CVE-2013-1620

Published: Feb 8, 2013Modified: Apr 29, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Affected (25)

Products: Mozilla: Network Security Services · Canonical: Ubuntu Linux · Oracle: Enterprise Manager Ops Center, Glassfish Communications Server, Glassfish Server, Iplanet Web Proxy Server, Iplanet Web Server, Opensso, Traffic Director, Vm Server · +1 more

Show all products

Mozilla: Network Security Services · Canonical: Ubuntu Linux · Oracle: Enterprise Manager Ops Center, Glassfish Communications Server, Glassfish Server, Iplanet Web Proxy Server, Iplanet Web Server, Opensso, Traffic Director, Vm Server · Redhat: Enterprise Linux Desktop, Enterprise Linux Eus, Enterprise Linux Server, Enterprise Linux Server Aus, Enterprise Linux Workstation

Mozilla

1 product

Network Security Services

Canonical

1 product

Ubuntu Linux

Oracle

8 products

Enterprise Manager Ops Center

Glassfish Communications Server

Glassfish Server

Iplanet Web Proxy Server

5 products

Enterprise Linux Desktop

Enterprise Linux Eus

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Workstation

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Network Security Services	Before 3.14.3

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 10.04
Canonical Ubuntu Linux	Version 11.10
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 12.10

Configuration C

12 vulnerable

Vulnerable Software	Affected Versions
Oracle Enterprise Manager Ops Center	Version 11.1
Oracle Enterprise Manager Ops Center	Version 12.1
Oracle Enterprise Manager Ops Center	Version 12.2
Oracle Glassfish Communications Server	Version 2.0
Oracle Glassfish Server	Version 2.1.1
Oracle Iplanet Web Proxy Server	Version 4.0
Oracle Iplanet Web Server	Version 6.1
Oracle Iplanet Web Server	Version 7.0
Oracle Opensso	Version 3.0-03
Oracle Traffic Director	Version 11.1.1.6.0
Oracle Traffic Director	Version 11.1.1.7.0
Oracle Vm Server	Version 3.2

Configuration D

8 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux Desktop	Version 5.0
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Eus	Version 5.9
Redhat Enterprise Linux Server	Version 5.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server Aus	Version 5.9
Redhat Enterprise Linux Workstation	Version 5.0
Redhat Enterprise Linux Workstation	Version 6.0

Related CWEs

CWE-203

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (38)

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html

Source: cve@mitre.org

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html

Source: cve@mitre.org

Broken Link

http://openwall.com/lists/oss-security/2013/02/05/24

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://rhn.redhat.com/errata/RHSA-2013-1135.html

Source: cve@mitre.org

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2013-1144.html

Source: cve@mitre.org

Third Party Advisory

http://seclists.org/fulldisclosure/2014/Dec/23

Source: cve@mitre.org

Mailing ListThird Party Advisory

http://security.gentoo.org/glsa/glsa-201406-19.xml

Source: cve@mitre.org

Third Party Advisory

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

Source: cve@mitre.org

Technical DescriptionThird Party Advisory

http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/archive/1/534161/100/0/threaded

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/57777

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/64758

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/USN-1763-1

Source: cve@mitre.org

Third Party Advisory

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: cve@mitre.org

Third Party Advisory

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761