CVE-2013-2566

Published: Mar 15, 2013Modified: Apr 29, 2026

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

Affected (26)

Products: Oracle: Communications Application Session Controller, Http Server, Integrated Lights Out Manager Firmware · Fujitsu: Sparc Enterprise M3000 Firmware, Sparc Enterprise M4000 Firmware, Sparc Enterprise M5000 Firmware, Sparc Enterprise M8000 Firmware, Sparc Enterprise M9000 Firmware, M10 1 Firmware, M10 4 Firmware, M10 4s Firmware · Canonical: Ubuntu Linux · +1 more

Show all products

Oracle

3 products

Communications Application Session Controller

Http Server

Integrated Lights Out Manager Firmware

Fujitsu

8 products

Sparc Enterprise M3000 Firmware

Sparc Enterprise M4000 Firmware

Sparc Enterprise M5000 Firmware

Sparc Enterprise M8000 Firmware

Sparc Enterprise M9000 Firmware

1 product

4 products

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Application Session Controller	From 3.0.0 to 3.9.1
Oracle Http Server	Version 11.1.1.7.0
Oracle Http Server	Version 11.1.1.9.0
Oracle Http Server	Version 12.1.3.0.0
Oracle Http Server	Version 12.2.1.1.0
Oracle Http Server	Version 12.2.1.2.0
Oracle Integrated Lights Out Manager Firmware	From 3.0.0 to 3.2.11
Oracle Integrated Lights Out Manager Firmware	From 4.0.0 to 4.0.4

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu Sparc Enterprise M3000 Firmware	From xcp to xcp_1121

Running on/with	Platform Versions
Fujitsu Sparc Enterprise M3000	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu Sparc Enterprise M4000 Firmware	From xcp to xcp_1121

Running on/with	Platform Versions
Fujitsu Sparc Enterprise M4000	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu Sparc Enterprise M5000 Firmware	From xcp to xcp_1121

Running on/with	Platform Versions
Fujitsu Sparc Enterprise M5000	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu Sparc Enterprise M8000 Firmware	From xcp to xcp_1121

Running on/with	Platform Versions
Fujitsu Sparc Enterprise M8000	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu Sparc Enterprise M9000 Firmware	From xcp to xcp_1121

Running on/with	Platform Versions
Fujitsu Sparc Enterprise M9000	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M10 1 Firmware	From xcp to xcp2280

Running on/with	Platform Versions
Fujitsu M10 1	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M10 4 Firmware	From xcp to xcp2280

Running on/with	Platform Versions
Fujitsu M10 4	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Fujitsu M10 4s Firmware	From xcp to xcp2280

Running on/with	Platform Versions
Fujitsu M10 4s	All versions

Configuration J

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 12.10
Canonical Ubuntu Linux	Version 13.04
Canonical Ubuntu Linux	Version 13.10

Configuration K

6 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 17.0.11
Mozilla Firefox	Before 25.0.1
Mozilla Firefox	From 24.1.0 to 24.1.1
Mozilla Seamonkey	Before 2.22.1
Mozilla Thunderbird	Before 24.1.1
Mozilla Thunderbird Esr	Before 17.0.11

Related CWEs

CWE-326

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (42)

http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html

Source: cve@mitre.org

Third Party Advisory

http://cr.yp.to/talks/2013.03.12/slides.pdf

Source: cve@mitre.org

Third Party Advisory

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

Source: cve@mitre.org

Third Party Advisory

http://marc.info/?l=bugtraq&m=143039468003789&w=2

Source: cve@mitre.org

Issue TrackingThird Party Advisory

http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4

Source: cve@mitre.org

Third Party Advisory

http://security.gentoo.org/glsa/glsa-201406-19.xml

Source: cve@mitre.org

Third Party Advisory

http://www.isg.rhul.ac.uk/tls/

Source: cve@mitre.org

Third Party Advisory

http://www.mozilla.org/security/announce/2013/mfsa2013-103.html

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/docs/changelogs/unified/1215/

Source: cve@mitre.org

Third Party Advisory

http://www.opera.com/security/advisory/1046

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Source: cve@mitre.org

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/58796

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/USN-2031-1

Source: cve@mitre.org

Third Party Advisory

http://www.ubuntu.com/usn/USN-2032-1

Source: cve@mitre.org

Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935

Source: cve@mitre.org

Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888

Source: cve@mitre.org

Third Party Advisory

https://security.gentoo.org/glsa/201504-01

Source: cve@mitre.org

Third Party Advisory

http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html