1.6.0-openjdk security update
- TLS/SSL Timing Side-Channel Attacks, aka the "Lucky Thirteen" Attack
- USN-1732-1: OpenSSL vulnerabilities
- Alpine Linux: CVE-2013-0169: openssl multiple issues
- Oracle Database: Critical Patch Update - October 2013 (CVE-2013-0169)
- FreeBSD: OpenSSL -- TLS 1.1, 1.2 denial of service (Multiple CVEs)
- Amazon Linux AMI: Security patch for openssl (ALAS-2013-171) (multiple CVEs)
- Amazon Linux AMI: Security patch for java-1.7.0-openjdk (ALAS-2013-162) (multiple CVEs)
- DSA-2621-1 openssl -- several vulnerabilities
- RHSA-2013:0531: java-1.6.0-sun security update
- OS X update for OpenSSL (CVE-2013-0169)
- RHSA-2013:0273: java-1.6.0-openjdk security update
- USN-1735-1: OpenJDK vulnerabilities
- Gentoo Linux: CVE-2013-0169: OpenSSL: Multiple Vulnerabilities
- Sun Patch: SunOS 5.10: wanboot patch
- F5 Networks: K14190 (CVE-2013-0169): TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
- RHSA-2013:0823: java-1.6.0-ibm security update
- Amazon Linux AMI: Security patch for java-1.6.0-openjdk (ALAS-2013-163) (multiple CVEs)
- IBM HTTP Server: CVE-2013-0169: TLS Vulnerability
- DSA-2622-1 polarssl -- several vulnerabilities
- ELSA-2013-0274 Important: Oracle Linux java-1.6.0-openjdk security update
- RHSA-2014:0416: rhevm-spice-client security update
- RHSA-2013:0587: openssl security update
- OS X update for Apache (CVE-2013-0169)
- Sun Patch: SunOS 5.10_x86: openssl patch
- SUSE Linux Security Vulnerability: CVE-2013-0169
- OpenSSL SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
- Juniper Junos OS: Multiple security vulnerabilities in OpenSSL (JSA10575) (multiple CVEs)
- Apple Java security update for CVE-2013-0169
- ELSA-2013-0587 Moderate: Oracle Linux openssl security update
- VMSA-2013-0009: ESX userworld update for OpenSSL library (CVE-2013-0169)
- RHSA-2013:0275: java-1.7.0-openjdk security update
- FreeBSD: FreeBSD -- OpenSSL multiple vulnerabilities (FreeBSD-SA-13:03.openssl) (Multiple CVEs)
- RHSA-2013:0822: java-1.7.0-ibm security update
- RHSA-2013:0274: java-1.6.0-openjdk security update
- RHSA-2013:0532: java-1.7.0-oracle security update
- Amazon Linux AMI: Security patch for openssl (ALAS-2014-320) (multiple CVEs)
- RHSA-2013:1455: Red Hat Network Satellite server IBM Java Runtime security update
- Sun Patch: SunOS 5.10: openssl patch
- RHSA-2013:0636: rhev-hypervisor6 security and bug fix update
- IBM AIX: openssh_advisory2, openssl_advisory5 (CVE-2013-0169): Vulnerabilities in OpenSSH affect AIX
- ELSA-2013-0275 Important: Oracle Linux java-1.7.0-openjdk security update
- Java CPU February 2013 Java Runtime Environment JSSE vulnerability (CVE-2013-0169)
- RHSA-2013:1456: Red Hat Network Satellite server IBM Java Runtime security update
- USN-1732-3: OpenSSL vulnerability
- Sun Patch: SunOS 5.9: wanboot and pkg utilities Patch