## Summary
A number of security vulnerabilities in IBM Cognos Express have been identified and addressed in a software update.
## Vulnerability Details
**CVE ID: ** [CVE-2013-5443](<https://vulners.com/cve/CVE-2013-5443>)
**DESCRIPTION:**
A Cross Site Request Forgery (CSRF) vulnerability in IBM Cognos Express allows an attacker that is able to trick an authenticated user into clicking or following a malicious link to perform actions they did not intend to.
**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87819> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.
* [Cognos Express 10.2.1 FP1](<http://www.ibm.com/support/docview.wss?uid=swg24037194>)
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
**CVE ID: ** [CVE-2013-5445](<https://vulners.com/cve/CVE-2013-5445>)
**
**
**DESCRIPTION: **
Encrypted credentials can be remotely retrieved from the IBM Cognos Express server.
**CVSS: **
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87821> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.
* [Cognos Express 10.2.1 FP1](<http://www.ibm.com/support/docview.wss?uid=swg24037194>)
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
**CVE ID: ** [CVE-2013-5444](<https://vulners.com/cve/CVE-2013-5444>)
**DESCRIPTION: **
Encryption is unnecessarily weakened due to use of a static key which could assist an attacker with decrypting information they should not have access to.
**CVSS: **
CVSS Base Score: 1.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87820> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.2.1
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical.
* [Cognos Express 10.2.1 FP1](<http://www.ibm.com/support/docview.wss?uid=swg24037194>)
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
**CVE ID: ** [CVE-2013-2407](<https://vulners.com/cve/CVE-2013-2407>)
**DESCRIPTION:**
The IBM Java JRE used in IBM Cognos Express could allow an attacker that is able to send a specially crafted XML data to server to cause a denial of service.
**CVSS: **
CVSS Base Score: 6.4
CVSS Temporal Score: See CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/85044> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the versions listed.
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
**CVE ID: ** [CVE-2013-2450](<https://vulners.com/cve/CVE-2013-2450>)
**DESCRIPTION:
**The IBM Java JRE used in IBM Cognos Express could allow an attacker that is able to send a specially crafted data to server to cause a denial of service.
**CVSS: **
CVSS Base Score: 5
CVSS Temporal Score: See CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/85057> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the versions listed.
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
**CVE ID: ** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>)
**DESCRIPTION: **
The IBM Java JRE used in IBM Cognos Express is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as "Lucky Thirteen." The vulnerability could allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets.
**CVSS: **
CVSS Base Score: 4.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the versions listed.
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
**CVE ID: ** [CVE-2013-1478](<https://vulners.com/cve/CVE-2013-1478>)**
**
**DESCRIPTION: **
The IBM Java JRE used in IBM Cognos Express is susceptible to a unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to 2D.
**CVSS: **
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81754>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the versions listed.
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
**CVE ID: ** [CVE-2013-1480](<https://vulners.com/cve/CVE-2013-1480>)
**DESCRIPTION:
**The IBM Java JRE used in IBM Cognos Express is susceptible to a unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to AWT.
**CVSS: **
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81757>
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
**AFFECTED PLATFORMS:**
IBM Cognos Express 10.1
IBM Cognos Express 9.5
IBM Cognos Express 9.0
**REMEDIATION:**
The recommended solution is to apply the fix in one of the versions listed.
* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)
## Workarounds and Mitigations
None. Install the fixes as listed above.
##
{"id": "89826858CF10F9B56C50470B3C39DB96D911844221CFE9ED3E49161D3BCF5F04", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: Multiple vulnerabilities in IBM Cognos Express (CVE-2013-5443, CVE-2013-5445, CVE-2013-5444, CVE-2013-2407, CVE-2013-2450, CVE-2013-0169, CVE-2013-1478, CVE-2013-1480)", "description": "## Summary\n\nA number of security vulnerabilities in IBM Cognos Express have been identified and addressed in a software update.\n\n## Vulnerability Details\n\n**CVE ID: ** [CVE-2013-5443](<https://vulners.com/cve/CVE-2013-5443>) \n**DESCRIPTION:** \nA Cross Site Request Forgery (CSRF) vulnerability in IBM Cognos Express allows an attacker that is able to trick an authenticated user into clicking or following a malicious link to perform actions they did not intend to. \n \n**CVSS:** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87819> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.2.1 \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical. \n \n\n\n* [Cognos Express 10.2.1 FP1](<http://www.ibm.com/support/docview.wss?uid=swg24037194>)\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n \n**CVE ID: ** [CVE-2013-5445](<https://vulners.com/cve/CVE-2013-5445>) \n** \n** \n**DESCRIPTION: ** \nEncrypted credentials can be remotely retrieved from the IBM Cognos Express server. \n \n**CVSS: ** \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87821> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.2.1 \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical. \n \n\n* [Cognos Express 10.2.1 FP1](<http://www.ibm.com/support/docview.wss?uid=swg24037194>)\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n**CVE ID: ** [CVE-2013-5444](<https://vulners.com/cve/CVE-2013-5444>) \n \n \n**DESCRIPTION: ** \nEncryption is unnecessarily weakened due to use of a static key which could assist an attacker with decrypting information they should not have access to. \n \n**CVSS: ** \nCVSS Base Score: 1.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87820> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.2.1 \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the 9.0-10.1 versions listed or apply the fix to the 10.2.1 version as soon as practical. \n \n\n* [Cognos Express 10.2.1 FP1](<http://www.ibm.com/support/docview.wss?uid=swg24037194>)\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n \n**CVE ID: ** [CVE-2013-2407](<https://vulners.com/cve/CVE-2013-2407>) \n \n \n**DESCRIPTION:** \nThe IBM Java JRE used in IBM Cognos Express could allow an attacker that is able to send a specially crafted XML data to server to cause a denial of service. \n \n**CVSS: ** \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/85044> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the versions listed. \n \n\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n \n**CVE ID: ** [CVE-2013-2450](<https://vulners.com/cve/CVE-2013-2450>) \n \n \n**DESCRIPTION: \n**The IBM Java JRE used in IBM Cognos Express could allow an attacker that is able to send a specially crafted data to server to cause a denial of service. \n \n**CVSS: ** \nCVSS Base Score: 5 \nCVSS Temporal Score: See CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/85057> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the versions listed. \n \n\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n**CVE ID: ** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>) \n \n \n**DESCRIPTION: ** \nThe IBM Java JRE used in IBM Cognos Express is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as \"Lucky Thirteen.\" The vulnerability could allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets. \n \n**CVSS: ** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the versions listed. \n \n\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n \n**CVE ID: ** [CVE-2013-1478](<https://vulners.com/cve/CVE-2013-1478>)** \n** \n \n**DESCRIPTION: ** \nThe IBM Java JRE used in IBM Cognos Express is susceptible to a unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to 2D. \n \n**CVSS: ** \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81754> \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the versions listed. \n \n\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n \n**CVE ID: ** [CVE-2013-1480](<https://vulners.com/cve/CVE-2013-1480>) \n \n \n**DESCRIPTION: \n**The IBM Java JRE used in IBM Cognos Express is susceptible to a unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability, related to AWT. \n \n**CVSS: ** \nCVSS Base Score: 10 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81757> \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n**AFFECTED PLATFORMS:** \nIBM Cognos Express 10.1 \nIBM Cognos Express 9.5 \nIBM Cognos Express 9.0 \n \n**REMEDIATION:** \nThe recommended solution is to apply the fix in one of the versions listed. \n \n\n* [Cognos Express 10.1 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.5 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n* [Cognos Express 9.0 Interim Fix 2 (IFIX 2)](<http://www.ibm.com/support/docview.wss?uid=swg24037193>)\n \n \n\n\n## Workarounds and Mitigations\n\nNone. Install the fixes as listed above.\n\n## ", "published": "2022-11-10T12:06:25", "modified": "2022-11-10T12:06:25", "epss": [{"cve": "CVE-2013-0169", "epss": 0.00536, "percentile": 0.73943, "modified": "2023-06-19"}, {"cve": "CVE-2013-1478", "epss": 0.09329, "percentile": 0.93837, "modified": "2023-06-19"}, {"cve": "CVE-2013-1480", "epss": 0.06284, "percentile": 0.92567, "modified": "2023-06-19"}, {"cve": "CVE-2013-2407", "epss": 0.08936, "percentile": 0.9371, "modified": "2023-06-23"}, {"cve": "CVE-2013-2450", "epss": 0.09117, "percentile": 0.93773, "modified": "2023-06-23"}, {"cve": "CVE-2013-5443", "epss": 0.00094, "percentile": 0.387, "modified": "2023-06-23"}, {"cve": "CVE-2013-5444", "epss": 0.00204, "percentile": 0.57168, "modified": "2023-06-23"}, {"cve": "CVE-2013-5445", "epss": 0.00127, "percentile": 0.4623, "modified": "2023-06-23"}], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10.0}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {}, "href": "https://www.ibm.com/support/pages/node/242159", "reporter": "IBM", "references": [], "cvelist": ["CVE-2013-0169", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-2407", "CVE-2013-2450", "CVE-2013-5443", "CVE-2013-5444", "CVE-2013-5445"], "immutableFields": [], "lastseen": "2023-06-24T05:53:01", "viewCount": 12, "enchantments": {"affected_software": {"major_version": [{"name": "ibm planning analytics express", "version": 9}, {"name": "ibm planning analytics express", "version": 9}, {"name": "ibm planning analytics express", "version": 10}, {"name": "ibm planning analytics express", "version": 10}]}, "dependencies": {"references": [{"type": "aix", "idList": ["OPENSSH_ADVISORY2.ASC", "OPENSSL_ADVISORY5.ASC"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2016-2107", "ALPINE:CVE-2018-0497"]}, {"type": "altlinux", "idList": ["39DBB4D94511FCA7FDA51A77CFC51473", "7D3BBDC21038EFD8B1902BE7C13DF0E4", "86333ABC5C9649A16C2D01CDB74BE5C4", "F69337A7FACE56FE25E8F0492906D4BA", "FB75E7F7060485250B21CEA7891ABBD6"]}, {"type": "amazon", "idList": ["ALAS-2013-155", "ALAS-2013-156", "ALAS-2013-162", "ALAS-2013-163", "ALAS-2013-171", "ALAS-2013-204", "ALAS-2013-207", "ALAS-2014-320"]}, {"type": "archlinux", "idList": ["ASA-201605-3", "ASA-201605-4"]}, {"type": "centos", "idList": ["CESA-2013:0245", "CESA-2013:0246", "CESA-2013:0247", "CESA-2013:0273", "CESA-2013:0274", "CESA-2013:0275", "CESA-2013:0587", "CESA-2013:0957", "CESA-2013:0958", "CESA-2013:1014"]}, {"type": "cert", "idList": ["VU:737740", "VU:858729"]}, {"type": "cve", "idList": ["CVE-2013-0169", "CVE-2013-1478", "CVE-2013-1480", "CVE-2013-1618", "CVE-2013-1619", "CVE-2013-1620", "CVE-2013-1621", "CVE-2013-1623", "CVE-2013-1624", "CVE-2013-2116", "CVE-2013-2407", "CVE-2013-2450", "CVE-2013-5443", "CVE-2013-5444", "CVE-2013-5445", "CVE-2016-2107", "CVE-2018-0497"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1518-1:A6705", "DEBIAN:DLA-1518-1:EF500", "DEBIAN:DSA-2621-1:52BC0", "DEBIAN:DSA-2622-1:EE504", "DEBIAN:DSA-2722-1:0F82B", "DEBIAN:DSA-2727-1:34891"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2013-0169", "DEBIANCVE:CVE-2013-1619", "DEBIANCVE:CVE-2013-1620", "DEBIANCVE:CVE-2013-1624", "DEBIANCVE:CVE-2016-2107", "DEBIANCVE:CVE-2018-0497"]}, {"type": "f5", "idList": ["F5:K14190", "F5:K15622", "F5:K15630", "F5:K15637", "F5:K93600123", "SOL14190", "SOL15630", "SOL15637", "SOL15721", "SOL93600123"]}, {"type": "fedora", "idList": ["FEDORA:2A3D62083D", "FEDORA:32C0C208B4", "FEDORA:3B8F6208CD", "FEDORA:5F614206D5", "FEDORA:811AA20A83", "FEDORA:A2D5520A3D", "FEDORA:BA848210A3", "FEDORA:C01F021E98", "FEDORA:C041720764", "FEDORA:C5762206E3", "FEDORA:C6E3221DBD"]}, {"type": "freebsd", "idList": ["00B0D8CD-7097-11E2-98D9-003067C2616F", "69BFC852-9BD0-11E2-A7BE-8C705AF55518"]}, {"type": "freebsd_advisory", "idList": ["FREEBSD_ADVISORY:FREEBSD-SA-13:03.OPENSSL"]}, {"type": "gentoo", "idList": ["GLSA-201310-10", "GLSA-201312-03", "GLSA-201401-30", "GLSA-201406-32"]}, {"type": "github", "idList": ["GHSA-8353-FGCR-XFHX"]}, {"type": "hackerone", "idList": ["H1:255041"]}, {"type": "ibm", "idList": ["094C676690DD74F0A877C604DAE40B5DBAAF1713090F5D65D95FB5F47C419C9C", "0A2F4509B2B4AFE8F720A6AF92997F57DF2C869B533D164E26BFB106E3AA5DC4", "0CA57BDC2A5B29D7A05B000C9F4660CECD108471C93FE144B5B5B7B541E5DB80", "109B2E937B3A410E66933C6F6054D7A86640DE62C0F3587F9E376863C105A750", "1490E64B6C89A28FE7D82BD31871B5BCF0AA0EDCD3A3B483DF42E4A809F821F4", "156ABB708D86708BE78899495A471B74D0DAE6D8C76ABBB93EDAA5C1FACC0C3B", "1643D6D42AA03B195E5B38E5C611550B5917ADFCFB91A4CEE3FA17D822F63866", "17F2DE1F272EBF8E1F0E16B3A3D0C121D7F53002360A33B2E318E8910C665E9D", "1C551C877DFFA66B0623C95693FBE991A11A9D99C3C26E971DC816B27098E8DD", "1DC07A0D55B7A80CC113705F5AC959B481D7887A5F8E78D4C385F1E6F419597B", "1DC0A9C6D3EFE4EEA571DAAA9286B8F974D5ECF8F3BAAA188781D697B6DC2546", "1DD17DFA982ED4D61FB750115CB0EF37D8B00E016AE5F0F656377426A5C4EE18", "1F28273F958E55F6FE1789A83C92EDED4F2AAA3B9D872DA2CEAA127470C88CCE", "236329FBB4C57928A51AF5989855EBBE8AEFC2496ED2345E1CE8C703B7EA9BD5", "2888C8C51406BDD1DDB129FA2FD21486139C2B46881E4BF8D52B96F286B243B4", "2B78B04E1B05B5FDC855699C48DD68CEC5D178C2E12FF2B66C74260C3F707FC5", "2B824167DC3985A17D4B9DD3CF5905F8AAE0DB7D3312C2CC8E1D8F708BFCC90D", "2E91EF7A9948535BD27257CCBF7A6470F5ADBFCFAE1D0B1F706C76B9FF03241A", "31C0AFB718E47F2565BB2125DFEA05544B924823108F7C7BE892843715FA5571", "322619DE13AD7AE40C87D0499D49F5FD2A44C7972AD6C9A81CD50939DF001639", "3258D879016CCEB97F8F543943D502B2C423771C5D452641CB88919F035248B5", "3B57923CAB505EF521BBA172A4E2D8A03F9751E11D84F9D7571E2F66E3F439C9", "3B62C98A59803E5E4423ADB1E9891A3D0549BB751A0F2839E05E54D95917860C", "3D0BC65439AE2C6207784D85D50B1217AFC4355059DD4B08B7D876C83FA00ACE", "3E12BA2CA4DE8574522B4094594F36E64FC844217879773183FA9455EC8D7C55", "3F34D8EA25B1CFED1F77BE0A29D70083D293CF0532267E430A4F453410CE1576", "42CDE43C2F08FD3C2E311B9F3BB48950BDFCDDA3BF0F895A9FF7750A3690B573", "43B76C333A7576029A83B6169787B1ACB6CA6F7F5FB81FE4498044B211FB42E4", "474383EC7932F456FF11851996BAA76765D90113FA098C62CA6E0DE8A1088855", "476070037D8C6B95A023CADE7B7B8E36D86FE85A0AE9BDFC8D5FB131FC5DB6F9", "48C1F15C09B1F7BDA80A9EFEADECD71756B3E935BF8D2C49D4EBF682961DBB6E", "4B79D8EB462A55A962C272FC6E71910088E63C9F67E0839F26A4A73F042A12DF", "4E588C74A55CD9FFE957FBF604B06826EB4B08A52741A2D771A96FB3782D2303", "511A2CEA23CFB8B15C62F78EE3A158E3C8F986D7D0E152D292B641365BBD08F1", "51A25EC520455269A79F9DDA6AEB73FB003F12BAA0B35BFB5A6A50A403534F59", "540B5BFC7425C0A1AEC2AE0E39CAFAA87610B3C5A51646F532BF2994455918B4", "5474D79847A3FCE81B76D3A3025062B823503D87AA571209B4C33FF248E4D056", "5791D1CE1402BA2CCCB885DE108E94B6A0D7E17C594791D10D2118C7AD239041", "5A1CA3A0E7F7A53B001844967849D6C6C96B905BD4AA80A3BDD787CD94067217", "5DDB5CECEC283344BB3F493BC01FBE017DB8DDFB43CB94DFA49BBFFB5437AC29", "618A72A7D08892ADCD819AD422F802E0F22DD66F0926AF2D81288E8865A68EFC", "61C29B2018A4B8DC7247FEB87D67D749F5AB58D20D16FB7F0426B1B9762B49FF", "630F07BCFBA91233BBB559ED997B4656AF3D22DB4D916E90B078150D1E4475A5", "635552E99951D8D5AEBD584BBE0C8D1EBBAE770AEE83BA96CDC88B692C2A1891", "65F855CBB6E474F39746F43DB188D7D6BFF25111F9027E1DC2947DAACA0066DC", "66CBA83FF8DB4B1480B110763AD607AB3CE8490A3D98399E9C813B066837800F", "69F32F166EB30A983D321FEF01D6359F9C720CB30502BC0DC1A0C7C9E4BECE5F", "7395B8BB0E921EA44FC2DA34DC1642BF4297981E52ABAF79CE1C5A075991C089", "7657AB8E9AC9E04C2A3E8106D178B61FA9C47F6720A6C18CE94D1DFB2ABE8793", "76B052C00B7D3B7660A204A6BD72087C4E84FB5E8C7CEA95BE48BBACC2FC5AD0", "7BA745D5E73DB0357EF4DBFC0D8A2DB4DA2A4CEC7B1D7138B96712A2B403839C", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "80952E481DBBFE075E1E11F8AE4B7BDB89FD8CB66DFBE913C231D73EF1E5C852", "88C6B153E8539F010657B5F23ADB7EC58D8F5DE163EBE45D240E77FC480565B5", "893B4BFAF96F5CCE46A3F4BB145D13A37B810A30BC0EF9EEB46E92F43F2965B9", "8FB0EF2BC912FEF8086EDA6A85F6EADBA8F6FD58431B3D97965CB05312955112", "915F25F9D4BBEE1CAACAA6F5FD6ACC3E18033BE658B9A06B8B13ACD613C9B6FD", "96302C1466344A1E09AD9F8BD313E146404CBA442EC8A168D06F9F19721F34E8", "9767587F564D9C9625F74EB5AC595ABB7605EE6BA3253E7CAEBC767879A17130", "987BEE6268C1A52022A53F4D59CBE7267D152B195006E1332C75EEE40B776783", "9C1F47AF22D3FE94B849B30F92E5DF03ECA2B7ADBF7975CC80E0E36479905E36", "9EB202E5169E83CA3DE86AF32B2513BB89B1A82D62E1E66F378A15560B279609", "9F83ED7D961B69342BBB0C4157AF6D1AD1EF3528F0C8EC1218A10D5B884F6B87", "A5137BA80934878703E513A2E2362BDF3EE170D02FF731389CA4911F76DACF16", "A866252B75E912D0B0730469904A7C2D30F443084DF2C8AC2265ED850925178B", "ABEB10FAE05FC24F89DEF01481AC39609E9B6830F4501FB4E71427C5078B01EE", "ACD785EFFF948519FD0D49C90B1E5FD1AC79B738AC42DC13E0C51385CE4CE9AB", "AD3DEE6A50AC4F6651955CE510E56DC0170683854BF573E9389CCA2769B638B1", "ADCCD07ABE84A7FC8550F577A3823CD6D29F46A50A4065FB573165CDF08E84E1", "B2A692687E0D397416E3549B4377E5B3319BF086A451607250B307F6DEECCF53", "B8CDE2E20BC16C41FC85BA2A86684E11CDAD295FBFA9F508C045F715A67AC321", "BA5FC59AD4CA540F948C75EA478904F8A2D0A949B970697DAED42B661E911F37", "BC14F6832E7A855373319126E5CF0A69CAAC1369B245AE25C03158E47AD57D0A", "BE9A67BD9BDD24F3FA830A98F5DC10D0C03A55261ED483855170AC3FF8B34B20", "BECC6F55C479899394C948B41D1583923FD81FCFF2601C2F611481DF3DC4A086", "C43295EDCDB671C41F9E96483F5E89378A947A89F40869B467F309DBF973E6B7", "C44E07EA5086C9BEBD0E896839F7E52E6DE1B379F604FBD6F4A29FB1A0D32827", "C4FDDC1384D8FD0DDE8B004DBBC87A757834460AE92B55B9C87335F27F45968F", "C53887B5065E8CBF2E75B8207E4CC5546F907715375F0C60DDEEACFD8829F5D5", "C84B4AF1E4DFDAA1D01B212AB48E59FAE64DCE886C1682502F098ED789D47987", "C886374FAD3679EE6A5BD963F389F833A405B75137FC01C5D8C98D9F3D152423", "CB8C3B738F38745C5B57C0DA3F05DADCF513EF6086091B71D291C2300F0DCD7D", "CFB76C7955286783207A10F8AD81EE581F67A422A7BCC33041BABFA8A0EAE5C1", "D09ABF92F9241537F2411A406C8EBC7E6385C510450FCBD8E4BEA2A58ED1A1F8", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "E05BB8F45DC047A2895F7AC85F4B8A9F55D22D985F0D4F65E95F3141873851DC", "E56E2B116EDD9B36BA0E0A6BEA7E46A462817EFD720A53E8AAFDF37AE51F6FF6", "E59ACF3695AD2CD789F134AAEEB562DA1F3666F9F39B6C6075E68D3EB0B3D646", "E807324C5E086363AD4484F48FAC20F17946148F82B1FD2BEB5F79FF92D4D4EB", "E9DA194448794AF1B23D93C4E29F91BF89DFB6B4B3FE0F10E5AC715596720FB9", "EB78AC88FE6A72527EF5ACB39A0504C53E5B30DCCE48B2F5DC306B16DB8824D2", "EE216EF5D81838DBD9885BCCAD28FE9FA806673A7B6C6F9FD4DC5F95C8DC1B7C", "F0797625BE52E1B6EE33F6C12876F26D0416949114C3B38ABE4260DAF2DB6011", "F0DE6E4E0B989C212565A180164B3116C1C0A2058857C3A677B778E4539132