Lucene search

Veracode Vulnerability DatabaseVERACODE:3568

HistoryFeb 10, 2017 - 5:59 a.m.

Timing Attacks

2017-02-1005:59:15

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.005 Low

EPSS

Percentile

77.3%

JSON

OpenSSL is vulnerable to timing attacks. The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2 doesn’t check MAC addresses in constant time during the processing of a malformed CBC padding. This is also known as the “Lucky Thirteen” issue.

CPENameOperatorVersion
openssleq1.0.1
openssleq1.0.0

CPE	Name	Operator	Version
	openssl	eq	1.0.1
	openssl	eq	1.0.0

References

blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/

lists.apple.com/archives/security-announce/2013/Sep/msg00002.html

lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html

lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html

lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html

lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html

lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html

lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html

lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

marc.info/?l=bugtraq&m=136396549913849&w=2

marc.info/?l=bugtraq&m=136432043316835&w=2

marc.info/?l=bugtraq&m=136439120408139&w=2

marc.info/?l=bugtraq&m=136733161405818&w=2

marc.info/?l=bugtraq&m=137545771702053&w=2

openwall.com/lists/oss-security/2013/02/05/24

rhn.redhat.com/errata/RHSA-2013-0587.html

rhn.redhat.com/errata/RHSA-2013-0782.html

rhn.redhat.com/errata/RHSA-2013-0783.html

rhn.redhat.com/errata/RHSA-2013-0833.html

rhn.redhat.com/errata/RHSA-2013-1455.html

rhn.redhat.com/errata/RHSA-2013-1456.html

secunia.com/advisories/53623

secunia.com/advisories/55108

secunia.com/advisories/55139

secunia.com/advisories/55322

secunia.com/advisories/55350

secunia.com/advisories/55351

security.gentoo.org/glsa/glsa-201406-32.xml

support.apple.com/kb/HT5880

www-01.ibm.com/support/docview.wss?uid=swg21644047

www.debian.org/security/2013/dsa-2621

www.debian.org/security/2013/dsa-2622

www.isg.rhul.ac.uk/tls/TLStiming.pdf

www.kb.cert.org/vuls/id/737740

www.mandriva.com/security/advisories?name=MDVSA-2013:095

www.matrixssl.org/news.html

www.openssl.org/news/secadv_20130204.txt

www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

www.securityfocus.com/bid/57778

www.securitytracker.com/id/1029190

www.splunk.com/view/SP-CAAAHXG

www.ubuntu.com/usn/USN-1735-1

www.us-cert.gov/cas/techalerts/TA13-051A.html

cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

lists.debian.org/debian-lts-announce/2018/09/msg00029.html

openwall.com/lists/oss-security/2013/02/05/24

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608

polarssl.org/tech-updates/releases/polarssl-1.2.5-released

puppet.com/security/cve/cve-2013-0169

support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001

wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084