medium
5
Advisory Published
CVE Published
Updated

CVE-2013-0440

First published: Thu Sep 20 2012(Updated: )

A flaw was discovered in the SSL/TLS in JSSE component of OpenJDK, that allows malicious clients to make an SSL/TLS server use an excessive amount of CPU time by repeatedly sending ClientHello packets. Client can send pre-generated packet, causing the server to repeatedly perform expensive computations when generating ServerHello response. This flaw is similar to OpenSSL <a href="https://access.redhat.com/security/cve/CVE-2011-4619">CVE-2011-4619</a> (<a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2011-4619 openssl: SGC restart DoS attack" href="show_bug.cgi?id=771780">bug #771780</a>), but the problem does not seem to be caused by an attempt to support server gated cryptography (SGC) and rather seems to be caused by an incorrect enforcing of the packet order during the SSL/TLS protocol handshake. Note that the attacker needs to keep connection open and keep re-sending ClientHello packets to keep server busy.

Credit: secalert_us@oracle.com

Affected SoftwareAffected VersionHow to fix
redhat/icedtea6<1.11.6
1.11.6
redhat/icedtea6<1.12.1
1.12.1
redhat/icedtea7<2.1.5
2.1.5
redhat/icedtea7<2.2.5
2.2.5
redhat/icedtea7<2.3.6
2.3.6
Oracle JRE=1.7.0
Oracle JRE=1.7.0-update1
Oracle JRE=1.7.0-update10
Oracle JRE=1.7.0-update11
Oracle JRE=1.7.0-update2
Oracle JRE=1.7.0-update3
Oracle JRE=1.7.0-update4
Oracle JRE=1.7.0-update5
Oracle JRE=1.7.0-update6
Oracle JRE=1.7.0-update7
Oracle JRE=1.7.0-update9
Oracle Java SE 7=1.7.0
Oracle Java SE 7=1.7.0-update1
Oracle Java SE 7=1.7.0-update10
Oracle Java SE 7=1.7.0-update11
Oracle Java SE 7=1.7.0-update2
Oracle Java SE 7=1.7.0-update3
Oracle Java SE 7=1.7.0-update4
Oracle Java SE 7=1.7.0-update5
Oracle Java SE 7=1.7.0-update6
Oracle Java SE 7=1.7.0-update7
Oracle Java SE 7=1.7.0-update9
Oracle JRE=1.6.0-update22
Oracle JRE=1.6.0-update23
Oracle JRE=1.6.0-update24
Oracle JRE=1.6.0-update25
Oracle JRE=1.6.0-update26
Oracle JRE=1.6.0-update27
Oracle JRE=1.6.0-update29
Oracle JRE=1.6.0-update30
Oracle JRE=1.6.0-update31
Oracle JRE=1.6.0-update32
Oracle JRE=1.6.0-update33
Oracle JRE=1.6.0-update34
Oracle JRE=1.6.0-update35
Oracle JRE=1.6.0-update37
Oracle JRE=1.6.0-update38
Sun Java Runtime Environment (JRE)=1.6.0
Sun Java Runtime Environment (JRE)=1.6.0-update_1
Sun Java Runtime Environment (JRE)=1.6.0-update_10
Sun Java Runtime Environment (JRE)=1.6.0-update_11
Sun Java Runtime Environment (JRE)=1.6.0-update_12
Sun Java Runtime Environment (JRE)=1.6.0-update_13
Sun Java Runtime Environment (JRE)=1.6.0-update_14
Sun Java Runtime Environment (JRE)=1.6.0-update_15
Sun Java Runtime Environment (JRE)=1.6.0-update_16
Sun Java Runtime Environment (JRE)=1.6.0-update_17
Sun Java Runtime Environment (JRE)=1.6.0-update_18
Sun Java Runtime Environment (JRE)=1.6.0-update_19
Sun Java Runtime Environment (JRE)=1.6.0-update_2