ED", "F5B4855A2BDF3424779D9A7DEEC69330CBD0503AFAA4BF2D919922C8B5B9AAE7", "F6BF964257D9117951117EACB7D0B6AB86CADA510E6E8CC1798F11D49A2CE23B", "F9CC95E70A9161C3B608A1B574CD3163423445BE11BF9B52BFC0E69641BB32D2", "FB5FC638F0F9678EB3E47AF62A74BAF20709E94BB9ADB83967699806B344DB3C", "FD7351ECB85A42C62F9023BAC5EEEAF6CF37D6FC6389D561479E0D751AD3BA8F", "FE752375F93FC92B2A9739798BAB02AD01A97863DA8F24EEBD0ACD3ABB213574", "FFCC3373408F02CC542763623853BD92D404CF7A56813566A2A692A6EC5C572D"]}, {"type": "ics", "idList": ["ICSA-19-192-04", "ICSA-22-097-01", "ICSA-22-349-21"]}, {"type": "mageia", "idList": ["MGASA-2013-0185", "MGASA-2013-0208", "MGASA-2013-0290"]}, {"type": "nessus", "idList": ["6868.PRM", "801052.PRM", "AIX_OPENSSL_ADVISORY5.NASL", "ALA_ALAS-2013-155.NASL", "ALA_ALAS-2013-156.NASL", "ALA_ALAS-2013-162.NASL", "ALA_ALAS-2013-163.NASL", "ALA_ALAS-2013-171.NASL", "ALA_ALAS-2013-204.NASL", "ALA_ALAS-2013-207.NASL", "CENTOS_RHSA-2013-0245.NASL", "CENTOS_RHSA-2013-0246.NASL", "CENTOS_RHSA-2013-0247.NASL", "CENTOS_RHSA-2013-0273.NASL", "CENTOS_RHSA-2013-0274.NASL", "CENTOS_RHSA-2013-0275.NASL", "CENTOS_RHSA-2013-0587.NASL", "CENTOS_RHSA-2013-0957.NASL", "CENTOS_RHSA-2013-0958.NASL", "CENTOS_RHSA-2013-1014.NASL", "DB2_101FP3A.NASL", "DB2_97FP9.NASL", "DEBIAN_DLA-1518.NASL", "DEBIAN_DSA-2621.NASL", "DEBIAN_DSA-2622.NASL", "DEBIAN_DSA-2722.NASL", "DEBIAN_DSA-2727.NASL", "DOMINO_8_5_3FP5.NASL", "DOMINO_9_0_1.NASL", "EULEROS_SA-2019-1547.NASL", "F5_BIGIP_SOL14190.NASL", "F5_BIGIP_SOL15630.NASL", "F5_BIGIP_SOL15637.NASL", "F5_BIGIP_SOL93600123.NASL", "FEDORA_2013-1898.NASL", "FEDORA_2013-2188.NASL", "FEDORA_2013-2197.NASL", "FEDORA_2013-2205.NASL", "FEDORA_2013-2209.NASL", "FEDORA_2013-2793.NASL", "FEDORA_2013-2834.NASL", "FEDORA_2013-4403.NASL", "FREEBSD_PKG_00B0D8CD709711E298D9003067C2616F.NASL", "FREEBSD_PKG_69BFC8529BD011E2A7BE8C705AF55518.NASL", "GENTOO_GLSA-201310-10.NASL", "GENTOO_GLSA-201312-03.NASL", "GENTOO_GLSA-201401-30.NASL", "GENTOO_GLSA-201406-32.NASL", "IBM_GSKIT_SWG21638270.NASL", "IBM_HTTP_SERVER_491407.NASL", "IBM_TEM_8_2_1372.NASL", "IBM_TSM_SERVER_5_5_X.NASL", "IBM_TSM_SERVER_6_1_X.NASL", "IBM_TSM_SERVER_6_2_6_0.NASL", "IBM_TSM_SERVER_6_3_4_200.NASL", "IPSWITCH_IMAIL_12_3.NASL", "JUNIPER_JSA10575.NASL", "JUNIPER_NSM_JSA10642.NASL", "JUNIPER_SPACE_JSA10659.NASL", "JUNOS_PULSE_JSA10591.NASL", "LOTUS_DOMINO_8_5_3_FP5.NASL", "LOTUS_DOMINO_9_0_1.NASL", "LOTUS_NOTES_8_5_3_FP5.NASL", "MACOSX_10_8_5.NASL", "MACOSX_JAVA_10_6_UPDATE12.NASL", "MACOSX_JAVA_10_6_UPDATE16.NASL", "MACOSX_JAVA_2013-001.NASL", "MACOSX_JAVA_2013-004.NASL", "MACOSX_SECUPD2013-004.NASL", "MANDRIVA_MDVSA-2013-010.NASL", "MANDRIVA_MDVSA-2013-014.NASL", "MANDRIVA_MDVSA-2013-050.NASL", "MANDRIVA_MDVSA-2013-052.NASL", "MANDRIVA_MDVSA-2013-095.NASL", "MANDRIVA_MDVSA-2013-183.NASL", "NEWSTART_CGSL_NS-SA-2019-0020_OPENSSL098E.NASL", "NEWSTART_CGSL_NS-SA-2019-0033_NSS.NASL", "OPENSSL_0_9_8Y.NASL", "OPENSSL_1_0_0K.NASL", "OPENSSL_1_0_1D.NASL", "OPENSSL_1_0_1E.NASL", "OPENSUSE-2013-153.NASL", "OPENSUSE-2013-154.NASL", "OPENSUSE-2013-164.NASL", "OPENSUSE-2013-165.NASL", "OPENSUSE-2013-622.NASL", "OPENSUSE-2016-294.NASL", "ORACLELINUX_ELSA-2013-0245.NASL", "ORACLELINUX_ELSA-2013-0246.NASL", "ORACLELINUX_ELSA-2013-0247.NASL", "ORACLELINUX_ELSA-2013-0273.NASL", "ORACLELINUX_ELSA-2013-0274.NASL", "ORACLELINUX_ELSA-2013-0275.NASL", "ORACLELINUX_ELSA-2013-0587.NASL", "ORACLELINUX_ELSA-2013-0957.NASL", "ORACLELINUX_ELSA-2013-0958.NASL", "ORACLELINUX_ELSA-2013-1014.NASL", "ORACLEVM_OVMSA-2014-0007.NASL", "ORACLEVM_OVMSA-2014-0008.NASL", "ORACLE_JAVA_CPU_FEB_2013.NASL", "ORACLE_JAVA_CPU_FEB_2013_1.NASL", "ORACLE_JAVA_CPU_FEB_2013_1_UNIX.NASL", "ORACLE_JAVA_CPU_FEB_2013_UNIX.NASL", "ORACLE_JAVA_CPU_JUN_2013.NASL", "ORACLE_JAVA_CPU_JUN_2013_UNIX.NASL", "ORACLE_RDBMS_CPU_OCT_2013.NASL", "REDHAT-RHSA-2013-0236.NASL", "REDHAT-RHSA-2013-0237.NASL", "REDHAT-RHSA-2013-0245.NASL", "REDHAT-RHSA-2013-0246.NASL", "REDHAT-RHSA-2013-0247.NASL", "REDHAT-RHSA-2013-0273.NASL", "REDHAT-RHSA-2013-0274.NASL", "REDHAT-RHSA-2013-0275.NASL", "REDHAT-RHSA-2013-0531.NASL", "REDHAT-RHSA-2013-0532.NASL", "REDHAT-RHSA-2013-0587.NASL", "REDHAT-RHSA-2013-0624.NASL", "REDHAT-RHSA-2013-0625.NASL", "REDHAT-RHSA-2013-0626.NASL", "REDHAT-RHSA-2013-0636.NASL", "REDHAT-RHSA-2013-0822.NASL", "REDHAT-RHSA-2013-0823.NASL", "REDHAT-RHSA-2013-0833.NASL", "REDHAT-RHSA-2013-0855.NASL", "REDHAT-RHSA-2013-0957.NASL", "REDHAT-RHSA-2013-0958.NASL", "REDHAT-RHSA-2013-0963.NASL", "REDHAT-RHSA-2013-1014.NASL", "REDHAT-RHSA-2013-1059.NASL", "REDHAT-RHSA-2013-1060.NASL", "REDHAT-RHSA-2013-1081.NASL", "REDHAT-RHSA-2013-1455.NASL", "REDHAT-RHSA-2013-1456.NASL", "REDHAT-RHSA-2014-0414.NASL", "REDHAT-RHSA-2014-0416.NASL", "SLACKWARE_SSA_2013-040-01.NASL", "SL_20130205_JDK_1_6_0_ON_SL_5_0.NASL", "SL_20130208_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "SL_20130208_JAVA_1_6_0_OPENJDK_ON_SL6_X.NASL", "SL_20130208_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20130304_OPENSSL_ON_SL5_X.NASL", "SL_20130620_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL", "SL_20130620_JAVA_1_7_0_OPENJDK_ON_SL6_X.NASL", "SL_20130703_JAVA_1_6_0_OPENJDK_ON_SL5_X.NASL", "SOLARIS11_GNUTLS_20130924.NASL", "SOLARIS11_NSS_20140809.NASL", "SOLARIS11_OPENSSL_20130716.NASL", "SPLUNK_503.NASL", "STUNNEL_4_55.NASL", "SUSE_11_COMPAT-OPENSSL097G-141202.NASL", "SUSE_11_JAVA-1_4_2-IBM-130306.NASL", "SUSE_11_JAVA-1_4_2-IBM-130723.NASL", "SUSE_11_JAVA-1_6_0-IBM-130312.NASL", "SUSE_11_JAVA-1_6_0-IBM-130416.NASL", "SUSE_11_JAVA-1_6_0-IBM-130723.NASL", "SUSE_11_JAVA-1_6_0-OPENJDK-130212.NASL", "SUSE_11_JAVA-1_6_0-OPENJDK-130221.NASL", "SUSE_11_JAVA-1_6_0-OPENJDK-130718.NASL", "SUSE_11_JAVA-1_7_0-IBM-130306.NASL", "SUSE_11_JAVA-1_7_0-IBM-130415.NASL", "SUSE_11_JAVA-1_7_0-IBM-130723.NASL", "SUSE_11_JAVA-1_7_0-OPENJDK-130719.NASL", "SUSE_11_LIBOPENSSL-DEVEL-130325.NASL", "SUSE_JAVA-1_4_2-IBM-8481.NASL", "SUSE_JAVA-1_4_2-IBM-8652.NASL", "SUSE_JAVA-1_5_0-IBM-8483.NASL", "SUSE_JAVA-1_5_0-IBM-8653.NASL", "SUSE_JAVA-1_6_0-IBM-8495.NASL", "SUSE_JAVA-1_6_0-IBM-8544.NASL", "SUSE_JAVA-1_6_0-IBM-8657.NASL", "SUSE_OPENSSL-8517.NASL", "SUSE_SU-2013-1256-1.NASL", "TIVOLI_DIRECTORY_SVR_SWG21638270.NASL", "UBUNTU_USN-1724-1.NASL", "UBUNTU_USN-1732-1.NASL", "UBUNTU_USN-1732-2.NASL", "UBUNTU_USN-1732-3.NASL", "UBUNTU_USN-1735-1.NASL", "UBUNTU_USN-1907-1.NASL", "UBUNTU_USN-1907-2.NASL", "UBUNTU_USN-1908-1.NASL", "VMWARE_ESXI_5_0_BUILD_1311177_REMOTE.NASL", "VMWARE_ESXI_5_1_BUILD_1483097_REMOTE.NASL", "VMWARE_ESX_VMSA-2013-0009_REMOTE.NASL", "VMWARE_ESX_VMSA-2013-0012_REMOTE.NASL", "VMWARE_VCENTER_VMSA-2013-0012.NASL", "VMWARE_VMSA-2013-0009.NASL", "WEBSPHERE_6_1_0_47.NASL", "WEBSPHERE_7_0_0_29.NASL", "WEBSPHERE_8_0_0_6.NASL", "WEBSPHERE_8_0_0_7.NASL", "WEBSPHERE_8_5_0_2.NASL", "WEBSPHERE_8_5_5.NASL"]}, {"type": "openssl", "idList": ["OPENSSL:CVE-2013-0169", "OPENSSL:CVE-2016-2107"]}, {"type": "openvas", "idList": ["OPENVAS:103749", "OPENVAS:103872", "OPENVAS:1361412562310103749", "OPENVAS:1361412562310103872", "OPENVAS:1361412562310105413", "OPENVAS:1361412562310120022", "OPENVAS:1361412562310120023", "OPENVAS:1361412562310120209", "OPENVAS:1361412562310120234", "OPENVAS:1361412562310120237", "OPENVAS:1361412562310120390", "OPENVAS:1361412562310120391", "OPENVAS:1361412562310120555", "OPENVAS:1361412562310121048", "OPENVAS:1361412562310121084", "OPENVAS:1361412562310121127", "OPENVAS:1361412562310121235", "OPENVAS:1361412562310123602", "OPENVAS:1361412562310123607", "OPENVAS:1361412562310123608", "OPENVAS:1361412562310123684", "OPENVAS:1361412562310123719", "OPENVAS:1361412562310123720", "OPENVAS:1361412562310123721", "OPENVAS:1361412562310123727", "OPENVAS:1361412562310123728", "OPENVAS:1361412562310123729", "OPENVAS:1361412562310803307", "OPENVAS:1361412562310803821", "OPENVAS:1361412562310803822", "OPENVAS:1361412562310841310", "OPENVAS:1361412562310841323", "OPENVAS:1361412562310841327", "OPENVAS:1361412562310841348", "OPENVAS:1361412562310841378", "OPENVAS:1361412562310841505", "OPENVAS:1361412562310841509", "OPENVAS:1361412562310841510", "OPENVAS:1361412562310850410", "OPENVAS:1361412562310850412", "OPENVAS:1361412562310850419", "OPENVAS:1361412562310851223", "OPENVAS:1361412562310865325", "OPENVAS:1361412562310865329", "OPENVAS:1361412562310865336", "OPENVAS:1361412562310865337", "OPENVAS:1361412562310865341", "OPENVAS:1361412562310865421", "OPENVAS:1361412562310865434", "OPENVAS:1361412562310865516", "OPENVAS:1361412562310866899", "OPENVAS:1361412562310866977", "OPENVAS:1361412562310870904", "OPENVAS:1361412562310870905", "OPENVAS:1361412562310870906", "OPENVAS:1361412562310870916", "OPENVAS:1361412562310870924", "OPENVAS:1361412562310870926", "OPENVAS:1361412562310870944", "OPENVAS:1361412562310871009", "OPENVAS:1361412562310871010", "OPENVAS:1361412562310871015", "OPENVAS:1361412562310881595", "OPENVAS:1361412562310881596", "OPENVAS:1361412562310881597", "OPENVAS:1361412562310881598", "OPENVAS:1361412562310881602", "OPENVAS:1361412562310881606", "OPENVAS:1361412562310881610", "OPENVAS:1361412562310881611", "OPENVAS:1361412562310881620", "OPENVAS:1361412562310881669", "OPENVAS:1361412562310881751", "OPENVAS:1361412562310881752", "OPENVAS:1361412562310881761", "OPENVAS:1361412562310881762", "OPENVAS:1361412562310891518", "OPENVAS:1361412562310892621", "OPENVAS:1361412562310892622", "OPENVAS:1361412562310892722", "OPENVAS:1361412562310892727", "OPENVAS:1361412562311220191547", "OPENVAS:803307", "OPENVAS:803821", "OPENVAS:803822", "OPENVAS:841310", "OPENVAS:841323", "OPENVAS:841327", "OPENVAS:841348", "OPENVAS:841378", "OPENVAS:841505", "OPENVAS:841509", "OPENVAS:841510", "OPENVAS:850410", "OPENVAS:850412", "OPENVAS:850419", "OPENVAS:865325", "OPENVAS:865329", "OPENVAS:865336", "OPENVAS:865337", "OPENVAS:865341", "OPENVAS:865421", "OPENVAS:865434", "OPENVAS:865516", "OPENVAS:866899", "OPENVAS:866977", "OPENVAS:870904", "OPENVAS:870905", "OPENVAS:870906", "OPENVAS:870916", "OPENVAS:870924", "OPENVAS:870926", "OPENVAS:870944", "OPENVAS:871009", "OPENVAS:871010", "OPENVAS:871015", "OPENVAS:881595", "OPENVAS:881596", "OPENVAS:881597", "OPENVAS:881598", "OPENVAS:881602", "OPENVAS:881606", "OPENVAS:881610", "OPENVAS:881611", "OPENVAS:881620", "OPENVAS:881669", "OPENVAS:881751", "OPENVAS:881752", "OPENVAS:881761", "OPENVAS:881762", "OPENVAS:892621", "OPENVAS:892622", "OPENVAS:892722", "OPENVAS:892727"]}, {"type": "oracle", "idList": ["ORACLE:CPUJULY2013-1899826", "ORACLE:CPUOCT2013-1899837"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-0245", "ELSA-2013-0246", "ELSA-2013-0247", "ELSA-2013-0273", "ELSA-2013-0274", "ELSA-2013-0275", "ELSA-2013-0587", "ELSA-2013-0957", "ELSA-2013-0958", "ELSA-2013-1014", "ELSA-2015-3022", "ELSA-2016-3621", "ELSA-2019-4747", "ELSA-2021-9150"]}, {"type": "osv", "idList": ["OSV:CVE-2016-2107", "OSV:DLA-1518-1", "OSV:DSA-2621-1", "OSV:DSA-2622-1", "OSV:DSA-2722-1", "OSV:DSA-2727-1", "OSV:GHSA-8353-FGCR-XFHX"]}, {"type": "redhat", "idList": ["RHSA-2013:0236", "RHSA-2013:0237", "RHSA-2013:0245", "RHSA-2013:0246", "RHSA-2013:0247", "RHSA-2013:0273", "RHSA-2013:0274", "RHSA-2013:0275", "RHSA-2013:0531", "RHSA-2013:0532", "RHSA-2013:0587", "RHSA-2013:0624", "RHSA-2013:0625", "RHSA-2013:0626", "RHSA-2013:0636", "RHSA-2013:0783", "RHSA-2013:0822", "RHSA-2013:0823", "RHSA-2013:0833", "RHSA-2013:0855", "RHSA-2013:0957", "RHSA-2013:0958", "RHSA-2013:0963", "RHSA-2013:1014", "RHSA-2013:1059", "RHSA-2013:1060", "RHSA-2013:1081", "RHSA-2013:1455", "RHSA-2013:1456", "RHSA-2014:0414", "RHSA-2014:0416", "RHSA-2020:4298"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29026", "SECURITYVULNS:DOC:29043", "SECURITYVULNS:DOC:29601", "SECURITYVULNS:DOC:29602", "SECURITYVULNS:DOC:29603", "SECURITYVULNS:DOC:29893", "SECURITYVULNS:DOC:30449", "SECURITYVULNS:VULN:12873", "SECURITYVULNS:VULN:12887", "SECURITYVULNS:VULN:13165", "SECURITYVULNS:VULN:13186", "SECURITYVULNS:VULN:13663"]}, {"type": "seebug", "idList": ["SSV:61917", "SSV:61918", "SSV:61919"]}, {"type": "slackware", "idList": ["SSA-2013-040-01", "SSA-2013-042-01"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2013:0375-1", "OPENSUSE-SU-2013:0377-1", "OPENSUSE-SU-2013:0378-1", "OPENSUSE-SU-2016:0640-1", "SUSE-SU-2013:0315-1", "SUSE-SU-2013:0328-1", "SUSE-SU-2013:0440-1", "SUSE-SU-2013:0440-2", "SUSE-SU-2013:0440-3", "SUSE-SU-2013:0440-4", "SUSE-SU-2013:0440-5", "SUSE-SU-2013:0440-6", "SUSE-SU-2013:0456-1", "SUSE-SU-2013:0456-2", "SUSE-SU-2013:0456-3", "SUSE-SU-2013:0456-4", "SUSE-SU-2013:0478-1", "SUSE-SU-2013:0701-1", "SUSE-SU-2013:0701-2", "SUSE-SU-2013:1238-1", "SUSE-SU-2013:1254-1", "SUSE-SU-2013:1255-1", "SUSE-SU-2013:1255-2", "SUSE-SU-2013:1255-3", "SUSE-SU-2013:1256-1", "SUSE-SU-2013:1257-1", "SUSE-SU-2013:1263-1", "SUSE-SU-2013:1263-2", "SUSE-SU-2013:1264-1", "SUSE-SU-2013:1293-1", "SUSE-SU-2013:1293-2", "SUSE-SU-2013:1305-1", "SUSE-SU-2014:0320-1", "SUSE-SU-2015:0578-1"]}, {"type": "symantec", "idList": ["SMNTC-1363"]}, {"type": "ubuntu", "idList": ["USN-1724-1", "USN-1732-1", "USN-1732-2", "USN-1732-3", "USN-1735-1", "USN-1907-1", "USN-1907-2", "USN-1908-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2012-2686", "UB:CVE-2013-0169", "UB:CVE-2013-1478", "UB:CVE-2013-1480", "UB:CVE-2013-1619", "UB:CVE-2013-1620", "UB:CVE-2013-1621", "UB:CVE-2013-1623", "UB:CVE-2013-1624", "UB:CVE-2013-2116", "UB:CVE-2013-2407", "UB:CVE-2013-2450", "UB:CVE-2016-2107", "UB:CVE-2018-0497"]}, {"type": "veracode", "idList": ["VERACODE:10846", "VERACODE:14172", "VERACODE:14182", "VERACODE:14328", "VERACODE:14329", "VERACODE:14336", "VERACODE:14345", "VERACODE:14347", "VERACODE:14348", "VERACODE:14354", "VERACODE:14355", "VERACODE:14356", "VERACODE:14357", "VERACODE:14497", "VERACODE:14498", "VERACODE:3347", "VERACODE:3568"]}, {"type": "vmware", "idList": ["VMSA-2013-0009", "VMSA-2013-0009.3"]}, {"type": "zdi", "idList": ["ZDI-13-022"]}]}, "score": {"value": 0.6, "vector": "NONE"}, "epss": [{"cve": "CVE-2013-0169", "epss": 0.00536, "percentile": 0.7378, "modified": "2023-05-01"}, {"cve": "CVE-2013-1478", "epss": 0.09329, "percentile": 0.93749, "modified": "2023-05-01"}, {"cve": "CVE-2013-1480", "epss": 0.05425, "percentile": 0.9196, "modified": "2023-05-01"}, {"cve": "CVE-2013-2407", "epss": 0.03851, "percentile": 0.90559, "modified": "2023-05-01"}, {"cve": "CVE-2013-2450", "epss": 0.05469, "percentile": 0.91997, "modified": "2023-05-01"}, {"cve": "CVE-2013-5443", "epss": 0.00094, "percentile": 0.38488, "modified": "2023-05-02"}, {"cve": "CVE-2013-5444", "epss": 0.00204, "percentile": 0.56877, "modified": "2023-05-02"}, {"cve": "CVE-2013-5445", "epss": 0.00127, "percentile": 0.45951, "modified": "2023-05-02"}], "vulnersScore": 0.6}, "_state": {"affected_software_major_version": 0, "dependencies": 1687586304, "score": 1687585988, "epss": 0}, "_internal": {"score_hash": "d185fc2d416343dfeb000bc4c5f380f8"}, "affectedSoftware": [{"version": "9.0", "operator": "eq", "name": "ibm planning analytics express"}, {"version": "9.5", "operator": "eq", "name": "ibm planning analytics express"}, {"version": "10.1", "operator": "eq", "name": "ibm planning analytics express"}, {"version": "10.2.1", "operator": "eq", "name": "ibm planning analytics express"}]}
{"securityvulns": [{"lastseen": "2018-08-31T11:10:47", "description": "\r\n\r\nHello All,\r\n\r\nBelow, we are providing you with technical details regarding\r\nsecurity issues reported by us to Oracle and addressed by the\r\ncompany in a recent Feb 2013 Java SE CPU [1].\r\n\r\n[Issue 29]\r\nThis issue allows for the creation of arbitrary Proxy objects\r\nfor interfaces defined in restricted packages. Proxy objects\r\ndefined in a NULL class loader namespaces are of a particular\r\ninterest here. Such objects can be used to manipulate instances\r\nof certain restricted classes.\r\n\r\nIn our Proof of Concept code we create such a proxy object for\r\nthe com.sun.xml.internal.bind.v2.model.nav.Navigator interface.\r\nIn order to use the aforementioned proxy object, we need an\r\ninstance of that interface too. We obtain it with the help of\r\nIssue 28, which allows to access arbitrary field objects from\r\nrestricted classes and interfaces. As a result, by combining\r\nIssue 27-29, one can use Navigator interface and make use of\r\nits sensitive Reflection API functionality such as obtaining\r\naccess to methods of arbitrary classes. That condition can be\r\nfurther leveraged to obtain a complete JVM security bypass.\r\n\r\nPlease, note that our Proof of Concept code for Issues 27-29\r\nwas reported to Oracle in Apr 2012 and depending Issues 27-28\r\nwere addressed by the company sooner than Issue 29. Testing\r\nof the PoC will thus give best results on older versions of\r\nJava SE 7.\r\n\r\n[Issue 50]\r\nIssue 50 allows to violate a fundamental security constraint\r\nof Java VM, which is type safety. This vulnerability is another\r\ninstance of the problem related to the unsafe deserialization\r\nimplemented by com.sun.corba.se.impl.io.ObjectStreamClass class.\r\nIts first instance was fixed by Oracle in Oct 2011 [2] and it\r\nstemmed from the fact that during deserialization insufficient\r\ntype checks were done with respect to object references that\r\nwere written to target object instance created by the means of\r\ndeserialization. Such a reference writing was accomplished with\r\nthe use of a native functionality of sun.corba.Bridge class.\r\n\r\nThe problem that we found back in Sep 2012 was very similar to\r\nthe first one. It was located in the same code (class) and was\r\nalso exploiting direct writing of object references to memory\r\nwith the use of putObject method. While the first type confusion\r\nissue allowed to write object references of incompatible types\r\nto correct field offsets, Issue 50 relied on the possibility to\r\nwrite object references of incompatible types to...invalid field\r\noffsets.\r\n\r\nIt might be also worth to mention that Issue 50 was found to\r\nbe present in Java SE Embedded [3]. That is Java version that\r\nis based on desktop Java SE and is used in today\u2019s most powerful\r\nembedded systems such as aircraft and medical systems [4]. We\r\nverified that Oracle Java SE Embedded ver. 7 Update 6 from 10\r\nAug 2012 for ARM / Linux contained vulnerable implementation\r\nof ObjectStreamClass class.\r\n\r\nUnfortunately, we don't know any details regarding the impact\r\nof Issue 50 in the embedded space (which embedded systems are\r\nvulnerable to it, whether any feasible attack vectors exist,\r\netc.). So, it's up to Oracle to clarify any potential concerns\r\nin that area.\r\n\r\n[Issue 52]\r\nIssue 52 relies on the possibility to call no-argument methods\r\non arbitrary objects or classes. The vulnerability has its origin\r\nin com.sun.jmx.mbeanserver.Introspector class which is located\r\nin the same package as the infamous MBeanInstantiator bug found\r\nin the wild in early Jan 2013. The flaw stems from insecure call\r\nto invoke method of java.lang.reflect.Method class:\r\n\r\n if (method != null)\r\n return method.invoke(obj, new Object[0]);\r\n\r\nIn our Proof of Concept code we exploit the above implementation\r\nby making a call to getDeclaredMethods method of java.lang.Class\r\nclass to gain access to methods of restricted classes. This is\r\naccomplished with the use of the following code sequence:\r\n\r\nIntrospector.elementFromComplex((Object)clazz,"declaredMethods")\r\n\r\nAccess to public method objects of arbitrary restricted classes\r\nis sufficient to achieve a complete Java VM security sandbox\r\ncompromise. We make use of DefiningClassLoader exploit vector\r\nfor that purpose.\r\n\r\n[Issue 53]\r\nIssue 53 stems from the fact that Oracle's implementation of new\r\nsecurity levels introduced by the company in Java SE 7 Update 10\r\ndid not take into account the fact that Applets can be instantiated\r\nwith the use of serialization. Such a possibility is indicated both\r\nin HTML 4 Specification [5] as well as in Oracle's code.