The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/ cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136396549913849&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136432043316835&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136439120408139&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136733161405818&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=137545771702053&w=2 cve-icon cve-icon
http://openwall.com/lists/oss-security/2013/02/05/24 cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0587.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0782.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0783.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-0833.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-1455.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2013-1456.html cve-icon cve-icon
http://secunia.com/advisories/53623 cve-icon cve-icon
http://secunia.com/advisories/55108 cve-icon cve-icon
http://secunia.com/advisories/55139 cve-icon cve-icon
http://secunia.com/advisories/55322 cve-icon cve-icon
http://secunia.com/advisories/55350 cve-icon cve-icon
http://secunia.com/advisories/55351 cve-icon cve-icon
http://security.gentoo.org/glsa/glsa-201406-32.xml cve-icon cve-icon
http://support.apple.com/kb/HT5880 cve-icon cve-icon
http://www-01.ibm.com/support/docview.wss?uid=swg21644047 cve-icon cve-icon
http://www.debian.org/security/2013/dsa-2621 cve-icon cve-icon
http://www.debian.org/security/2013/dsa-2622 cve-icon cve-icon
http://www.isg.rhul.ac.uk/tls/ cve-icon
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf cve-icon cve-icon
http://www.kb.cert.org/vuls/id/737740 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 cve-icon cve-icon
http://www.matrixssl.org/news.html cve-icon cve-icon
http://www.openssl.org/news/secadv_20130204.txt cve-icon cve-icon
http://www.openssl.org/news/secadv_20130205.txt cve-icon
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html cve-icon cve-icon
http://www.securityfocus.com/bid/57778 cve-icon cve-icon
http://www.securitytracker.com/id/1029190 cve-icon cve-icon
http://www.splunk.com/view/SP-CAAAHXG cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1735-1 cve-icon cve-icon
http://www.us-cert.gov/cas/techalerts/TA13-051A.html cve-icon cve-icon
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2013-0169 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608 cve-icon cve-icon
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released cve-icon cve-icon cve-icon
https://puppet.com/security/cve/cve-2013-0169 cve-icon cve-icon
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001 cve-icon cve-icon
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2013-0169 cve-icon
History

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.01022}

epss

{'score': 0.01291}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-06T14:18:09.503Z

Reserved: 2012-12-06T00:00:00

Link: CVE-2013-0169

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2013-02-08T19:55:01.030

Modified: 2025-04-11T00:51:21.963

Link: CVE-2013-0169

cve-icon Redhat

Severity : Moderate

Publid Date: 2013-02-04T00:00:00Z

Links: CVE-2013-0169 - Bugzilla

cve-icon OpenCVE Enrichment

No data.