Sun Java Runtime Environment (JRE)=1.6.0-update_20
Sun Java Runtime Environment (JRE)=1.6.0-update_21
Sun Java Runtime Environment (JRE)=1.6.0-update_3
Sun Java Runtime Environment (JRE)=1.6.0-update_4
Sun Java Runtime Environment (JRE)=1.6.0-update_5
Sun Java Runtime Environment (JRE)=1.6.0-update_6
Sun Java Runtime Environment (JRE)=1.6.0-update_7
Sun Java Runtime Environment (JRE)=1.6.0-update_9
Oracle Java SE 7=1.6.0-update22
Oracle Java SE 7=1.6.0-update23
Oracle Java SE 7=1.6.0-update24
Oracle Java SE 7=1.6.0-update25
Oracle Java SE 7=1.6.0-update26
Oracle Java SE 7=1.6.0-update27
Oracle Java SE 7=1.6.0-update29
Oracle Java SE 7=1.6.0-update30
Oracle Java SE 7=1.6.0-update31
Oracle Java SE 7=1.6.0-update32
Oracle Java SE 7=1.6.0-update33
Oracle Java SE 7=1.6.0-update34
Oracle Java SE 7=1.6.0-update35
Oracle Java SE 7=1.6.0-update37
Oracle Java SE 7=1.6.0-update38
Java Development Kit (JDK)=1.6.0
Java Development Kit (JDK)=1.6.0-update_10
Java Development Kit (JDK)=1.6.0-update_11
Java Development Kit (JDK)=1.6.0-update_12
Java Development Kit (JDK)=1.6.0-update_13
Java Development Kit (JDK)=1.6.0-update_14
Java Development Kit (JDK)=1.6.0-update_15
Java Development Kit (JDK)=1.6.0-update_16
Java Development Kit (JDK)=1.6.0-update_17
Java Development Kit (JDK)=1.6.0-update_18
Java Development Kit (JDK)=1.6.0-update_19
Java Development Kit (JDK)=1.6.0-update_20
Java Development Kit (JDK)=1.6.0-update_21
Java Development Kit (JDK)=1.6.0-update_3
Java Development Kit (JDK)=1.6.0-update_4
Java Development Kit (JDK)=1.6.0-update_5
Java Development Kit (JDK)=1.6.0-update_6
Java Development Kit (JDK)=1.6.0-update_7
Java Development Kit (JDK)=1.6.0-update1
Java Development Kit (JDK)=1.6.0-update1_b06
Java Development Kit (JDK)=1.6.0-update2
Oracle JRE=1.5.0-update36
Oracle JRE=1.5.0-update38
Sun Java Runtime Environment (JRE)=1.5.0
Sun Java Runtime Environment (JRE)=1.5.0-update1
Sun Java Runtime Environment (JRE)=1.5.0-update10
Sun Java Runtime Environment (JRE)=1.5.0-update11
Sun Java Runtime Environment (JRE)=1.5.0-update12
Sun Java Runtime Environment (JRE)=1.5.0-update13
Sun Java Runtime Environment (JRE)=1.5.0-update14
Sun Java Runtime Environment (JRE)=1.5.0-update15
Sun Java Runtime Environment (JRE)=1.5.0-update16
Sun Java Runtime Environment (JRE)=1.5.0-update17
Sun Java Runtime Environment (JRE)=1.5.0-update18
Sun Java Runtime Environment (JRE)=1.5.0-update19
Sun Java Runtime Environment (JRE)=1.5.0-update2
Sun Java Runtime Environment (JRE)=1.5.0-update20
Sun Java Runtime Environment (JRE)=1.5.0-update21
Sun Java Runtime Environment (JRE)=1.5.0-update22
Sun Java Runtime Environment (JRE)=1.5.0-update23
Sun Java Runtime Environment (JRE)=1.5.0-update24
Sun Java Runtime Environment (JRE)=1.5.0-update25
Sun Java Runtime Environment (JRE)=1.5.0-update26
Sun Java Runtime Environment (JRE)=1.5.0-update27
Sun Java Runtime Environment (JRE)=1.5.0-update28
Sun Java Runtime Environment (JRE)=1.5.0-update29