\r\n\r\nHTML 4 Specification contains the following description for the\r\n"object" attribute of APPLET element:\r\n\r\nobject = cdata [CS]\r\n This attribute names a resource containing a serialized\r\n representation of an applet's state. It is interpreted\r\n relative to the applet's codebase. The serialized data\r\n contains the applet's class name but not the implementation.\r\n The class name is used to retrieve the implementation from\r\n a class file or archive.\r\n\r\nAdditionally, Java 7 Update 10 (and 11) reveal the following code\r\nlogic when it comes to the implementation of new security features\r\n(Java Control Panel security levels).\r\n\r\n[excerpt from sun.plugin2.applet.Plugin2Manager class]\r\n\r\n String object_attr = getSerializedObject();\r\n String code_attr = getCode();\r\n ...\r\n\r\n if(code_attr != null) {\r\n Class class1 = plugin2classloader.loadCode(code_attr);\r\n ...\r\n if(class1 != null)\r\n\r\n if (fireAppletSSVValidation())\r\n ...\r\n } else {\r\n if(!isSecureVM)\r\n return;\r\n\r\nadapter.instantiateSerialApplet(plugin2classloader,object_attr);\r\n ...\r\n }\r\n\r\nThe above clearly shows that the conditional block implementing\r\nApplet instantiation via deserialization does not contain a call\r\nto fireAppletSSVValidation method. This method conducts important\r\nsecurity checks corresponding to security levels configured by\r\nJava Control Panel. The lack of a call to security checking method\r\nis equivalent to "no protection at all" as it allows for a silent\r\nJava exploit in particular.\r\n\r\nWhat's worth mentioning is that for Google Chrome the following\r\nHTML sequence needed to be used to activate target Applet code:\r\n\r\n<object type="application/x-java-applet" object="BlackBox.ser">\r\n\r\n---\r\n\r\nWe have made our original reports sent to Oracle and describing\r\nIssues 29, 50, 52 and 53 available for download from our project\r\ndetails page:\r\n\r\nhttp://www.security-explorations.com/en/SE-2012-01-details.html\r\n\r\nAlong with those reports we have also published the results of\r\nour quick Vulnerability Fix Experiment regarding Issue 50. We've\r\nnever heard a word from Oracle regarding it. Company's fix for\r\nIssue 50 is not a mirror of the one we had proposed, but it does\r\nrely on Class object instances for hashtable access / caching of\r\ntranslated ObjectStreamClass fields.\r\n\r\nAt the end, we would like to question Oracle's evaluation of the\r\nimpact of Java vulnerabilities fixed by the Feb 2013 Java SE CPU.\r\nOracle emphasized that patched vulnerabilities affect primarily\r\nJava Plugin / desktop environments and that only 3 of them apply\r\nto client and server deployments of Java. The 3 vulnerabilities\r\nOracle refers to are specifically the following ones:\r\n\r\nCVE-2013-0437 Subcomponent 2D\r\nCVE-2013-1478 Subcomponent 2D\r\nCVE-2013-1480 Subcomponent AWT\r\n\r\nNone of the vulnerabilities above seem to refer to the components\r\nwhere our discoveries were made (i.e. CORBA, JMX / BEANS).\r\n\r\nThe tests we have conducted yesterday against the latest version\r\nof Oracle GlassFish Server 3.1.2.2 (with security manager enabled)\r\nand RMI Registry from JDK 7 Update 11 confirmed the possibility to\r\nlaunch an attack against remote RMI server with the use of a Java\r\nSE vulnerability. We tested Issues patched by the recent CPU such\r\nas the MBeanInstantiator bug, Issue 50 and 52 and were able to:\r\n1) remotely load custom classes into the target Java RMI server\r\n (over RMI protocol),\r\n2) completely break Java security sandbox with the use of a Java\r\n SE vulnerability (the one which "can be exploited only through\r\n untrusted Java Web Start applications / untrusted Java applets"\r\n according to Oracle's CPU).\r\n\r\nAlthough Oracle is aware [6] that Java SE vulnerabilities can be\r\nalso exploited "in servers, by supplying malicious input to APIs\r\nin the vulnerable server component", the company rather undermines\r\nsuch a possibility by delivering a message that a majority of the\r\nvulnerabilities affect Java Plugin in the web browser or that in\r\nsome cases, the exploitation scenario of Java SE bugs on servers\r\nis very improbable.\r\n\r\nIn general, relying on a vulnerable Java SE version makes all of\r\nthe products depending on it potentially vulnerable unless there\r\nis absolutely *no way* that a vulnerable component can be reached\r\nby an attacker. As long as an attack vector through RMI protocol\r\nis valid, a potential for remote exploitation of security issues\r\nin Java SE on servers should be always concerned.\r\n\r\nThank You.\r\n\r\nBest Regards,\r\nAdam Gowdiak\r\n\r\n---------------------------------------------\r\nSecurity Explorations\r\nhttp://www.security-explorations.com\r\n"We bring security research to the new level"\r\n---------------------------------------------\r\n\r\nReferences:\r\n[1] Oracle Java SE Critical Patch Update Advisory - February 2013\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html\r\n[2] Oracle Java IIOP Deserialization Type Confusion Remote Code Execution Vulnerability\r\n http://www.zerodayinitiative.com/advisories/ZDI-11-306/\r\n[3] Oracle Java SE Embedded\r\n\r\nhttp://www.oracle.com/us/technologies/java/embedded/standard-edition/overview/index.html\r\n[4] Oracle making embedded Java push\r\n\r\nhttp://www.infoworld.com/d/application-development/oracle-making-embedded-java-push-203168\r\n[5] HTML 4 Specification, Including an applet: the APPLET element\r\n http://www.w3.org/TR/html401/struct/objects.html#h-13.4\r\n[6] February 2013 Critical Patch Update for Java SE Released\r\n\r\nhttps://blogs.oracle.com/security/entry/february_2013_critical_patch_update\r\n", "cvss3": {}, "published": "2013-02-11T00:00:00", "type": "securityvulns", "title": "[SE-2012-01] Details of issues fixed by Feb 2013 Java SE CPU", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2013-1478", "CVE-2013-1480", "CVE-2013-0437"], "modified": "2013-02-11T00:00:00", "id": "SECURITYVULNS:DOC:29026", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29026", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:48", "description": "\r\n\r\n\r\n\r\nESA-2013-032.txt\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2013-032: RSA BSAFE\u00ae Micro Edition Suite Security Update for SSL/TLS Plaintext Recovery (aka \u201cLucky Thirteen\u201d) Vulnerability\r\n\r\n\r\nEMC Identifier: ESA-2013-032\r\n\r\n\r\nCVE Identifier: CVE-2013-0169\r\n\r\n\r\nSeverity Rating: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)\r\n\r\n \r\n\r\nAffected Products:\r\n\r\nAll versions of RSA BSAFE Micro Edition Suite except for 4.0.3 and 3.2.5\r\n\r\n \r\n\r\nUnaffected Products:\r\n\r\nRSA BSAFE Micro Edition Suite 4.0.3 and 3.2.5 (newly released)\r\n\r\n \r\n\r\nSummary: \r\n\r\nRSA BSAFE Micro Edition Suite 4.0.3 and 3.2.5 contain updates designed to prevent SSL/TLS Plaintext Recovery (aka Lucky Thirteen) attacks (CVE-2013-0169).\r\n\r\n \r\n\r\nDetails: \r\n\r\nResearchers have discovered a weakness in the handling of CBC cipher suites in SSL, TLS and DTLS. The \u201cLucky Thirteen\u201d attack exploits timing differences arising during MAC processing. Vulnerable implementations do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.\r\n\r\n \r\nDetails of this attack can be found at: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf\r\n \r\n\r\n\r\nRecommendation:\r\n \r\n\r\nRSA BSAFE Micro Edition Suite 4.0.3 and 3.2.5 contain a patch that is designed to help ensure that MAC checking is time invariant in servers. \r\n\r\n \r\n\r\nRSA recommends that customers on RSA BSAFE Micro Edition Suite 3.2.x or lower upgrade to RSA BSAFE Micro Edition Suite 3.2.5. RSA recommends that customers on RSA BSAFE Micro Edition Suite 4.0.x upgrade to RSA BSAFE Micro Edition Suite 4.0.3. \r\n\r\nCustomers can also protect against the attack by disabling CBC mode cipher suites on clients and servers. Cipher suites that use RC4 and, if TLS 1.2 is available, AES-GCM can be used. \r\n\r\n\r\n\r\nObtaining Downloads\r\n\r\nTo request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.rsa.com/node.aspx?id=1356 ) for most expedient service. You may also request your software upgrade online at http://www.rsa.com/go/form_ins.asp .\r\n\r\n\r\n\r\nObtaining Documentation:\r\n\r\nTo obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.\r\n\r\n\r\n\r\nSeverity Rating:\r\n\r\nFor an explanation of Severity Ratings, refer to the Knowledge Base Article, \u201cSecurity Advisories Severity Rating\u201d at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\n\r\n\r\nObtaining More Information:\r\n\r\nFor more information about RSA products, visit the RSA web site at http://www.rsa.com.\r\n\r\n\r\n\r\nGetting Support and Service:\r\n\r\nFor customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.\r\n\r\n\r\n\r\nGeneral Customer Support Information:\r\n\r\nhttp://www.rsa.com/node.aspx?id=1264\r\n\r\n\r\n\r\nRSA SecurCare Online:\r\n\r\nhttps://knowledge.rsasecurity.com\r\n\r\n\r\n\r\nEOPS Policy:\r\n\r\nRSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. \r\nhttp://www.rsa.com/node.aspx?id=2575 \r\n\r\n\r\n\r\nSecurCare Online Security Advisories\r\n\r\nRSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\n\r\n\r\nAbout RSA SecurCare Notes & Security Advisories Subscription\r\n\r\nRSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\u2019d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\u2019d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.\r\n\r\n\r\n\r\nSincerely,\r\n\r\nRSA Customer Support\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlHBw08ACgkQtjd2rKp+ALyHQACggG2us3gMSQQX4Ol0+Zxrqjvi\r\nQAsAoLKL5rrl9BDb54SQ0i7K57mGy9S/\r\n=JcQv\r\n-----END PGP SIGNATURE-----\r\n", "cvss3": {}, "published": "2013-07-15T00:00:00", "type": "securityvulns", "title": "ESA-2013-032 RSA BSAFE\u00ae Micro Edition Suite Security Update for SSL/TLS Plaintext Recovery (aka \u201cLucky Thirteen\u201d) Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2013-07-15T00:00:00", "id": "SECURITYVULNS:DOC:29601", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29601", "sourceData": "", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:48", "description": "\r\n\r\n\r\n\r\nESA-2013-045.txt\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2013-045: RSA BSAFE\u00ae SSL-C Security Update for SSL/TLS Plaintext Recovery (aka \u201cLucky Thirteen\u201d) Vulnerability\r\n\r\n\r\nEMC Identifier: ESA-2013-045\r\n\r\n\r\nCVE Identifier: CVE-2013-0169\r\n\r\n\r\nSeverity Rating: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)\r\n\r\n \r\n\r\nAffected Products:\r\n\r\nAll versions of RSA BSAFE SSL-C except for 2.8.7\r\n\r\n \r\n\r\nUnaffected Products:\r\n\r\nRSA BSAFE SSL-C 2.8.7 (newly released)\r\n\r\n\r\nSummary: \r\n\r\nRSA BSAFE SSL-C 2.8.7 contains updates designed to prevent SSL/TLS Plaintext Recovery (aka Lucky Thirteen) attacks (CVE-2013-0169).\r\n\r\n \r\n\r\nDetails: \r\n\r\nResearchers have discovered a weakness in the handling of CBC cipher suites in SSL, TLS and DTLS. The \u201cLucky Thirteen\u201d attack exploits timing differences arising during MAC processing. Vulnerable implementations do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.\r\n \r\n\r\nDetails of this attack can be found at: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf\r\n \r\n\r\n\r\nRecommendation:\r\n\r\nRSA BSAFE SSL-C 2.8.7 contains a patch that is designed to help ensure that MAC checking is time invariant in servers. \r\n\r\n \r\nRSA recommends that customers on RSA BSAFE SSL-C 2.8.6 or lower upgrade to RSA BSAFE SSL-C 2.8.7. \r\n \r\n\r\nCustomers can also protect against the attack by disabling CBC mode cipher suites on clients and servers. Cipher suites that use RC4 and, if TLS 1.2 is available, AES-GCM can be used.\r\n\r\n\r\n\r\nObtaining Downloads\r\n\r\nTo request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.rsa.com/node.aspx?id=1356 ) for most expedient service. You may also request your software upgrade online at http://www.rsa.com/go/form_ins.asp .\r\n\r\n\r\n\r\n\r\nObtaining Documentation:\r\n\r\nTo obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.\r\n\r\n\r\n\r\n\r\nSeverity Rating:\r\n\r\nFor an explanation of Severity Ratings, refer to the Knowledge Base Article, \u201cSecurity Advisories Severity Rating\u201d at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\n\r\n\r\n\r\nObtaining More Information:\r\n\r\nFor more information about RSA products, visit the RSA web site at http://www.rsa.com.\r\n\r\n\r\n\r\nGetting Support and Service:\r\n\r\nFor customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.\r\n\r\n\r\n\r\nGeneral Customer Support Information:\r\n\r\nhttp://www.rsa.com/node.aspx?id=1264\r\n\r\n\r\n\r\nRSA SecurCare Online:\r\n\r\nhttps://knowledge.rsasecurity.com\r\n\r\n\r\n\r\nEOPS Policy:\r\n\r\nRSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. \r\nhttp://www.rsa.com/node.aspx?id=2575 \r\n\r\n\r\n\r\nSecurCare Online Security Advisories\r\n\r\nRSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\n\r\n\r\nAbout RSA SecurCare Notes & Security Advisories Subscription\r\n\r\nRSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\u2019d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\u2019d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.\r\n\r\n\r\n\r\nSincerely,\r\n\r\nRSA Customer Support\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlHBwwAACgkQtjd2rKp+ALzA8QCeKc//gfYNJwz8q+g7GtInPEgS\r\ngIcAoI2ry3F2QWCjVbEC7w7Ll2jed3mo\r\n=cTJ7\r\n-----END PGP SIGNATURE-----\r\n", "cvss3": {}, "published": "2013-07-15T00:00:00", "type": "securityvulns", "title": "ESA-2013-045: RSA BSAFE\u00ae SSL-C Security Update for SSL/TLS Plaintext Recovery (aka \u201cLucky Thirteen\u201d) Vulnerability", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2013-07-15T00:00:00", "id": "SECURITYVULNS:DOC:29603", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29603", "sourceData": "", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:48", "description": "\r\n\r\n\r\n\r\nESA-2013-039.txt\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2013-039: RSA BSAFE\u00ae SSL-J Multiple Vulnerabilities\r\n\r\n\r\nEMC Identifier: ESA-2013-039\r\n\r\n\r\nCVE Identifier: CVE-2011-3389, CVE-2013-0169\r\n\r\n\r\nSeverity Rating: CVSS v2 Base Score: Refer NVD (http://nvd.nist.gov/) for individual scores for each CVE\r\n\r\n \r\n\r\nAffected Products:\r\n\r\nAll versions of RSA BSAFE SSL-J except for 6.0.1 and 5.1.2\r\n\r\n \r\n\r\nUnaffected Products:\r\n\r\nRSA BSAFE SSL-J 6.0.1 and 5.1.2 (newly released)\r\n\r\n \r\n\r\nSummary: \r\n\r\nRSA BSAFE SSL-J 6.0.1 and 5.1.2 contain updates designed to prevent BEAST attacks (CVE-2011-3389) and SSL/TLS Plaintext Recovery (aka Lucky Thirteen) attacks (CVE-2013-0169).\r\n\r\n \r\n\r\nDetails: \r\n\r\nBEAST\r\n\r\nThere is a known vulnerability in SSLv3 and TLS v1.0 to do with how the Initialization Vector (IV) is generated. For symmetric key algorithms in CBC mode, the IV for the first record is generated using keys and secrets set during the SSL or TLS handshake. All subsequent records are encrypted using the ciphertext block from the previous record as the IV. With symmetric key encryption in CBC mode, plain text encrypted with the same IV and key generates the same cipher text, which is why having a variable IV is important.\r\n\r\nThe BEAST exploit uses this SSLv3 and TLS v1.0 vulnerability by allowing an attacker to observe the last ciphertext block, which is the IV, then replace this with an IV of their choice, inject some of their own plain text data, and when this new IV is used to encrypt the data, the attacker can guess the plain text data one byte at a time.\r\n\r\n\r\nLucky Thirteen\r\n\r\nResearchers have discovered a weakness in the handling of CBC cipher suites in SSL, TLS and DTLS. The \u201cLucky Thirteen\u201d attack exploits timing differences arising during MAC processing. Vulnerable implementations do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.\r\n\r\n \r\n\r\nDetails of this attack can be found at: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf\r\n \r\n\r\n\r\nRecommendation:\r\n\r\n \r\n\r\nRSA recommends that customers on RSA BSAFE SSL-J 5.1.x or lower upgrade to RSA BSAFE SSL-J 5.1.2. RSA recommends that customers on RSA BSAFE SSL-J 6.0 upgrade to RSA BSAFE SSL-J 6.0.1. \r\n\r\nTo address BEAST, RSA introduce a new feature called first block splitting to RSA BSAFE SSL-J 6.0.1 and 5.1.2. First block splitting is designed to prevent the BEAST exploit by introducing unknown data into the encryption scheme prior to the attackers inserted plain text data. This is done as follows: \r\n\r\n\u20221. The first plain text block to be encrypted is split into two blocks. The first block contains the first byte of the data, the second block contains the rest.\r\n\u20222. A MAC is generated from the one byte of data, the MAC key, and an increasing counter. This MAC is included in the first block.\r\n\u20223. The one byte of data, along with the MAC, is encrypted and becomes the IV for the next block. Because the IV is now essentially random data, it is impossible for an attacker to predict it and replace it with one of their own.\r\nFor RSA BSAFE SSL-J 6.0.1 and 5.1.2, first block splitting is engineered to be enabled by default for vulnerable cipher suites, making the application secure by default. If required, the application can disable first block splitting by setting the system property jsse.enableCBCProtection:\r\n\r\n \r\n\r\n\u2022 Using the following Java code:\r\n\r\n System.setProperty("jsse.enableCBCProtection", "false");\r\n\r\n \r\n\r\n OR\r\n\r\n \r\n\r\n\u2022 On the Java command line, passing the following argument:\r\n\r\n -Djsse.enableCBCProtection=\u201dfalse\u201d\r\n\r\n \r\n\r\nFor more information about setting security properties, see section System and Security Properties in the RSA BSAFE SSL-J Developer Guide.\r\n\r\nThe best way to help prevent the BEAST attack is to use TLS v1.1 or higher. The vulnerability to do with IV generation was fixed in TLS v1.1 (released in 2006) so implementations using only TLS v1.1 or v1.2 are engineered to be secure against the BEAST exploit. However, support for these higher level protocols is limited to a smaller number of applications, so supporting only TLS v1.1 or v1.2 might cause interoperability issues.\r\n\r\nA second solution is to limit the negotiated cipher suites to exclude those that do not require symmetric key algorithms in CBC mode. However, this substantially restricts the number of cipher suites that can be negotiated. That is, only cipher suites with NULL encryption or cipher suites with streaming encryption algorithms (the RC4 algorithm) could be negotiated, which might result in reduced security.\r\n\r\nTo address Lucky Thirteen, RSA BSAFE SSL-J 6.0.1 and 5.1.2 contain a patch that is designed to help ensure that MAC checking is time invariant in servers. \r\n\r\nCustomers can also protect against the Lucky Thirteen attack by disabling CBC mode cipher suites on clients and servers. Cipher suites that use RC4 and, if TLS 1.2 is available, AES-GCM can be used.\r\n\r\n\r\n\r\nObtaining Downloads:\r\n\r\nTo request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.rsa.com/node.aspx?id=1356 ) for most expedient service. You may also request your software upgrade online at http://www.rsa.com/go/form_ins.asp .\r\n\r\n\r\n\r\nObtaining Documentation:\r\n\r\nTo obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.