// For flags

CVE-2013-0169

SSL/TLS: CBC padding timing attack (lucky-13)

Severity Score

5.9
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

El protocolo TLS v1.1 y v1.2 y el protocolo DTLS v1.0 y v1.2, tal como se utiliza en OpenSSL, OpenJDK, PolarSSL, y otros productos, no considera adecuadamente ataques a un requisito de verificación MAC durante el proceso de relleno CBC malformado, lo que permite a atacantes remotos para realizar ataques distintivos y los ataques de recuperación de texto plano través del análisis estadístico de los datos de tiempo de los paquetes hechos a mano, también conocido como el "Lucky Thirteen" de emisión.

Red Hat Enterprise Virtualization Manager provides access to virtual machines using SPICE. These SPICE client packages provide the SPICE client and usbclerk service for both Windows 32-bit operating systems and Windows 64-bit operating systems. The rhevm-spice-client package includes the mingw-virt-viewer Windows SPICE client. OpenSSL, a general purpose cryptography library with a TLS implementation, is bundled with mingw-virt-viewer. The mingw-virt-viewer package has been updated to correct the following issues: An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2012-12-06 CVE Reserved
  • 2013-02-05 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-04-01 First Exploit
  • 2025-07-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-310: Cryptographic Issues
CAPEC
References (58)
URL Tag Source
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released Third Party Advisory
http://openwall.com/lists/oss-security/2013/02/05/24 Mailing List
http://secunia.com/advisories/53623 Third Party Advisory
http://secunia.com/advisories/55108 Third Party Advisory
http://secunia.com/advisories/55139 Third Party Advisory
http://secunia.com/advisories/55322 Third Party Advisory
http://secunia.com/advisories/55350 Third Party Advisory
http://secunia.com/advisories/55351 Third Party Advisory
http://support.apple.com/kb/HT5880 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21644047 Third Party Advisory
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf Third Party Advisory
http://www.kb.cert.org/vuls/id/737740 Third Party Advisory
http://www.matrixssl.org/news.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html Third Party Advisory
http://www.securityfocus.com/bid/57778 Third Party Advisory
http://www.securitytracker.com/id/1029190 Third Party Advisory
http://www.splunk.com/view/SP-CAAAHXG Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA13-051A.html Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608 Signature
https://puppet.com/security/cve/cve-2013-0169 Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001 Third Party Advisory
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 Third Party Advisory
URL Date SRC
https://github.com/wearohat/lucky13 2025-04-01
URL Date SRC
URL Date SRC
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html 2023-05-12
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html 2023-05-12
http://marc.info/?l=bugtraq&m=136396549913849&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=136432043316835&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=136439120408139&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=136733161405818&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=137545771702053&w=2 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0587.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0782.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0783.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0833.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-1455.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-1456.html 2023-05-12
http://security.gentoo.org/glsa/glsa-201406-32.xml 2023-05-12
http://www.debian.org/security/2013/dsa-2621 2023-05-12
http://www.debian.org/security/2013/dsa-2622 2023-05-12
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 2023-05-12
http://www.openssl.org/news/secadv_20130204.txt 2023-05-12
http://www.ubuntu.com/usn/USN-1735-1 2023-05-12
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released 2023-05-12
https://access.redhat.com/security/cve/CVE-2013-0169 2020-10-27
https://bugzilla.redhat.com/show_bug.cgi?id=907589 2020-10-27
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 >= 0.9.8 <= 0.9.8x
Search vendor "Openssl" for product "Openssl" and version " >= 0.9.8 <= 0.9.8x"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 >= 1.0.0 <= 1.0.0j
Search vendor "Openssl" for product "Openssl" and version " >= 1.0.0 <= 1.0.0j"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 >= 1.0.1 <= 1.0.1d
Search vendor "Openssl" for product "Openssl" and version " >= 1.0.1 <= 1.0.1d"
-
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
-
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update1
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update10
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update11
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update12
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update13
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update14
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update15
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update16
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update17
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update18
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update19
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update2
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update20
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update21
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update22
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update23
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update24
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update25
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update26
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update27
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update29
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update3
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update30
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update31
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update32
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update33
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update34
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update35
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update37
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update38
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update4
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update5
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update6
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.6.0
Search vendor "Oracle" for product "Openjdk" and version "1.6.0"
update7
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
-
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update1
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update10
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update11
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update13
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update2
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update3
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update4
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update5
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update6
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update7
Affected
Oracle
Search vendor "Oracle"
 Openjdk
Search vendor "Oracle" for product "Openjdk"
 1.7.0
Search vendor "Oracle" for product "Openjdk" and version "1.7.0"
update9
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.10.0
Search vendor "Polarssl" for product "Polarssl" and version "0.10.0"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.10.1
Search vendor "Polarssl" for product "Polarssl" and version "0.10.1"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.11.0
Search vendor "Polarssl" for product "Polarssl" and version "0.11.0"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.11.1
Search vendor "Polarssl" for product "Polarssl" and version "0.11.1"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.12.0
Search vendor "Polarssl" for product "Polarssl" and version "0.12.0"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.12.1
Search vendor "Polarssl" for product "Polarssl" and version "0.12.1"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.13.1
Search vendor "Polarssl" for product "Polarssl" and version "0.13.1"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.14.0
Search vendor "Polarssl" for product "Polarssl" and version "0.14.0"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.14.2
Search vendor "Polarssl" for product "Polarssl" and version "0.14.2"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.14.3
Search vendor "Polarssl" for product "Polarssl" and version "0.14.3"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.99
Search vendor "Polarssl" for product "Polarssl" and version "0.99"
pre1
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.99
Search vendor "Polarssl" for product "Polarssl" and version "0.99"
pre3
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.99
Search vendor "Polarssl" for product "Polarssl" and version "0.99"
pre4
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 0.99
Search vendor "Polarssl" for product "Polarssl" and version "0.99"
pre5
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.0.0
Search vendor "Polarssl" for product "Polarssl" and version "1.0.0"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.1.0
Search vendor "Polarssl" for product "Polarssl" and version "1.1.0"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.1.0
Search vendor "Polarssl" for product "Polarssl" and version "1.1.0"
rc0
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.1.0
Search vendor "Polarssl" for product "Polarssl" and version "1.1.0"
rc1
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.1.1
Search vendor "Polarssl" for product "Polarssl" and version "1.1.1"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.1.2
Search vendor "Polarssl" for product "Polarssl" and version "1.1.2"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.1.3
Search vendor "Polarssl" for product "Polarssl" and version "1.1.3"
-
Affected
Polarssl
Search vendor "Polarssl"
 Polarssl
Search vendor "Polarssl" for product "Polarssl"
 1.1.4
Search vendor "Polarssl" for product "Polarssl" and version "1.1.4"
-
Affected