Sun Java Runtime Environment (JRE)=1.5.0-update3
Sun Java Runtime Environment (JRE)=1.5.0-update31
Sun Java Runtime Environment (JRE)=1.5.0-update33
Sun Java Runtime Environment (JRE)=1.5.0-update4
Sun Java Runtime Environment (JRE)=1.5.0-update5
Sun Java Runtime Environment (JRE)=1.5.0-update6
Sun Java Runtime Environment (JRE)=1.5.0-update7
Sun Java Runtime Environment (JRE)=1.5.0-update8
Sun Java Runtime Environment (JRE)=1.5.0-update9
Oracle Java SE 7=1.5.0-update36
Oracle Java SE 7=1.5.0-update38
Java Development Kit (JDK)=1.5.0
Java Development Kit (JDK)=1.5.0-update1
Java Development Kit (JDK)=1.5.0-update10
Java Development Kit (JDK)=1.5.0-update11
Java Development Kit (JDK)=1.5.0-update11_b03
Java Development Kit (JDK)=1.5.0-update12
Java Development Kit (JDK)=1.5.0-update13
Java Development Kit (JDK)=1.5.0-update14
Java Development Kit (JDK)=1.5.0-update15
Java Development Kit (JDK)=1.5.0-update16
Java Development Kit (JDK)=1.5.0-update17
Java Development Kit (JDK)=1.5.0-update18
Java Development Kit (JDK)=1.5.0-update19
Java Development Kit (JDK)=1.5.0-update2
Java Development Kit (JDK)=1.5.0-update20
Java Development Kit (JDK)=1.5.0-update21
Java Development Kit (JDK)=1.5.0-update22
Java Development Kit (JDK)=1.5.0-update23
Java Development Kit (JDK)=1.5.0-update24
Java Development Kit (JDK)=1.5.0-update25
Java Development Kit (JDK)=1.5.0-update26
Java Development Kit (JDK)=1.5.0-update27
Java Development Kit (JDK)=1.5.0-update28
Java Development Kit (JDK)=1.5.0-update29
Java Development Kit (JDK)=1.5.0-update3
Java Development Kit (JDK)=1.5.0-update31
Java Development Kit (JDK)=1.5.0-update33
Java Development Kit (JDK)=1.5.0-update4
Java Development Kit (JDK)=1.5.0-update5
Java Development Kit (JDK)=1.5.0-update6
Java Development Kit (JDK)=1.5.0-update7
Java Development Kit (JDK)=1.5.0-update7_b03
Java Development Kit (JDK)=1.5.0-update8
Java Development Kit (JDK)=1.5.0-update9
Oracle JRE<=1.4.2_40
Oracle JRE=1.4.2_38
Sun Java Runtime Environment (JRE)=1.4.2
Sun Java Runtime Environment (JRE)=1.4.2_1
Sun Java Runtime Environment (JRE)=1.4.2_2
Sun Java Runtime Environment (JRE)=1.4.2_3
Sun Java Runtime Environment (JRE)=1.4.2_4
Sun Java Runtime Environment (JRE)=1.4.2_5
Sun Java Runtime Environment (JRE)=1.4.2_6
Sun Java Runtime Environment (JRE)=1.4.2_7
Sun Java Runtime Environment (JRE)=1.4.2_8
Sun Java Runtime Environment (JRE)=1.4.2_9
Sun Java Runtime Environment (JRE)=1.4.2_10
Sun Java Runtime Environment (JRE)=1.4.2_11
Sun Java Runtime Environment (JRE)=1.4.2_12
Sun Java Runtime Environment (JRE)=1.4.2_13
Sun Java Runtime Environment (JRE)=1.4.2_14
Sun Java Runtime Environment (JRE)=1.4.2_15
Sun Java Runtime Environment (JRE)=1.4.2_16
Sun Java Runtime Environment (JRE)=1.4.2_17
Sun Java Runtime Environment (JRE)=1.4.2_18
Sun Java Runtime Environment (JRE)=1.4.2_19
Sun Java Runtime Environment (JRE)=1.4.2_20
Sun Java Runtime Environment (JRE)=1.4.2_21