\r\n\r\n\r\n\r\nSeverity Rating:\r\n\r\nFor an explanation of Severity Ratings, refer to the Knowledge Base Article, \u201cSecurity Advisories Severity Rating\u201d at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\n\r\n\r\nObtaining More Information:\r\n\r\nFor more information about RSA products, visit the RSA web site at http://www.rsa.com.\r\n\r\n\r\n\r\nGetting Support and Service:\r\n\r\nFor customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.\r\n\r\n\r\n\r\nGeneral Customer Support Information:\r\n\r\nhttp://www.rsa.com/node.aspx?id=1264\r\n\r\n\r\n\r\nRSA SecurCare Online:\r\n\r\nhttps://knowledge.rsasecurity.com\r\n\r\n\r\n\r\nEOPS Policy:\r\n\r\nRSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. \r\nhttp://www.rsa.com/node.aspx?id=2575 \r\n\r\n\r\n\r\nSecurCare Online Security Advisories\r\n\r\nRSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\n\r\n\r\nAbout RSA SecurCare Notes & Security Advisories Subscription\r\n\r\nRSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\u2019d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\u2019d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.\r\n\r\n\r\n\r\nSincerely,\r\n\r\nRSA Customer Support\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlHBwyMACgkQtjd2rKp+ALwI0gCbBNOxiDjCZzTl293lMa53Yy2r\r\npcsAn2UpV1x8Zg4031kyOrW5LfV2vner\r\n=W+qW\r\n-----END PGP SIGNATURE-----\r\n", "cvss3": {}, "published": "2013-07-15T00:00:00", "type": "securityvulns", "title": "ESA-2013-039: RSA BSAFE\u00ae SSL-J Multiple Vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2011-3389"], "modified": "2013-07-15T00:00:00", "id": "SECURITYVULNS:DOC:29602", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29602", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2021-06-08T19:10:46", "description": "SSL-related attacks.", "cvss3": {}, "published": "2013-07-15T00:00:00", "type": "securityvulns", "title": "EMC RSA BSAFE multiple security vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2011-3389"], "modified": "2013-07-15T00:00:00", "id": "SECURITYVULNS:VULN:13186", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13186", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:51", "description": "\r\n\r\n\r\n\r\nESA-2013-039.txt\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2013-039: RSA BSAFE\u00ae SSL-J Multiple Vulnerabilities\r\n\r\n\r\nEMC Identifier: ESA-2013-039\r\n\r\n \r\n\r\nCVE Identifier: CVE-2011-3389, CVE-2013-0169\r\n\r\n \r\n\r\nSeverity Rating: CVSS v2 Base Score: Refer NVD (http://nvd.nist.gov/) for individual scores for each CVE\r\n\r\n \r\n\r\nAffected Products:\r\n\r\nFor the BEAST vulnerability, all versions of RSA BSAFE SSL-J except for 6.1.2 and 5.1.4 are affected.\r\n\r\nFor the Lucky Thirteen vulnerability, all versions of RSA BSAFE SSL-J except for 6.0.1, 6.1.2, 5.1.2, 5.1.3 and 5.1.4 are affected.\r\n\r\n \r\n\r\nUnaffected Products:\r\n\r\nRSA BSAFE SSL-J 6.1.2 and 5.1.4 (newly released)\r\n\r\n \r\n\r\nSummary: \r\n\r\nRSA BSAFE SSL-J 6.1.2 and 5.1.4 contain updates designed to help prevent the BEAST vulnerability (CVE-2011-3389). RSA BSAFE SSL-J 6.0.1 and 5.1.2 contain updates designed to help prevent the SSL/TLS Plaintext Recovery (aka Lucky Thirteen) vulnerability (CVE-2013-0169).\r\n\r\n \r\n\r\nDetails: \r\n\r\nBEAST\r\n\r\nThere is a known vulnerability in SSLv3 and TLS v1.0 to do with how the Initialization Vector (IV) is generated. For symmetric key algorithms in CBC mode, the IV for the first record is generated using keys and secrets set during the SSL or TLS handshake. All subsequent records are encrypted using the ciphertext block from the previous record as the IV. With symmetric key encryption in CBC mode, plain text encrypted with the same IV and key generates the same cipher text, which is why having a variable IV is important.\r\n\r\nThe BEAST exploit uses this SSLv3 and TLS v1.0 vulnerability by allowing an attacker to observe the last ciphertext block, which is the IV, then replace this with an IV of their choice, inject some of their own plain text data, and when this new IV is used to encrypt the data, the attacker can guess the plain text data one byte at a time.\r\n\r\n \r\n\r\nLucky Thirteen\r\n\r\nResearchers have discovered a weakness in the handling of CBC cipher suites in SSL, TLS and DTLS. The \u201cLucky Thirteen\u201d attack exploits timing differences arising during MAC processing. Vulnerable implementations do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.\r\n\r\n \r\n\r\nDetails of this attack can be found at: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf\r\n\r\n \r\n\r\nRecommendation:\r\n\r\n \r\n\r\nFor the BEAST vulnerability:\r\n\r\nThe best way to help prevent the BEAST attack is to use TLS v1.1 or higher. The vulnerability to do with IV generation was fixed in TLS v1.1 (released in 2006) so implementations using only TLS v1.1 or v1.2 are engineered to be secure against the BEAST exploit. However, support for these higher level protocols is limited to a smaller number of applications, so supporting only TLS v1.1 or v1.2 might cause interoperability issues.\r\n\r\nA second solution is to limit the negotiated cipher suites to exclude those that do not require symmetric key algorithms in CBC mode. However, this substantially restricts the number of cipher suites that can be negotiated. That is, only cipher suites with NULL encryption or cipher suites with streaming encryption algorithms (the RC4 algorithm) could be negotiated, which might result in reduced security.\r\n\r\n \r\n\r\nFirst block splitting for SSLv3 or TLS v1.0 communications, as a prevention against the BEAST exploit, introduced in SSL-J 6.0.1 and SSL-J 5.1.2 is not working.\r\n\r\n \r\n\r\nIn SSL-J 6.1.2 and 5.1.4, the way to prevent the BEAST exploit is to introduce some unknown data into the encryption scheme, prior to the attackers inserted plain text data. This is done as follows:\r\n\r\n \r\n\r\n1. The first plaintext write will result in one or more encrypted records as usual.\r\n\r\n2. The second and subsequent writes are \u201csplit\u201d. That is, each write will generate two or more records such that the first encrypted record contains only one byte of plaintext.\r\n\r\n3. A MAC is generated from the one byte of data and the MAC key. This MAC is appended to the plaintext for the record to be encrypted prior to being encrypted.\r\n\r\n \r\n\r\nThe splitting of the encrypted records generated by the second and subsequent writes ensures that the attacker never sees a cipher text block that immediately precedes a cipher text block generated from their chosen plaintext. This ensures that it is impossible for an attacker to predict the IV that will be used to encrypt their chosen plain text and hence the attack cannot be executed.\r\n\r\n \r\n\r\nNote the following about first block splitting:\r\n\r\n - Splitting only occurs:\r\n\r\n o For negotiated cipher suites that use CBC mode.\r\n\r\n o For protocols SSLv3 or TLS v1.0.\r\n\r\n - Only application data packets are spilt. Handshake packets are not split,\r\n\r\n - Blocks of plaintext are split for each subsequent call to write data to the SSL connection after the first write is sent.\r\n\r\n \r\n\r\nFor RSA BSAFE SSL-J 6.1.2 and 5.1.4, record splitting is engineered to be enabled by default for vulnerable cipher suites, making the application secure by default. If required, the application can disable record splitting by setting the system property jsse.enableCBCProtection:\r\n\r\n \r\n\r\n\u2022 Using the following Java code:\r\n\r\n System.setProperty("jsse.enableCBCProtection", "false");\r\n\r\n \r\n\r\n OR\r\n\r\n \r\n\r\n\u2022 On the Java command line, passing the following argument:\r\n\r\n -Djsse.enableCBCProtection=\u201dfalse\u201d\r\n\r\n \r\n\r\nFor more information about setting security properties, see section System and Security Properties in the RSA BSAFE SSL-J Developer Guide.\r\n\r\n \r\n\r\n \r\n\r\nFor the Lucky Thirteen vulnerability:\r\n\r\nRSA BSAFE SSL-J 6.0.1 and 5.1.2 contain a patch that is designed to help ensure that MAC checking is time invariant in servers. Customers can also protect against the Lucky Thirteen attack by disabling CBC mode cipher suites on clients and servers. Cipher suites that use RC4 and, if TLS 1.2 is available, AES-GCM can be used.\r\n\r\n \r\n\r\n \r\n\r\nRSA recommends that customers on RSA BSAFE SSL-J 5.1.x (or lower) and 6.x upgrade to RSA BSAFE SSL-J 5.1.4 and 6.1.2 respectively to resolve both the BEAST and the Lucky Thirteen vulnerabilities.\r\n\r\n \r\n\r\nObtaining Downloads: \r\n\r\nTo request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.emc.com/support/rsa/contact/phone-numbers.htm) for most expedient service. \r\n\r\nObtaining Documentation:\r\n\r\nTo obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.\r\n\r\nSeverity Rating:\r\n\r\nFor an explanation of Severity Ratings, refer to the Knowledge Base Article, \u201cSecurity Advisories Severity Rating\u201d at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.\r\n\r\nObtaining More Information:\r\n\r\nFor more information about RSA products, visit the RSA web site at http://www.rsa.com.\r\n\r\nGetting Support and Service:\r\n\r\nFor customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.\r\n\r\nGeneral Customer Support Information:\r\n\r\nhttp://www.emc.com/support/rsa/index.htm\r\n\r\nRSA SecurCare Online:\r\n\r\nhttps://knowledge.rsasecurity.com\r\n\r\nEOPS Policy:\r\n\r\nRSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.\r\nhttp://www.emc.com/support/rsa/eops/index.htm\r\n\r\nSecurCare Online Security Advisories\r\n\r\nRSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nAbout RSA SecurCare Notes & Security Advisories Subscription\r\n\r\nRSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\u2019d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\u2019d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.\r\n\r\nSincerely,\r\n\r\nRSA Customer Support\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Cygwin)\r\n\r\niEYEARECAAYFAlM9gG8ACgkQtjd2rKp+ALxfXACfcBq3ox0rrD8Xtn+ReCya0oB9\r\nhuMAn36FiacTbJug8gvKyI+9IA9tVQFR\r\n=I/i+\r\n-----END PGP SIGNATURE-----\r\n", "cvss3": {}, "published": "2014-04-07T00:00:00", "type": "securityvulns", "title": "ESA-2013-039: RSA BSAFE\u00ae SSL-J Multiple Vulnerabilities", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2011-3389"], "modified": "2014-04-07T00:00:00", "id": "SECURITYVULNS:DOC:30449", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30449", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "cve": [{"lastseen": "2023-09-09T10:56:01", "description": "IBM Cognos Express 9.0 before IFIX 2, 9.5 before IFIX 2, 10.1 before IFIX 2, and 10.2.1 before FP1 allows local users to obtain sensitive cleartext information by leveraging knowledge of a static decryption key.", "cvss3": {}, "published": "2014-03-25T20:55:00", "type": "cve", "title": "CVE-2013-5445", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5445"], "modified": "2017-08-29T01:33:00", "cpe": ["cpe:/a:ibm:cognos_express:9.0", "cpe:/a:ibm:cognos_express:9.5", "cpe:/a:ibm:cognos_express:10.2.1", "cpe:/a:ibm:cognos_express:10.1"], "id": "CVE-2013-5445", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5445", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:ibm:cognos_express:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:9.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:10.2.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-09-09T10:55:46", "description": "Cross-site request forgery (CSRF) vulnerability in IBM Cognos Express 9.0 before IFIX 2, 9.5 before IFIX 2, 10.1 before IFIX 2, and 10.2.1 before FP1 allows remote attackers to hijack the authentication of arbitrary users.", "cvss3": {}, "published": "2014-03-25T20:55:00", "type": "cve", "title": "CVE-2013-5443", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5443"], "modified": "2017-08-29T01:33:00", "cpe": ["cpe:/a:ibm:cognos_express:9.0", "cpe:/a:ibm:cognos_express:9.5", "cpe:/a:ibm:cognos_express:10.2.1", "cpe:/a:ibm:cognos_express:10.1"], "id": "CVE-2013-5443", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5443", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:cognos_express:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:9.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:10.2.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-09-09T10:55:34", "description": "The server in IBM Cognos Express 9.0 before IFIX 2, 9.5 before IFIX 2, 10.1 before IFIX 2, and 10.2.1 before FP1 allows remote attackers to read encrypted credentials via unspecified vectors.", "cvss3": {}, "published": "2014-03-25T20:55:00", "type": "cve", "title": "CVE-2013-5444", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5444"], "modified": "2017-08-29T01:33:00", "cpe": ["cpe:/a:ibm:cognos_express:9.0", "cpe:/a:ibm:cognos_express:9.5", "cpe:/a:ibm:cognos_express:10.2.1", "cpe:/a:ibm:cognos_express:10.1"], "id": "CVE-2013-5444", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5444", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:ibm:cognos_express:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:9.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:cognos_express:10.2.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T06:36:31", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to \"XML security and the class loader.\"", "cvss3": {}, "published": "2013-06-18T22:55:00", "type": "cve", "title": "CVE-2013-2407", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2407"], "modified": "2022-05-13T14:53:00", "cpe": ["cpe:/a:sun:jdk:1.6.0", "cpe:/a:sun:jre:1.6.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.7.0"], "id": "CVE-2013-2407", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2407", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "cpe23": ["cpe:2.3:a:oracle:jdk:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update41:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update45:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update41:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update39:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update43:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update39:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update43:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update45:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update21:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T00:20:43", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to \"insufficient validation of raster parameters\" in awt_parseImage.c, which triggers memory corruption.", "cvss3": {}, "published": "2013-02-02T00:55:00", "type": "cve", "title": "CVE-2013-1480", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1480"], "modified": "2022-05-13T14:52:00", "cpe": ["cpe:/a:sun:jdk:1.4.2_31", "cpe:/a:sun:jre:1.4.2_26", "cpe:/a:sun:jre:1.4.2_16", "cpe:/a:sun:jdk:1.4.2_8", "cpe:/a:sun:jdk:1.4.2_14", "cpe:/a:sun:jre:1.4.2_6", "cpe:/a:sun:jdk:1.4.2_22", "cpe:/a:sun:jdk:1.4.2_13", "cpe:/a:sun:jdk:1.4.2_11", "cpe:/a:oracle:jre:1.6.0", "cpe:/a:sun:jdk:1.4.2_15", "cpe:/a:sun:jdk:1.4.2_18", "cpe:/a:sun:jdk:1.4.2_25", "cpe:/a:sun:jre:1.4.2_22", "cpe:/a:sun:jre:1.4.2_21", "cpe:/a:sun:jre:1.4.2_13", "cpe:/a:sun:jdk:1.4.2_2", "cpe:/a:sun:jdk:1.4.2_34", "cpe:/a:sun:jdk:1.4.2_32", "cpe:/a:sun:jdk:1.4.2_28", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:sun:jre:1.4.2_28", "cpe:/a:sun:jdk:1.4.2_12", "cpe:/a:sun:jdk:1.6.0", "cpe:/a:sun:jdk:1.4.2_10", "cpe:/a:sun:jre:1.4.2_34", "cpe:/a:sun:jdk:1.5.0", "cpe:/a:sun:jre:1.4.2_17", "cpe:/a:sun:jdk:1.4.2_33", "cpe:/a:sun:jdk:1.4.2_17", "cpe:/a:sun:jre:1.4.2_27", "cpe:/a:sun:jre:1.4.2", "cpe:/a:sun:jre:1.4.2_11", "cpe:/a:sun:jdk:1.4.2_5", "cpe:/a:sun:jre:1.4.2_29", "cpe:/a:sun:jdk:1.4.2_26", "cpe:/a:sun:jdk:1.4.2_19", "cpe:/a:sun:jdk:1.4.2_35", "cpe:/a:sun:jdk:1.4.2_36", "cpe:/a:sun:jre:1.6.0", "cpe:/a:sun:jdk:1.4.2_23", "cpe:/a:oracle:jdk:1.4.2_40", "cpe:/a:oracle:jre:1.4.2_38", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:sun:jdk:1.4.2", "cpe:/a:oracle:jre:1.4.2_40", "cpe:/a:oracle:jdk:1.4.2_38", "cpe:/a:sun:jre:1.4.2_3", "cpe:/a:sun:jdk:1.4.2_3", "cpe:/a:sun:jdk:1.4.2_6", "cpe:/a:sun:jre:1.4.2_30", "cpe:/a:sun:jre:1.4.2_5", "cpe:/a:sun:jdk:1.4.2_30", "cpe:/a:sun:jdk:1.4.2_4", "cpe:/a:sun:jre:1.4.2_14", "cpe:/a:sun:jre:1.4.2_32", "cpe:/a:sun:jre:1.4.2_2", "cpe:/a:sun:jre:1.4.2_23", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:sun:jre:1.4.2_25", "cpe:/a:sun:jre:1.4.2_15", "cpe:/a:sun:jre:1.4.2_7", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:sun:jre:1.4.2_37", "cpe:/a:sun:jre:1.4.2_33", "cpe:/a:sun:jre:1.5.0", "cpe:/a:sun:jdk:1.4.2_7", "cpe:/a:sun:jre:1.4.2_36", "cpe:/a:sun:jdk:1.4.2_27", "cpe:/a:sun:jdk:1.4.2_9", "cpe:/a:sun:jdk:1.4.2_1", "cpe:/a:sun:jre:1.4.2_35", "cpe:/a:sun:jre:1.4.2_10", "cpe:/a:sun:jre:1.4.2_19", "cpe:/a:sun:jre:1.4.2_1", "cpe:/a:sun:jre:1.4.2_4", "cpe:/a:sun:jre:1.4.2_24", "cpe:/a:sun:jdk:1.4.2_29", "cpe:/a:sun:jre:1.4.2_9", "cpe:/a:sun:jdk:1.4.2_37", "cpe:/a:sun:jre:1.4.2_31", "cpe:/a:sun:jdk:1.4.2_16", "cpe:/a:sun:jre:1.4.2_18", "cpe:/a:oracle:jre:1.5.0", "cpe:/a:sun:jre:1.4.2_12", "cpe:/a:sun:jre:1.4.2_20", "cpe:/a:sun:jre:1.4.2_8"], "id": "CVE-2013-1480", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1480", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sun:jdk:1.5.