CVE-2013-1620
First published: Mon Feb 04 2013(Updated: )
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nspr | <0:4.9.5-1.el5_9 | 0:4.9.5-1.el5_9 |
| redhat/nss | <0:3.14.3-6.el5_9 | 0:3.14.3-6.el5_9 |
| redhat/nspr | <0:4.9.5-2.el6_4 | 0:4.9.5-2.el6_4 |
| redhat/nss | <0:3.14.3-4.el6_4 | 0:3.14.3-4.el6_4 |
| redhat/nss-softokn | <0:3.14.3-3.el6_4 | 0:3.14.3-3.el6_4 |
| redhat/nss-util | <0:3.14.3-3.el6_4 | 0:3.14.3-3.el6_4 |
| redhat/rhev-hypervisor6 | <0:6.4-20130815.0.el6_4 | 0:6.4-20130815.0.el6_4 |
| redhat/nss | <3.14.3 | 3.14.3 |
| Mozilla Network Security Services | <3.14.3 | |
| Canonical Ubuntu Linux | =10.04 | |
| Canonical Ubuntu Linux | =11.10 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =12.10 | |
| Oracle Enterprise Manager Ops Center | =11.1 | |
| Oracle Enterprise Manager Ops Center | =12.1 | |
| Oracle Enterprise Manager Ops Center | =12.2 | |
| Oracle Glassfish Communications Server | =2.0 | |
| Oracle GlassFish Server | =2.1.1 | |
| Oracle Iplanet Web Proxy Server | =4.0 | |
| Oracle iPlanet Web Server | =6.1 | |
| Oracle iPlanet Web Server | =7.0 | |
| Oracle OpenSSO | =3.0-03 | |
| Oracle Traffic Director | =11.1.1.6.0 | |
| Oracle Traffic Director | =11.1.1.7.0 | |
| Oracle VM Server | =3.2 | |
| Redhat Enterprise Linux Desktop | =5.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Eus | =5.9 | |
| Redhat Enterprise Linux Server | =5.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server Aus | =5.9 | |
| Redhat Enterprise Linux Workstation | =5.0 | |
| Redhat Enterprise Linux Workstation | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html
- http://openwall.com/lists/oss-security/2013/02/05/24
- http://rhn.redhat.com/errata/RHSA-2013-1135.html
- http://rhn.redhat.com/errata/RHSA-2013-1144.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://security.gentoo.org/glsa/glsa-201406-19.xml
- http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/57777
- http://www.securityfocus.com/bid/64758
- http://www.ubuntu.com/usn/USN-1763-1
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=822365
- http://www.isg.rhul.ac.uk/tls/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=908257
- https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes#Notable_Changes_in_NSS_3.14.3
- https://rhn.redhat.com/errata/RHSA-2013-1135.html
- https://rhn.redhat.com/errata/RHSA-2013-1144.html
- https://rhn.redhat.com/errata/RHSA-2013-1181.html
- https://bugzilla.redhat.com/show_bug.cgi?id=908234
- https://www.cve.org/CVERecord?id=CVE-2013-1620 https://nvd.nist.gov/vuln/detail/CVE-2013-1620 http://www.isg.rhul.ac.uk/tls/
- https://access.redhat.com/errata/RHSA-2013:1135
- https://access.redhat.com/errata/RHSA-2013:1144
- https://access.redhat.com/errata/RHSA-2013:1181
- https://access.redhat.com/security/cve/CVE-2013-1620
Parent vulnerabilities
(Appears in the following advisories)
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- alias/CVE-2013-1620
- collector/redhat-cve
- vendor/mozilla
- canonical/mozilla network security services
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/10.04
- version/canonical ubuntu linux/11.10
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/12.10
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/11.1
- version/oracle enterprise manager ops center/12.1
- version/oracle enterprise manager ops center/12.2
- canonical/oracle glassfish communications server
- version/oracle glassfish communications server/2.0
- canonical/oracle glassfish server
- version/oracle glassfish server/2.1.1
- canonical/oracle iplanet web proxy server
- version/oracle iplanet web proxy server/4.0
- canonical/oracle iplanet web server
- version/oracle iplanet web server/6.1
- version/oracle iplanet web server/7.0
- canonical/oracle opensso
- version/oracle opensso/3.0-03
- canonical/oracle traffic director
- version/oracle traffic director/11.1.1.6.0
- version/oracle traffic director/11.1.1.7.0
- canonical/oracle vm server
- version/oracle vm server/3.2
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/5.0
- version/redhat enterprise linux desktop/6.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/5.9
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/5.0
- version/redhat enterprise linux server/6.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/5.9
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/5.0
- version/redhat enterprise linux workstation/6.0
- package-manager/redhat