Sun Java Runtime Environment (JRE)=1.4.2_22
Sun Java Runtime Environment (JRE)=1.4.2_23
Sun Java Runtime Environment (JRE)=1.4.2_24
Sun Java Runtime Environment (JRE)=1.4.2_25
Sun Java Runtime Environment (JRE)=1.4.2_26
Sun Java Runtime Environment (JRE)=1.4.2_27
Sun Java Runtime Environment (JRE)=1.4.2_28
Sun Java Runtime Environment (JRE)=1.4.2_29
Sun Java Runtime Environment (JRE)=1.4.2_30
Sun Java Runtime Environment (JRE)=1.4.2_31
Sun Java Runtime Environment (JRE)=1.4.2_32
Sun Java Runtime Environment (JRE)=1.4.2_33
Sun Java Runtime Environment (JRE)=1.4.2_34
Sun Java Runtime Environment (JRE)=1.4.2_35
Sun Java Runtime Environment (JRE)=1.4.2_36
Sun Java Runtime Environment (JRE)=1.4.2_37
Oracle Java SE 7<=1.4.2_40
Oracle Java SE 7=1.4.2_38
Java Development Kit (JDK)=1.4.2
Java Development Kit (JDK)=1.4.2_1
Java Development Kit (JDK)=1.4.2_2
Java Development Kit (JDK)=1.4.2_3
Java Development Kit (JDK)=1.4.2_4
Java Development Kit (JDK)=1.4.2_5
Java Development Kit (JDK)=1.4.2_6
Java Development Kit (JDK)=1.4.2_7
Java Development Kit (JDK)=1.4.2_8
Java Development Kit (JDK)=1.4.2_9
Java Development Kit (JDK)=1.4.2_10
Java Development Kit (JDK)=1.4.2_11
Java Development Kit (JDK)=1.4.2_12
Java Development Kit (JDK)=1.4.2_13
Java Development Kit (JDK)=1.4.2_14
Java Development Kit (JDK)=1.4.2_15
Java Development Kit (JDK)=1.4.2_16
Java Development Kit (JDK)=1.4.2_17
Java Development Kit (JDK)=1.4.2_18
Java Development Kit (JDK)=1.4.2_19
Java Development Kit (JDK)=1.4.2_22
Java Development Kit (JDK)=1.4.2_23
Java Development Kit (JDK)=1.4.2_25
Java Development Kit (JDK)=1.4.2_26
Java Development Kit (JDK)=1.4.2_27
Java Development Kit (JDK)=1.4.2_28
Java Development Kit (JDK)=1.4.2_29
Java Development Kit (JDK)=1.4.2_30
Java Development Kit (JDK)=1.4.2_31
Java Development Kit (JDK)=1.4.2_32
Java Development Kit (JDK)=1.4.2_33
Java Development Kit (JDK)=1.4.2_34
Java Development Kit (JDK)=1.4.2_35
Java Development Kit (JDK)=1.4.2_36
Java Development Kit (JDK)=1.4.2_37

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2013-0440?

    CVE-2013-0440 has been assigned a severity rating of medium due to its potential to consume excessive CPU resources.

  • How do I fix CVE-2013-0440?

    To mitigate CVE-2013-0440, update your OpenJDK to the latest versions listed in the remediation guidelines.

  • What software is affected by CVE-2013-0440?

    CVE-2013-0440 affects several versions of OpenJDK and Oracle JDK and JRE, including specific update levels.

  • Can CVE-2013-0440 be exploited remotely?

    Yes, an attacker could exploit CVE-2013-0440 remotely by sending specially crafted ClientHello packets to the affected server.

  • Is there any workaround for CVE-2013-0440?

    Currently, the best workaround for CVE-2013-0440 is to update the affected Java environments to the recommended secure versions.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203