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_29:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update36:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_32:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_25:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update27:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update36:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_13:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_6:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update17:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.4.2_38:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_10:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_11:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update21:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update18:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_23:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_17:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_25:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update14:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_10:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_27:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_36:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update18:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_2:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update16:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_29:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_2:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_27:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_26:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update14:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_22:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update28:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.4.2_38:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update16:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.4.2_40:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_16:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_37:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update7:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_35:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update25:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_13:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update8:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update28:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_12:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_33:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_11:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_7:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_37:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_15:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_31:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_23:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_18:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_5:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_16:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_35:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update8:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_31:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_1:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_19:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update12:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_36:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update15:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_28:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update12:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.4.2_40:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_26:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_15:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_7:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_6:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_28:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_30:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_18:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_24:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_12:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update7_b03:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_14:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_34:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_14:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_30:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_21:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_33:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_19:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_9:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_17:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_9:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_32:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update11_b03:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update26:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_8:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_22:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_20:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_34:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T00:20:04", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to \"insufficient validation of raster parameters\" that can trigger an integer overflow and memory corruption.", "cvss3": {}, "published": "2013-02-02T00:55:00", "type": "cve", "title": "CVE-2013-1478", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1478"], "modified": "2022-05-13T14:52:00", "cpe": ["cpe:/a:sun:jdk:1.4.2_31", "cpe:/a:sun:jre:1.4.2_26", "cpe:/a:sun:jre:1.4.2_16", "cpe:/a:sun:jdk:1.4.2_8", "cpe:/a:sun:jdk:1.4.2_14", "cpe:/a:sun:jre:1.4.2_6", "cpe:/a:sun:jdk:1.4.2_22", "cpe:/a:sun:jdk:1.4.2_13", "cpe:/a:sun:jdk:1.4.2_11", "cpe:/a:oracle:jre:1.6.0", "cpe:/a:sun:jdk:1.4.2_15", "cpe:/a:sun:jdk:1.4.2_18", "cpe:/a:sun:jdk:1.4.2_25", "cpe:/a:sun:jre:1.4.2_22", "cpe:/a:sun:jre:1.4.2_21", "cpe:/a:sun:jre:1.4.2_13", "cpe:/a:sun:jdk:1.4.2_2", "cpe:/a:sun:jdk:1.4.2_34", "cpe:/a:sun:jdk:1.4.2_32", "cpe:/a:sun:jdk:1.4.2_28", "cpe:/a:oracle:jdk:1.7.0", "cpe:/a:sun:jre:1.4.2_28", "cpe:/a:sun:jdk:1.4.2_12", "cpe:/a:sun:jdk:1.6.0", "cpe:/a:sun:jdk:1.4.2_10", "cpe:/a:sun:jre:1.4.2_34", "cpe:/a:sun:jdk:1.5.0", "cpe:/a:sun:jre:1.4.2_17", "cpe:/a:sun:jdk:1.4.2_33", "cpe:/a:sun:jdk:1.4.2_17", "cpe:/a:sun:jre:1.4.2_27", "cpe:/a:sun:jre:1.4.2", "cpe:/a:sun:jre:1.4.2_11", "cpe:/a:sun:jdk:1.4.2_5", "cpe:/a:sun:jre:1.4.2_29", "cpe:/a:sun:jdk:1.4.2_26", "cpe:/a:sun:jdk:1.4.2_19", "cpe:/a:sun:jdk:1.4.2_35", "cpe:/a:sun:jdk:1.4.2_36", "cpe:/a:sun:jre:1.6.0", "cpe:/a:sun:jdk:1.4.2_23", "cpe:/a:oracle:jdk:1.4.2_40", "cpe:/a:oracle:jre:1.4.2_38", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:sun:jdk:1.4.2", "cpe:/a:oracle:jre:1.4.2_40", "cpe:/a:oracle:jdk:1.4.2_38", "cpe:/a:sun:jre:1.4.2_3", "cpe:/a:sun:jdk:1.4.2_3", "cpe:/a:sun:jdk:1.4.2_6", "cpe:/a:sun:jre:1.4.2_30", "cpe:/a:sun:jre:1.4.2_5", "cpe:/a:sun:jdk:1.4.2_30", "cpe:/a:sun:jdk:1.4.2_4", "cpe:/a:sun:jre:1.4.2_14", "cpe:/a:sun:jre:1.4.2_32", "cpe:/a:sun:jre:1.4.2_2", "cpe:/a:sun:jre:1.4.2_23", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:sun:jre:1.4.2_25", "cpe:/a:sun:jre:1.4.2_15", "cpe:/a:sun:jre:1.4.2_7", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:sun:jre:1.4.2_37", "cpe:/a:sun:jre:1.4.2_33", "cpe:/a:sun:jre:1.5.0", "cpe:/a:sun:jdk:1.4.2_7", "cpe:/a:sun:jre:1.4.2_36", "cpe:/a:sun:jdk:1.4.2_27", "cpe:/a:sun:jdk:1.4.2_9", "cpe:/a:sun:jdk:1.4.2_1", "cpe:/a:sun:jre:1.4.2_35", "cpe:/a:sun:jre:1.4.2_10", "cpe:/a:sun:jre:1.4.2_19", "cpe:/a:sun:jre:1.4.2_1", "cpe:/a:sun:jre:1.4.2_4", "cpe:/a:sun:jre:1.4.2_24", "cpe:/a:sun:jdk:1.4.2_29", "cpe:/a:sun:jre:1.4.2_9", "cpe:/a:sun:jdk:1.4.2_37", "cpe:/a:sun:jre:1.4.2_31", "cpe:/a:sun:jdk:1.4.2_16", "cpe:/a:sun:jre:1.4.2_18", "cpe:/a:oracle:jre:1.5.0", "cpe:/a:sun:jre:1.4.2_12", "cpe:/a:sun:jre:1.4.2_20", "cpe:/a:sun:jre:1.4.2_8"], "id": "CVE-2013-1478", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1478", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sun:jdk:1.5.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_29:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update36:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_32:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_25:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update27:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update36:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_13:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_6:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update17:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.4.2_38:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_10:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_11:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update21:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update18:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_23:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_17:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_25:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update14:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_10:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_27:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_36:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update18:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_2:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update16:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_29:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_2:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_27:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_26:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update14:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_22:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update28:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.4.2_38:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update16:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.4.2_40:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_16:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_37:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update7:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_35:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update25:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_13:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update8:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update28:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_12:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_33:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_11:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_7:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_37:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_15:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_31:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_23:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_18:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_5:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_16:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_35:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update8:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_31:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_1:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_19:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update12:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_36:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update15:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_28:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update12:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.4.2_40:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_26:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_15:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_7:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_6:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_28:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_30:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_18:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_24:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_12:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update7_b03:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_14:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_34:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_14:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_30:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_21:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_33:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_19:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_9:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_17:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_9:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.4.2_32:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update11_b03:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update26:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_8:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_22:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_20:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.4.2_34:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T06:55:42", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Serialization. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper handling of circular references in ObjectStreamClass.", "cvss3": {}, "published": "2013-06-18T22:55:00", "type": "cve", "title": "CVE-2013-2450", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2450"], "modified": "2022-05-13T14:52:00", "cpe": ["cpe:/a:sun:jdk:1.6.0", "cpe:/a:sun:jre:1.6.0", "cpe:/a:sun:jdk:1.5.0", "cpe:/a:oracle:jre:1.5.0", "cpe:/a:oracle:jdk:1.6.0", "cpe:/a:oracle:jdk:1.5.0", "cpe:/a:sun:jre:1.5.0", "cpe:/a:oracle:jre:1.6.0", "cpe:/a:oracle:jre:1.7.0", "cpe:/a:oracle:jdk:1.7.0"], "id": "CVE-2013-2450", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2450", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:sun:jdk:1.5.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update36:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update27:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update36:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update17:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update41:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update21:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update18:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update45:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update37:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update14:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update40:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update45:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update31:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update18:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update22:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update41:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update40:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update16:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update14:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update41:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update28:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update39:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update16:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update43:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update33:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update7:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update25:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update8:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update28:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update19:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update41:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_21:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update8:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update12:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update39:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update1:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update12:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update4:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update33:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update43:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update17:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update45:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update7_b03:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update13:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.5.0:update39:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update21:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update29:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update2:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update39:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update23:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update38:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdk:1.7.0:update21:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_20:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update11_b03:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update26:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.5.0:update45:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*", "cpe:2.3:a:sun:jdk:1.5.0:update25:*:*:*:*:*:*", "cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*"]}, {"lastseen": "2023-09-30T15:16:24", "description": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "cve", "title": "CVE-2013-0169", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2023-05-12T12:58:00", "cpe": ["cpe:/a:polarssl:polarssl:0.14.3", "cpe:/a:polarssl:polarssl:0.13.1", "cpe:/a:openssl:openssl:1.0.1d", "cpe:/a:polarssl:polarssl:0.12.1", "cpe:/a:polarssl:polarssl:1.1.4", "cpe:/a:openssl:openssl:1.0.0j", "cpe:/a:polarssl:polarssl:1.1.0", "cpe:/a:openssl:openssl:0.9.8x", "cpe:/a:polarssl:polarssl:0.10.0", "cpe:/a:polarssl:polarssl:0.11.1", "cpe:/a:polarssl:polarssl:0.14.2", "cpe:/a:polarssl:polarssl:0.11.0", "cpe:/a:polarssl:polarssl:0.10.1", "cpe:/a:oracle:openjdk:1.7.0", "cpe:/a:polarssl:polarssl:0.14.0", "cpe:/a:polarssl:polarssl:0.12.0", "cpe:/a:oracle:openjdk:1.6.0", "cpe:/a:polarssl:polarssl:0.99", "cpe:/a:polarssl:polarssl:1.0.0", "cpe:/a:polarssl:polarssl:1.1.3", "cpe:/a:polarssl:polarssl:1.1.2", "cpe:/a:polarssl:polarssl:1.1.1"], "id": "CVE-2013-0169", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:openjdk:1.6.0:update4:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update12:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update9:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update6:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update16:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update29:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update7:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:-:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update24:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update35:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update5:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update1:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update17:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update13:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update14:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update38:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update23:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update22:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update11:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update19:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update25:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update33:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update3:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre5:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update13:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:-:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update30:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update21:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update26:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update31:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update32:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update4:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre1:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update34:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre4:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre3:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update2:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:0.9.8x:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update18:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update7:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update11:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update15:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update20:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update27:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.7.0:update10:*:*:*:*:*:*", "cpe:2.3:a:oracle:openjdk:1.6.0:update37:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T01:16:54", "description": "The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "cve", "title": "CVE-2013-1623", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1623"], "modified": "2014-02-21T04:58:00", "cpe": ["cpe:/a:yassl:cyassl:1.4.0", "cpe:/a:yassl:cyassl:0.9.9", "cpe:/a:yassl:cyassl:2.0.8", "cpe:/a:yassl:cyassl:0.9.6", "cpe:/a:yassl:cyassl:0.6.3", "cpe:/a:yassl:cyassl:1.0.0", "cpe:/a:yassl:cyassl:1.2.0", "cpe:/a:yassl:cyassl:0.6.0", "cpe:/a:yassl:cyassl:1.8.0", "cpe:/a:yassl:cyassl:1.3.0", "cpe:/a:yassl:cyassl:1.6.0", "cpe:/a:yassl:cyassl:1.5.0", "cpe:/a:yassl:cyassl:1.0.6", "cpe:/a:yassl:cyassl:0.6.2", "cpe:/a:yassl:cyassl:2.0.6", "cpe:/a:yassl:cyassl:2.2.0", "cpe:/a:yassl:cyassl:2.4.6", "cpe:/a:yassl:cyassl:2.4.0", "cpe:/a:yassl:cyassl:0.9.8", "cpe:/a:yassl:cyassl:0.9.0", "cpe:/a:yassl:cyassl:1.5.4", "cpe:/a:yassl:cyassl:2.3.0", "cpe:/a:yassl:cyassl:0.5.0", "cpe:/a:yassl:cyassl:0.3.0", "cpe:/a:yassl:cyassl:1.0.2", "cpe:/a:yassl:cyassl:1.9.0", "cpe:/a:yassl:cyassl:1.0.3", "cpe:/a:yassl:cyassl:1.6.5", "cpe:/a:yassl:cyassl:0.8.0", "cpe:/a:yassl:cyassl:1.5.6", "cpe:/a:yassl:cyassl:2.0.2", "cpe:/a:yassl:cyassl:2.0.0", "cpe:/a:yassl:cyassl:0.5.5", "cpe:/a:yassl:cyassl:1.1.0", "cpe:/a:yassl:cyassl:0.2.0", "cpe:/a:yassl:cyassl:0.4.0"], "id": "CVE-2013-1623", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1623", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:yassl:cyassl:0.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.5.6:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.4.6:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.9.9:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.9.6:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:2.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.9.8:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:0.5.5:*:*:*:*:*:*:*", "cpe:2.3:a:yassl:cyassl:1.3.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:29:09", "description": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-05T01:59:00", "type": "cve", "title": "CVE-2016-2107", "cwe": ["CWE-200", "CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2022-12-13T12:15:00", "cpe": ["cpe:/o:google:android:4.4.2", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.2", "cpe:/o:google:android:4.0.4", "cpe:/a:hp:helion_openstack:2.1.2", "cpe:/o:google:android:4.1.2", "cpe:/a:openssl:openssl:1.0.2a", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:15.10", "cpe:/o:google:android:4.0", "cpe:/o:google:android:4.3", "cpe:/a:openssl:openssl:1.0.2f", "cpe:/o:google:android:4.4.3", "cpe:/o:google:android:5.1", "cpe:/o:google:android:4.1", "cpe:/o:redhat:enterprise_linux_hpc_node_eus:7.2", "cpe:/o:google:android:4.4", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/o:opensuse:opensuse:13.2", "cpe:/o:opensuse:leap:42.1", "cpe:/a:nodejs:node.js:4.1.2", "cpe:/o:redhat:enterprise_linux_hpc_node:7.0", "cpe:/o:redhat:enterprise_linux_server_eus:7.2", "cpe:/o:google:android:4.0.1", "cpe:/a:nodejs:node.js:6.0.0", "cpe:/a:hp:helion_openstack:2.1.4", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/a:openssl:openssl:1.0.1s", "cpe:/a:openssl:openssl:1.0.2d", "cpe:/o:google:android:4.0.2", "cpe:/o:google:android:4.2", "cpe:/o:google:android:4.3.1", "cpe:/a:hp:helion_openstack:2.1", "cpe:/a:openssl:openssl:1.0.2", "cpe:/a:hp:helion_openstack:2.0", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/o:google:android:4.2.1", "cpe:/o:google:android:4.0.3", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/o:google:android:5.0.1", "cpe:/o:debian:debian_linux:8.0", "cpe:/o:google:android:4.2.2", "cpe:/a:openssl:openssl:1.0.2e", "cpe:/a:openssl:openssl:1.0.2b", "cpe:/o:google:android:5.1.0", "cpe:/o:redhat:enterprise_linux_hpc_node:6.0", "cpe:/o:canonical:ubuntu_linux:14.04", "cpe:/o:google:android:5.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/a:openssl:openssl:1.0.2g", "cpe:/o:google:android:4.4.1", "cpe:/a:openssl:openssl:1.0.2c"], "id": "CVE-2016-2107", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2107", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:nodejs:node.js:4.1.2:*:*:*:-:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:helion_openstack:2.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*", "cpe:2.3:a:hp:helion_openstack:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:hp:helion_openstack:2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:hp:helion_openstack:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.1s:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:nodejs:node.js:6.0.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*", "cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-23T14:03:13", "description": "ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-28T17:29:00", "type": "cve", "title": "CVE-2018-0497", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2018-0497"], "modified": "2020-02-10T16:15:00", "cpe": ["cpe:/o:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2018-0497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0497", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T01:29:32", "description": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "cve", "title": "CVE-2013-1624", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1624"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.15", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.21", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.24", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.5", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.32", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.35", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.25", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.45", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.12", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.33", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.4", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.40", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.07", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.04", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.19", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.18", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.01", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.42", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.1", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.6.1", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.02", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.14", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.7", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.29", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.34", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.47", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.05", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.43", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.27", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.03", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.17", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.28", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.30", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.23", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.10", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.13", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.44", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.09", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.37", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.11", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.16", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.38", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.31", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:0.0", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.36", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.0", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.46", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.08", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.20", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.3", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.06", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.22", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.2", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.39", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.26", "cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.41"], "id": "CVE-2013-1624", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1624", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.02:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.26:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.01:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.31:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.21:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.05:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:0.0:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.17:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.19:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.3:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.7:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.04:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.16:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.23:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.10:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.4:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.36:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.29:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.28:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.09:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.44:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.22:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.5:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.13:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.15:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.30:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.33:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.08:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.35:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.46:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.2:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.27:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.47:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.24:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.25:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.38:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.45:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.43:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.34:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.14:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.18:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.42:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.39:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.03:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.07:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.20:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.12:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.11:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.32:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.06:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.40:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.37:*:*:*:*:*:*:*", "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.41:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T01:16:06", "description": "Array index error in the SSL module in PolarSSL before 1.2.5 might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC padding in a TLS session, a different vulnerability than CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "cve", "title": "CVE-2013-1621", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1621"], "modified": "2013-03-08T04:12:00", "cpe": ["cpe:/a:polarssl:polarssl:0.14.3", "cpe:/a:polarssl:polarssl:0.13.1", "cpe:/a:polarssl:polarssl:1.2.2", "cpe:/a:polarssl:polarssl:0.12.1", "cpe:/a:polarssl:polarssl:1.1.4", "cpe:/a:polarssl:polarssl:1.2.4", "cpe:/a:polarssl:polarssl:1.2.0", "cpe:/a:polarssl:polarssl:1.1.0", "cpe:/a:polarssl:polarssl:0.10.0", "cpe:/a:polarssl:polarssl:1.2.3", "cpe:/a:polarssl:polarssl:0.11.1", "cpe:/a:polarssl:polarssl:0.14.2", "cpe:/a:polarssl:polarssl:0.11.0", "cpe:/a:polarssl:polarssl:0.10.1", "cpe:/a:polarssl:polarssl:0.14.0", "cpe:/a:polarssl:polarssl:0.12.0", "cpe:/a:polarssl:polarssl:1.1.5", "cpe:/a:polarssl:polarssl:1.2.1", "cpe:/a:polarssl:polarssl:0.99", "cpe:/a:polarssl:polarssl:1.0.0", "cpe:/a:polarssl:polarssl:1.1.3", "cpe:/a:polarssl:polarssl:1.1.2", "cpe:/a:polarssl:polarssl:1.1.1"], "id": "CVE-2013-1621", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1621", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:polarssl:polarssl:0.14.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.11.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.13.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre5:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.11.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre1:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre4:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.99:pre3:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:0.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T01:15:36", "description": "The TLS implementation in Opera before 12.13 does not properly consider timing side-channel attacks on a MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "cve", "title": "CVE-2013-1618", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1618"], "modified": "2013-03-08T04:12:00", "cpe": ["cpe:/a:opera:opera_browser:12.01", "cpe:/a:opera:opera_browser:12.11", "cpe:/a:opera:opera_browser:12.12", "cpe:/a:opera:opera_browser:12.02", "cpe:/a:opera:opera_browser:12.10", "cpe:/a:opera:opera_browser:12.00"], "id": "CVE-2013-1618", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1618", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:opera:opera_browser:12.00:beta:*:*:*:*:*:*", "cpe:2.3:a:opera:opera_browser:12.02:*:*:*:*:*:*:*", "cpe:2.3:a:opera:opera_browser:12.11:*:*:*:*:*:*:*", "cpe:2.3:a:opera:opera_browser:12.00:*:*:*:*:*:*:*", "cpe:2.3:a:opera:opera_browser:12.01:*:*:*:*:*:*:*", "cpe:2.3:a:opera:opera_browser:12.10:beta:*:*:*:*:*:*", "cpe:2.3:a:opera:opera_browser:12.12:*:*:*:*:*:*:*", "cpe:2.3:a:opera:opera_browser:12.10:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T01:20:31", "description": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "cve", "title": "CVE-2013-1620", "cwe": ["CWE-203"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "modified": "2022-12-21T17:30:00", "cpe": ["cpe:/a:oracle:traffic_director:11.1.1.7.0", "cpe:/a:oracle:glassfish_communications_server:2.0", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:redhat:enterprise_linux_workstation:5.0", "cpe:/a:oracle:iplanet_web_server:6.1", "cpe:/a:oracle:enterprise_manager_ops_center:12.1", "cpe:/o:redhat:enterprise_linux_server:6.0", "cpe:/a:oracle:enterprise_manager_ops_center:12.2", "cpe:/a:oracle:glassfish_server:2.1.1", "cpe:/a:oracle:iplanet_web_server:7.0", "cpe:/o:redhat:enterprise_linux_eus:5.9", "cpe:/o:redhat:enterprise_linux_server:5.0", "cpe:/a:oracle:vm_server:3.2", "cpe:/a:oracle:opensso:3.0-03", "cpe:/o:redhat:enterprise_linux_desktop:5.0", "cpe:/o:canonical:ubuntu_linux:10.04", "cpe:/o:canonical:ubuntu_linux:11.10", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/o:redhat:enterprise_linux_desktop:6.0", "cpe:/a:oracle:enterprise_manager_ops_center:11.1", "cpe:/a:oracle:iplanet_web_proxy_server:4.0", "cpe:/o:redhat:enterprise_linux_server_aus:5.9", "cpe:/a:oracle:traffic_director:11.1.1.6.0", "cpe:/o:redhat:enterprise_linux_workstation:6.0"], "id": "CVE-2013-1620", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1620", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:vm_server:3.2:*:*:*:*:*:x86:*", "cpe:2.3:o:redhat:enterprise_linux_eus:5.9:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:iplanet_web_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:traffic_director:11.1.1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:iplanet_web_proxy_server:4.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_aus:5.9:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:glassfish_server:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:opensso:3.0-03:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:glassfish_communications_server:2.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:iplanet_web_server:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:traffic_director:11.1.1.6.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T04:49:23", "description": "The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.", "cvss3": {}, "published": "2013-07-03T18:55:00", "type": "cve", "title": "CVE-2013-2116", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-2116"], "modified": "2023-02-13T00:28:00", "cpe": ["cpe:/a:gnu:gnutls:2.12.23"], "id": "CVE-2013-2116", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2116", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:gnu:gnutls:2.12.23:*:*:*:*:*:*:*"]}, {"lastseen": "2023-10-01T01:17:51", "description": "The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "cve", "title": "CVE-2013-1619", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1619"], "modified": "2014-03-26T04:46:00", "cpe": ["cpe:/a:gnu:gnutls:2.3.0", "cpe:/a:gnu:gnutls:2.12.16", "cpe:/a:gnu:gnutls:2.2.3", "cpe:/a:gnu:gnutls:2.12.0", "cpe:/a:gnu:gnutls:2.0.3", "cpe:/a:gnu:gnutls:2.2.5", "cpe:/a:gnu:gnutls:2.5.0", "cpe:/a:gnu:gnutls:2.1.0", "cpe:/a:gnu:gnutls:2.3.6", "cpe:/a:gnu:gnutls:2.12.17", "cpe:/a:gnu:gnutls:2.6.0", "cpe:/a:gnu:gnutls:2.6.6", "cpe:/a:gnu:gnutls:2.12.9", "cpe:/a:gnu:gnutls:3.0.12", "cpe:/a:gnu:gnutls:2.12.10", "cpe:/a:gnu:gnutls:2.6.4", "cpe:/a:gnu:gnutls:2.12.1", "cpe:/a:gnu:gnutls:3.0.16", "cpe:/a:gnu:gnutls:3.1.2", "cpe:/a:gnu:gnutls:2.10.5", "cpe:/a:gnu:gnutls:2.12.18", "cpe:/a:gnu:gnutls:2.10.2", "cpe:/a:gnu:gnutls:2.10.0", "cpe:/a:gnu:gnutls:2.7.4", "cpe:/a:gnu:gnutls:2.1.7", "cpe:/a:gnu:gnutls:2.1.8", "cpe:/a:gnu:gnutls:2.10.1", "cpe:/a:gnu:gnutls:2.12.20", "cpe:/a:gnu:gnutls:3.0.17", "cpe:/a:gnu:gnutls:3.0.8", "cpe:/a:gnu:gnutls:2.12.2", "cpe:/a:gnu:gnutls:2.0.2", "cpe:/a:gnu:gnutls:2.12.13", "cpe:/a:gnu:gnutls:2.12.7", "cpe:/a:gnu:gnutls:3.1.5", "cpe:/a:gnu:gnutls:2.6.1", "cpe:/a:gnu:gnutls:2.3.9", "cpe:/a:gnu:gnutls:3.0.7", "cpe:/a:gnu:gnutls:3.0.15", "cpe:/a:gnu:gnutls:2.4.1", "cpe:/a:gnu:gnutls:2.3.7", "cpe:/a:gnu:gnutls:3.0.26", "cpe:/a:gnu:gnutls:2.2.4", "cpe:/a:gnu:gnutls:2.3.1", "cpe:/a:gnu:gnutls:2.10.4", "cpe:/a:gnu:gnutls:2.8.3", "cpe:/a:gnu:gnutls:2.3.5", "cpe:/a:gnu:gnutls:3.0.0", "cpe:/a:gnu:gnutls:2.12.22", "cpe:/a:gnu:gnutls:3.0.25", "cpe:/a:gnu:gnutls:2.8.1", "cpe:/a:gnu:gnutls:3.0.1", "cpe:/a:gnu:gnutls:2.3.3", "cpe:/a:gnu:gnutls:3.0.6", "cpe:/a:gnu:gnutls:3.0.11", "cpe:/a:gnu:gnutls:2.3.4", "cpe:/a:gnu:gnutls:2.8.5", "cpe:/a:gnu:gnutls:3.0.18", "cpe:/a:gnu:gnutls:3.0.13", "cpe:/a:gnu:gnutls:3.0.4", "cpe:/a:gnu:gnutls:3.1.4", "cpe:/a:gnu:gnutls:3.0.3", "cpe:/a:gnu:gnutls:2.8.2", "cpe:/a:gnu:gnutls:2.1.6", "cpe:/a:gnu:gnutls:2.1.1", "cpe:/a:gnu:gnutls:3.0.2", "cpe:/a:gnu:gnutls:3.0.14", "cpe:/a:gnu:gnutls:3.0.21", "cpe:/a:gnu:gnutls:2.3.2", "cpe:/a:gnu:gnutls:2.3.10", "cpe:/a:gnu:gnutls:3.0.20", "cpe:/a:gnu:gnutls:2.1.5", "cpe:/a:gnu:gnutls:2.12.8", "cpe:/a:gnu:gnutls:2.0.1", "cpe:/a:gnu:gnutls:2.3.11", "cpe:/a:gnu:gnutls:2.12.19", "cpe:/a:gnu:gnutls:2.8.4", "cpe:/a:gnu:gnutls:3.0.27", "cpe:/a:gnu:gnutls:3.0.23", "cpe:/a:gnu:gnutls:2.4.0", "cpe:/a:gnu:gnutls:2.12.21", "cpe:/a:gnu:gnutls:2.12.11", "cpe:/a:gnu:gnutls:3.1.1", "cpe:/a:gnu:gnutls:2.4.3", "cpe:/a:gnu:gnutls:3.1.3", "cpe:/a:gnu:gnutls:2.1.2", "cpe:/a:gnu:gnutls:2.8.6", "cpe:/a:gnu:gnutls:2.12.6", "cpe:/a:gnu:gnutls:3.0.9", "cpe:/a:gnu:gnutls:3.0.5", "cpe:/a:gnu:gnutls:2.2.0", "cpe:/a:gnu:gnutls:3.0.24", "cpe:/a:gnu:gnutls:2.4.2", "cpe:/a:gnu:gnutls:2.12.15", "cpe:/a:gnu:gnutls:2.12.3", "cpe:/a:gnu:gnutls:2.1.4", "cpe:/a:gnu:gnutls:2.10.3", "cpe:/a:gnu:gnutls:3.0.19", "cpe:/a:gnu:gnutls:2.1.3", "cpe:/a:gnu:gnutls:3.1.0", "cpe:/a:gnu:gnutls:2.2.1", "cpe:/a:gnu:gnutls:3.0", "cpe:/a:gnu:gnutls:2.6.2", "cpe:/a:gnu:gnutls:2.12.6.1", "cpe:/a:gnu:gnutls:2.6.3", "cpe:/a:gnu:gnutls:2.8.0", "cpe:/a:gnu:gnutls:2.12.14", "cpe:/a:gnu:gnutls:3.0.10", "cpe:/a:gnu:gnutls:3.1.6", "cpe:/a:gnu:gnutls:2.0.4", "cpe:/a:gnu:gnutls:2.0.0", "cpe:/a:gnu:gnutls:2.12.5", "cpe:/a:gnu:gnutls:3.0.22", "cpe:/a:gnu:gnutls:2.2.2", "cpe:/a:gnu:gnutls:2.3.8", "cpe:/a:gnu:gnutls:2.12.4", "cpe:/a:gnu:gnutls:2.6.5", "cpe:/a:gnu:gnutls:2.12.12"], "id": "CVE-2013-1619", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1619", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:gnu:gnutls:2.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.10.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.6.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.19:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.17:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.15:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.24:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.8.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.8:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.7:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.10.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.6.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.10.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.4.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.10.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.18:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.11:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.21:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.14:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.6.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.18:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.9:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.10.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.8.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.27:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.13:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.10:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.16:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.4.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.6.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.19:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.20:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.10.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.8.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.26:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.22:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.17:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.9:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.8.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.22:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.12:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.21:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.7.4:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.8.6:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.12.15:*:*:*:*:*:*:*", "cpe:2.3:a:gnu:gnutls:2.1.2:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T17:29:31", "description": "Bugtraq ID:66361\r\nCVE ID:CVE-2013-5445\r\n\r\nIBM Cognos Express\u662f\u4e00\u6b3e\u4e3a\u6ee1\u8db3\u4e2d\u578b\u4f01\u4e1a\u7684\u9700\u6c42\u800c\u6784\u5efa\u7684\u5546\u4e1a\u667a\u80fd\u548c\u8ba1\u5212\u96c6\u6210\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nIBM Cognos Express\u5b58\u5728\u672a\u660e\u5b89\u5168\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u670d\u52a1\u5668\u4e0a\u7684\u52a0\u5bc6\u9a8c\u8bc1\u51ed\u636e\u3002\n0\nIBM Cognos Express 10.2.1 \r\nIBM Cognos Express 10.1 \r\nIBM Cognos Express 9.5 \r\nIBM Cognos Express 9.0\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21667626", "published": "2014-03-25T00:00:00", "title": "IBM Cognos Express\u654f\u611f\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5445"], "modified": "2014-03-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61917", "id": "SSV:61917", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:29:20", "description": "Bugtraq ID:66357\r\nCVE ID:CVE-2013-5443\r\n\r\nIBM Cognos Express\u662f\u4e00\u6b3e\u4e3a\u6ee1\u8db3\u4e2d\u578b\u4f01\u4e1a\u7684\u9700\u6c42\u800c\u6784\u5efa\u7684\u5546\u4e1a\u667a\u80fd\u548c\u8ba1\u5212\u96c6\u6210\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nIBM Cognos Express\u5b58\u5728\u4e00\u4e2a\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u6784\u5efa\u6076\u610fURI\uff0c\u8bf1\u4f7f\u7528\u6237\u89e3\u6790\uff0c\u53ef\u4ee5\u76ee\u6807\u7528\u6237\u4e0a\u4e0b\u6587\u6267\u884c\u6076\u610f\u64cd\u4f5c\u3002\n0\nIBM Cognos Express 10.2.1 \r\nIBM Cognos Express 10.1 \r\nIBM Cognos Express 9.5 \r\nIBM Cognos Express 9.0\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21667626", "published": "2014-03-25T00:00:00", "title": "IBM Cognos Express\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5443"], "modified": "2014-03-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61919", "id": "SSV:61919", "sourceData": "", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T17:29:39", "description": "Bugtraq ID:66362\r\nCVE ID:CVE-2013-5444\r\n\r\nIBM Cognos Express\u662f\u4e00\u6b3e\u4e3a\u6ee1\u8db3\u4e2d\u578b\u4f01\u4e1a\u7684\u9700\u6c42\u800c\u6784\u5efa\u7684\u5546\u4e1a\u667a\u80fd\u548c\u8ba1\u5212\u96c6\u6210\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nIBM Cognos Express\u4f7f\u7528\u9759\u6001\u5bc6\u94a5\u8fdb\u884c\u52a0\u5bc6\uff0c\u53ef\u5e2e\u52a9\u653b\u51fb\u8005\u5bf9\u4e0d\u80fd\u8bbf\u95ee\u7684\u654f\u611f\u4fe1\u606f\u8fdb\u884c\u89e3\u5bc6\u3002\n0\nIBM Cognos Express 10.2.1 \r\nIBM Cognos Express 10.1 \r\nIBM Cognos Express 9.5 \r\nIBM Cognos Express 9.0\n\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg21667626", "published": "2014-03-25T00:00:00", "title": "IBM Cognos Express\u672c\u5730\u4fe1\u606f\u6cc4\u6f0f\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-5444"], "modified": "2014-03-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61918", "id": "SSV:61918", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": ""}], "ubuntucve": [{"lastseen": "2023-09-25T11:14:17", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component\nin Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through\nUpdate 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote\nattackers to affect confidentiality, integrity, and availability via\nvectors related to AWT. NOTE: the previous information is from the\nFebruary 2013 CPU. Oracle has not commented on claims from another vendor\nthat this issue is related to \"insufficient validation of raster\nparameters\" in awt_parseImage.c, which triggers memory corruption.", "cvss3": {}, "published": "2013-02-01T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1480", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1480"], "modified": "2013-02-01T00:00:00", "id": "UB:CVE-2013-1480", "href": "https://ubuntu.com/security/CVE-2013-1480", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-25T05:58:46", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component\nin Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and\nOpenJDK 7, allows remote attackers to affect confidentiality and\navailability via unknown vectors related to Libraries. NOTE: the previous\ninformation is from the June 2013 CPU. Oracle has not commented on claims\nfrom another vendor that this issue is related to \"XML security and the\nclass loader.\"\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | in lucid+, NetX and the plugin moved to the icedtea-web package \n[jdstrand](<https://launchpad.net/~jdstrand>) | sun-java6 is not redistributable, no longer in the archive and no longer tracked sun-java5 is EOL upstream and no longer tracked as of 2013-06-19, upstream IcedTea updates are not available updates break the icedtea-web plugin and it will need this fix: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-June/023745.html\n", "cvss3": {}, "published": "2013-06-18T00:00:00", "type": "ubuntucve", "title": "CVE-2013-2407", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2407"], "modified": "2013-06-18T00:00:00", "id": "UB:CVE-2013-2407", "href": "https://ubuntu.com/security/CVE-2013-2407", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-09-25T05:48:08", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component\nin Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0\nUpdate 45 and earlier, and OpenJDK 7, allows remote attackers to affect\navailability via unknown vectors related to Serialization. NOTE: the\nprevious information is from the June 2013 CPU. Oracle has not commented on\nclaims from another vendor that this issue is related to improper handling\nof circular references in ObjectStreamClass.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | in lucid+, NetX and the plugin moved to the icedtea-web package \n[jdstrand](<https://launchpad.net/~jdstrand>) | sun-java6 is not redistributable, no longer in the archive and no longer tracked sun-java5 is EOL upstream and no longer tracked as of 2013-06-19, upstream IcedTea updates are not available updates break the icedtea-web plugin and it will need this fix: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-June/023745.html\n", "cvss3": {}, "published": "2013-06-18T00:00:00", "type": "ubuntucve", "title": "CVE-2013-2450", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2450"], "modified": "2013-06-18T00:00:00", "id": "UB:CVE-2013-2450", "href": "https://ubuntu.com/security/CVE-2013-2450", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-25T11:11:30", "description": "Unspecified vulnerability in the Java Runtime Environment (JRE) component\nin Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through\nUpdate 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote\nattackers to affect confidentiality, integrity, and availability via\nunknown vectors related to 2D. NOTE: the previous information is from the\nFebruary 2013 CPU. Oracle has not commented on claims from another vendor\nthat this issue is related to \"insufficient validation of raster\nparameters\" that can trigger an integer overflow and memory corruption.", "cvss3": {}, "published": "2013-02-01T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1478", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1478"], "modified": "2013-02-01T00:00:00", "id": "UB:CVE-2013-1478", "href": "https://ubuntu.com/security/CVE-2013-1478", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-25T10:49:30", "description": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in\nOpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider\ntiming side-channel attacks on a MAC check requirement during the\nprocessing of malformed CBC padding, which allows remote attackers to\nconduct distinguishing attacks and plaintext-recovery attacks via\nstatistical analysis of timing data for crafted packets, aka the \"Lucky\nThirteen\" issue.\n\n#### Bugs\n\n * <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0169>\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699889>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | 1.0.1d has incorrect fix. Use 1.0.1e: \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | regression bug: http://rt.openssl.org/Ticket/Display.html?id=2975&user=guest&pass=guest 1.0.1e still contains another regression: another regression: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest OpenSSL fix reverted by 1732-2 because of regression (see: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1133333) (see: http://rt.openssl.org/Ticket/Display.html?id=3002) (see: bugs.debian.org/cgi-bin/bugreport.cgi?bug=701868)\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "ubuntucve", "title": "CVE-2013-0169", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2013-02-08T00:00:00", "id": "UB:CVE-2013-0169", "href": "https://ubuntu.com/security/CVE-2013-0169", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-25T10:49:30", "description": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C#\nlibrary before 1.8 does not properly consider timing side-channel attacks\non a noncompliant MAC check operation during the processing of malformed\nCBC padding, which allows remote attackers to conduct distinguishing\nattacks and plaintext-recovery attacks via statistical analysis of timing\ndata for crafted packets, a related issue to CVE-2013-0169.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699885>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | list of commits may be incomplete \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | I read all diffs in crypto/tls/ directory since Lucky 13 patches, the two listed here were the only ones that looked related to this problem, the other updates were mostly for style fixes. \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | no reverse depends in main in precise+\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1624", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1624"], "modified": "2013-02-08T00:00:00", "id": "UB:CVE-2013-1624", "href": "https://ubuntu.com/security/CVE-2013-1624", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-09-25T10:48:38", "description": "The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and\n3.1.x before 3.1.7 does not properly consider timing side-channel attacks\non a noncompliant MAC check operation during the processing of malformed\nCBC padding, which allows remote attackers to conduct distinguishing\nattacks and plaintext-recovery attacks via statistical analysis of timing\ndata for crafted packets, a related issue to CVE-2013-0169.\n\n#### Bugs\n\n * <https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1166634>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | LP: #1166634 is reported as a regression\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1619", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1619"], "modified": "2013-02-08T00:00:00", "id": "UB:CVE-2013-1619", "href": "https://ubuntu.com/security/CVE-2013-1619", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-06-28T14:07:14", "description": "ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote\nattackers to achieve partial plaintext recovery (for a CBC based\nciphersuite) via a timing-based side-channel attack. This vulnerability\nexists because of an incorrect fix (with a wrong SHA-384 calculation) for\nCVE-2013-0169.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=904821>\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-28T00:00:00", "type": "ubuntucve", "title": "CVE-2018-0497", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2018-0497"], "modified": "2018-07-28T00:00:00", "id": "UB:CVE-2018-0497", "href": "https://ubuntu.com/security/CVE-2018-0497", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-04T14:18:13", "description": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h\ndoes not consider memory allocation during a certain padding check, which\nallows remote attackers to obtain sensitive cleartext information via a\npadding-oracle attack against an AES CBC session. NOTE: this vulnerability\nexists because of an incorrect fix for CVE-2013-0169.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-03T00:00:00", "type": "ubuntucve", "title": "CVE-2016-2107", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2016-05-03T00:00:00", "id": "UB:CVE-2016-2107", "href": "https://ubuntu.com/security/CVE-2016-2107", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-25T06:18:07", "description": "The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS\n2.12.23 allows remote attackers to cause a denial of service (buffer\nover-read and crash) via a crafted padding length. NOTE: this might be due\nto an incorrect fix for CVE-2013-0169.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | introduced by Lucky 13 fix, only on 2.x\n", "cvss3": {}, "published": "2013-05-29T00:00:00", "type": "ubuntucve", "title": "CVE-2013-2116", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-2116"], "modified": "2013-05-29T00:00:00", "id": "UB:CVE-2013-2116", "href": "https://ubuntu.com/security/CVE-2013-2116", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-25T10:48:20", "description": "The TLS implementation in Mozilla Network Security Services (NSS) does not\nproperly consider timing side-channel attacks on a noncompliant MAC check\noperation during the processing of malformed CBC padding, which allows\nremote attackers to conduct distinguishing attacks and plaintext-recovery\nattacks via statistical analysis of timing data for crafted packets, a\nrelated issue to CVE-2013-0169.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699888>\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1620", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "modified": "2013-02-08T00:00:00", "id": "UB:CVE-2013-1620", "href": "https://ubuntu.com/security/CVE-2013-1620", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-25T10:47:41", "description": "The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not\nproperly consider timing side-channel attacks on a noncompliant MAC check\noperation during the processing of malformed CBC padding, which allows\nremote attackers to conduct distinguishing attacks and plaintext-recovery\nattacks via statistical analysis of timing data for crafted packets, a\nrelated issue to CVE-2013-0169.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699886>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | no updates from upstream at this time \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | not mentioned in April CPU, but the code fixed in the Debian bug report is present, looks fixed\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1623", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1623"], "modified": "2013-02-08T00:00:00", "id": "UB:CVE-2013-1623", "href": "https://ubuntu.com/security/CVE-2013-1623", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-25T10:50:55", "description": "crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1\nand 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote\nattackers to cause a denial of service (application crash) via crafted CBC\ndata.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699889>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[jdstrand](<https://launchpad.net/~jdstrand>) | only 1.0.1 \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | fix included in CVE-2013-0169 patches fix reverted in usn-1732-2 because of regression\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "ubuntucve", "title": "CVE-2012-2686", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2686", "CVE-2013-0169"], "modified": "2013-02-08T00:00:00", "id": "UB:CVE-2012-2686", "href": "https://ubuntu.com/security/CVE-2012-2686", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-09-25T10:47:15", "description": "Array index error in the SSL module in PolarSSL before 1.2.5 might allow\nremote attackers to cause a denial of service via vectors involving a\ncrafted padding-length value during validation of CBC padding in a TLS\nsession, a different vulnerability than CVE-2013-0169.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699887>\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "ubuntucve", "title": "CVE-2013-1621", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1621"], "modified": "2013-02-08T00:00:00", "id": "UB:CVE-2013-1621", "href": "https://ubuntu.com/security/CVE-2013-1621", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}}], "veracode": [{"lastseen": "2023-04-18T13:04:52", "description": "openjdk is vulnerable to sandbox restrictions bypass. An unspecified vulnerability allows remote attackers to affect confidentiality, integrity, and availability via vectors related to `AWT`.\n", "cvss3": {}, "published": "2019-05-02T04:52:33", "type": "veracode", "title": "Sandbox Restrictions Bypass", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1480"], "modified": "2022-05-13T16:42:50", "id": "VERACODE:14498", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-14498/summary", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T13:37:21", "description": "openjdk is vulnerable to sandbox restrictions bypass. An unspecified vulnerability allows remote attackers to affect confidentiality and availability via unknown vectors related to `Libraries`.\n", "cvss3": {}, "published": "2019-05-02T04:45:30", "type": "veracode", "title": "Sandbox Restrictions Bypass", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2407"], "modified": "2022-05-13T16:42:19", "id": "VERACODE:14172", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-14172/summary", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-04-18T13:49:27", "description": "openjdk is vulnerable to sandbox restrictions bypass. An unspecified vulnerability allows remote attackers to affect availability via unknown vectors related to `Serialization`.\n", "cvss3": {}, "published": "2019-05-02T04:45:31", "type": "veracode", "title": "Sandbox Restrictions Bypass", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2450"], "modified": "2022-05-13T16:47:08", "id": "VERACODE:14182", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-14182/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-04-18T13:05:43", "description": "openjdk is vulnerable to sandbox restrictions bypass. An unspecified vulnerability allows remote attackers to affect confidentiality, integrity, and availability via vectors related to `2D`.\n", "cvss3": {}, "published": "2019-05-02T04:52:33", "type": "veracode", "title": "Sandbox Restrictions Bypass", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1478"], "modified": "2022-05-13T16:39:45", "id": "VERACODE:14497", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-14497/summary", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T14:22:22", "description": "OpenSSL is vulnerable to timing attacks. It happens because of lack of validation of MAC addresses in constant time during the processing of a malformed CBC padding. It is also known as \"Lucky Thirteen\" issue.\n", "cvss3": {}, "published": "2019-01-15T08:52:54", "type": "veracode", "title": "Timing Side- Channel Attack", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2019-10-10T02:55:37", "id": "VERACODE:10846", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-10846/summary", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T16:33:58", "description": "OpenSSL is vulnerable to timing attacks. The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2 doesn't check MAC addresses in constant time during the processing of a malformed CBC padding. This is also known as the \"Lucky Thirteen\" issue.\n", "cvss3": {}, "published": "2017-02-10T05:59:15", "type": "veracode", "title": "Timing Attacks", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2019-10-10T02:55:37", "id": "VERACODE:3568", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-3568/summary", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T16:34:07", "description": "OpenSSL is vulnerable to padding oracle attacks. The library does not check if there is enough data in both the MAC hash and padding bytes, allowing an attacker to recover the plain text by using the server as a padding oracle. Note: This vulnerability exists because of an incorrect fix for CVE-2013-0169.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-01-27T03:10:31", "type": "veracode", "title": "Padding Oracle Attack", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2022-12-13T13:43:36", "id": "VERACODE:3347", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-3347/summary", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "ibm": [{"lastseen": "2022-09-29T18:27:45", "description": "## Abstract\n\nVulnerability in the Java Runtime Environment component of Oracle Java SE\n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \n \n**DESCRIPTION: ** \n \n**CVE-2013-2407** \nA unspecified vulnerability in the Websphere IBM Java Runtime Environment (JRE) component allows remote attackers to affect the confidentiality and availability of Tivoli Federated Identity Manager (TFIM) and IBM Tivoli Federated Identity Manager Business Gateway TFIMBG) via unknown vectors related to Libraries. \n \nThe attack does not require specialized knowledge or techniques, nor does it require authentication, and network access required. An exploit could impact the confidentiality of information and the availability of the system, but the integrity of data is not compromised. \n \n**CVEID:** \nCVE-2013-2407 \n \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See CVSS Temporal Score: [_https://exchange.xforce.ibmcloud.com/vulnerabilities/85044_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85044>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nTivoli Federated Identity Manager (TFIM): v6.1, 6.1.1, 6.2.0, 6.2.1, 6.2.2 \nTivoli Federated Identity Manager Business Gateway (TFIMBG): v6.1.1, 6.2.0, 6.2.1, 6.2.2 \n \n \n**REMEDIATION: ** \n \nUpgrade your Websphere IBM Java Runtime Environment to a interim fix level as determined below: \n \nFor TFIM and TFIMBG, download and apply the interim fix APARs below, for your appropriate release of Websphere: \n \n\n\nTFIM/TFIMBG Version| Websphere Version| Websphere APAR Interim Fix \n---|---|--- \nTFIM 6.1.1| EWAS 6.1 \nWAS 6.1| PM91296 for SDK 5 \nTFIM 6.2.0| EWAS 6.1 \nWAS 6.1 \nWAS 7.0| PM91296 for SDK 5 \nPM91295 for SDK 6 \nPM91293 for SDK 6.26 \nTFIM 6.2.1| EWAS 6.1 \nWAS 6.1 \nWAS 7.0 \nWAS 8.0 for z/OS| PM91296 for SDK 5 \nPM91295 for SDK 6 \nPM91293 for SDK 6.26 \nTFIM 6.2.2| EWAS 6.1 \nWAS 6.1 \nWAS 7.0 \nWAS 8.0 \nWAS 8.5| PM91296 for SDK 5 \nPM91295 for SDK 6 \nPM91293 for SDK 6.26 \nPM91291 for SDK 7 \nTFIMBG 6.1.1| EWAS 6.1 \nWAS 6.1| PM91296 for SDK 5 \nTFIMBG 6.2.0| EWAS 6.1 \nWAS 6.1 \nWAS 7.0| PM91296 for SDK 5 \nPM91295 for SDK 6 \nPM91293 for SDK 6.26 \nTFIMBG 6.2.1| EWAS 6.1 \nWAS 6.1 \nWAS 7.0 \nWAS 8.0 for z/OS| PM91296 for SDK 5 \nPM91295 for SDK 6 \nPM91293 for SDK 6.26 \nTFIMBG 6.2.2| EWAS 6.1 \nWAS 6.1 \nWAS 7.0 \nWAS 8.0 \nWAS 8.5| PM91296 for SDK 5 \nPM91295 for SDK 6 \nPM91293 for SDK 6.26 \nPM91291 for SDK 7 \n \n \n \n**_Workaround(s):_** \nNone \n \n**_Mitigation(s):_** \nNone \n \n**REFERENCES: ** \n\u00b7 [_Complete CVSS Guide_](<http://www.first.org/cvss/v2/guide>) \n\u00b7 [_On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _ \n\u00b7 [_CVE-2013-2407_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2407>) \n\u00b7 [_https://exchange.xforce.ibmcloud.com/vulnerabilities/85044_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85044>) \n\u00b7 [_IBM Security Alerts_](<https://www.ibm.com/developerworks/java/jdk/alerts/>) \n \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n \n**ACKNOWLEDGEMENT** \nNone \n \n \n \n \n \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSZSXU\",\"label\":\"Tivoli Federated Identity Manager\"},\"Business Unit\":{\"code\":\"BU008\",\"label\":\"Security\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"6.1;6.1.1;6.2;6.2.1;6.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}},{\"Product\":{\"code\":\"SS4J57\",\"label\":\"Tivoli Federated Identity Manager Business Gateway\"},\"Business Unit\":{\"code\":\"BU008\",\"label\":\"Security\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"6.1.1;6.1;6.2;6.2.1;6.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":null,\"label\":null}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway can be affected by vulnerabilities in the Websphere IBM Java Runtime Environment (CVE-2013-2407)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2407"], "modified": "2022-09-25T21:06:56", "id": "F0797625BE52E1B6EE33F6C12876F26D0416949114C3B38ABE4260DAF2DB6011", "href": "https://www.ibm.com/support/pages/node/232459", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-06-24T05:57:05", "description": "## Abstract\n\nIf an attacker makes a victim open a specially crafted XML document, it could be possible to conduct denial of service attacks using IBM SPSS Modeler installed on the victim's system.\n\n## Content\n\n**VULNERABILITY DETAILS**\n\n**_CVE ID: CVE-2013-2407_**\n\n \n**DESCRIPTION:** \nIf an attacker makes a victim open a specially crafted XML document, it could be possible to conduct denial of service attacks using IBM SPSS Modeler installed on the victim's system.\n\n \n**CVSS:**\n\nCVSS Base Score: 6.4\n\n \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/85044_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85044>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n \n**AFFECTED PLATFORMS: ** \n \n\u00b7 Versions 14 through 15.0 of IBM SPSS Modeler running on all supported platforms are affected. \n \n**REMEDIATION: **The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available. \n \n**_Fix:_** \nFor IBM SPSS Modeler: \n \n\\- [Version 14.2 Fix Pack 3 Interim Fix 020](<http://www.ibm.com/support/docview.wss?uid=swg24035763>) \n\\- [Version 15.0 Fix Pack 2 Interim Fix 011](<http://www.ibm.com/support/docview.wss?uid=swg24035762>) \n \n \n**_Workaround:_** \nNone known; apply fixes. \n \n**_Mitigation:_** \n\u00b7 None known \n\n**REFERENCES: ** \n \n[_\u00b7 ___Complete CVSS Guide__](<http://www.first.org/cvss/v2/guide>) \n[_\u00b7 ___On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _ \n[__\u00b7 X-Force Vulnerability Database__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85044>) \n\\- [_CVE-2013-2407_](<https://vulners.com/cve/CVE-2013-2407>)\n\n**ACKNOWLEDGEMENT: **\n\n**CHANGE HISTORY: **\n\n\u00b7 _27 September 2013: Original copy published_\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n## Related Information \n\n[Need more help? Our Modeler forum is Live!](<https://developer.ibm.com/answers/topics/modeler/?smartspace=predictive-analytics>)\n\n[{\"Product\":{\"code\":\"SS3RA7\",\"label\":\"IBM SPSS Modeler\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF012\",\"label\":\"IBM i\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"15.0;14.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: IBM SPSS Modeler - XML (CVE-2013-2407)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2407"], "modified": "2022-09-25T21:06:56", "id": "3B62C98A59803E5E4423ADB1E9891A3D0549BB751A0F2839E05E54D95917860C", "href": "https://www.ibm.com/support/pages/node/235207", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2023-02-20T21:37:36", "description": "## Summary\n\nPrevious releases of IBM Rational Automation Framework are affected by a vulnerability in Java that may allow remote attackers to execute plaintext-recovery attacks.\n\n## Vulnerability Details\n\n| **Subscribe to My Notifications to be notified of important product support alerts like this.**\n\n * Follow [this link](<https://www.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=startSearchToSubscribe&uctug_rational_dcfsbblurb_2013-11-05_myn_adoption_promo>) for more information (requires login with your IBM ID) \n---|--- \n \n \n**CVE ID:** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>) \n** \nDescription: **Unspecified vulnerability in IBM Java Runtime Environment may allow remote attackers to conduct distinguishing attacks and plaintext-recovery via statistical analysis of timing data for crafted packets. \n \nNote that despite the public disclosure, the issue is largely theoretical and very difficult to exploit in real world scenarios. \n_ \n_**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nRational Automation Framework 3.0.1 and earlier on all supported platforms.\n\n## Remediation/Fixes\n\nUpgrade to [Rational Automation Framework Fix Pack 1 (3.0.1.1) for 3.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24035725>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T04:48:04", "type": "ibm", "title": "Security Bulletin: Java Vulnerability in Rational Automation Framework (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2018-06-17T04:48:04", "id": "17F2DE1F272EBF8E1F0E16B3A3D0C121D7F53002360A33B2E318E8910C665E9D", "href": "https://www.ibm.com/support/pages/node/234127", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:27:05", "description": "## Abstract\n\nThe IBM WebSphere Partner Gateway is shipped with an IBM Java SDK that is based on the Oracle SDK. Oracle has released April 2013 critical patch updates (CPU) which contain security vulnerability fixes and the IBM Java SDK that WebSphere Partner Gateway ships is affected.\n\n## Content\n\n**VULNERABILITY DETAILS** \n \nCVE-2013-0169 - The TLS protocol does not properly consider timing side-channel attacks, which could allow remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**DESCRIPTION:** \nThis Security Bulletin addresses the security vulnerabilities that have shipped with the IBM SDK and is part of the Oracle April 2013 critical patch updates (CPU). For details on these updates please refer to the Reference section of this bulletin. \n \n**Versions Affected.** \n \nWebSphere Partner Gateway Express Edition Versions 6.0 through 6.0.0.3 \n \n \n**REMEDIATION: **\n\nWebSphere Application Server JRE has to be updated to 1.4.2 SR13-FP17. Please contact IBM support to avail the IFix.\n\n**REFERENCES: **\n\n* [_IBM Security Alerts_](<http://www.ibm.com/developerworks/java/jdk/alerts>)\n* [_Oracle Java SE Critical Patch Update Advisory - April 2013_](<http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html>)\n* [_Java on IBM i_](<https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en>)\n* [_Complete CVSS Guide _](<http://www.first.org/cvss/v2/guide>)\n* [_On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n* [_CVE-2013-0169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>) [_xforce.iss.net/xforce/xfdb/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>)\n* [_WebSphere Application Server Recommended Fixes Page _](<http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27004980>)\n\n**RELATED INFORMATION: **\n\n \nNone \n \n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSDKML\",\"label\":\"WebSphere Partner Gateway - Express\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"6.0.0.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: Potential security vulnerabilities in WebSphere Partner Gateway Express for the Oracle CPU April 2013.", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T21:06:56", "id": "476070037D8C6B95A023CADE7B7B8E36D86FE85A0AE9BDFC8D5FB131FC5DB6F9", "href": "https://www.ibm.com/support/pages/node/230325", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-20T21:37:38", "description": "## Summary\n\nSSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)\n\n## Vulnerability Details\n\n| **Subscribe to My Notifications to be notified of important product support alerts like this.**\n\n * Follow [this link](<https://www.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=startSearchToSubscribe&uctug_rational_dcfsbblurb_2013-11-05_myn_adoption_promo>) for more information (requires login with your IBM ID) \n---|--- \n \n**CVEID:** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>)\n\n \n \n**Description:** \nA weakness in the handling of CBC cipher suites in SSL, TLS and DTLS exploits timing differences arising during MAC processing. OpenSSL versions affected include 1.0.1c, 1.0.0j and 0.9.8x. \n\n**Note: ** This vulnerability is only partially mitigated when OpenSSL is used in conjunction with the OpenSSL FIPS Object Module and the FIPS mode of operation is enabled.\n\n \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> for the current score. \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Rational Build Forge version 8.0 and all earlier versions.\n\n## Remediation/Fixes\n\nUpgrade to [Rational Build Forge Fix Pack 1 (8.0.0.1) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24035921>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T04:47:31", "type": "ibm", "title": "Security Bulletin: Rational Build Forge Security Advisory (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2018-06-17T04:47:31", "id": "B2A692687E0D397416E3549B4377E5B3319BF086A451607250B307F6DEECCF53", "href": "https://www.ibm.com/support/pages/node/231539", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T17:45:45", "description": "## Summary\n\nThe Lucky Thirteen attack is a cryptographic timing attack against implementations of the Transport Layer Security (TLS) protocol that use the CBC mode of operation. An attacker could perform main in the middle attacks to successfully obtain plain text from the secure channel. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nTNPM Wireline| 1.4.0 \nTNPM Wireline| 1.4.1 \nTNPM Wireline| 1.4.2 \nTNPM Wireline| 1.4.3 \nTNPM Wireline| 1.4.4 \nTNPM Wireline| 1.4.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server shipped with Tivoli Netcool Performance Manager for Wireline.\n\n<https://www.ibm.com/support/pages/node/227769>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2020-05-07T04:56:20", "type": "ibm", "title": "Security Bulletin: A security vulnerability in IBM Websphere affects IBM Tivoli Netcool Performance Manager for Wireline (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2020-05-07T04:56:20", "id": "FFCC3373408F02CC542763623853BD92D404CF7A56813566A2A692A6EC5C572D", "href": "https://www.ibm.com/support/pages/node/6206785", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-24T05:56:35", "description": "## Abstract\n\nPotential Security Exposure with IBM HTTP Server for WebSphere Application Server\n\n## Content\n\n**VULNERABILITY DETAILS: **\n\n**CVE ID: ****_CVE-2013-0169 (PM85211) _**** \n \nDESCRIPTION: **The TLS protocol in the GSKIT component of the IBM HTTP Server does not properly consider timing side-channel attacks, which could allow a remote attacker to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. ** \n \nCVSS:** _ \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _[_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) _for the current score \nCVSS Environmental Score*: Undefined \nCVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)_** \n \nAFFECTED VERSIONS: **This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products: \n\u00b7 Version 8.5 \n\u00b7 Version 8 \n\u00b7 Version 7 \n\u00b7 Version 6.1 \n\n**REMEDIATION: **The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical \n\n**_Fix:_** Apply a Fix Pack or PTF containing this APAR PM85211, as noted below: \n\n**For affected versions of IBM HTTP Server for WebSphere Application Server:**\n\n**For V8.5.0.0 through 8.5.0.2 Full Profile:**\n\n* Apply Interim Fix [PM85211](<http://www-01.ibm.com/support/docview.wss?uid=swg24035061>)\n \n\\--OR-- \n* Apply Fix Pack 8.5.5.0 or later.\n\n** For V8.0.0.0 through 8.0.0.6:**\n\n* Apply Interim Fix [PM85211](<http://www-01.ibm.com/support/docview.wss?uid=swg24035061>)\n \n\\--OR-- \n* Apply Fix Pack 8.0.0.7 or later.\n* \n**For V7.0.0.0 through 7.0.0.27:**\n* Apply Interim Fix [PM85211](<http://www-01.ibm.com/support/docview.wss?uid=swg24035061>)\n \n\\--OR-- \n* Apply Fix Pack 7.0.0.29 or later.\n \n \n**For V6.1.0.0 through 6.1.0.45:**\n* Apply Interim Fix [PM85211](<http://www-01.ibm.com/support/docview.wss?uid=swg24035061>)\n \n\\--OR-- \n* Apply Fix Pack 6.1.0.47 or later.\n\n\u00b7 **_Workaround(s):_** None \n \n\u00b7 **_Mitigation(s):_** None\n\n \n \n**Important note: **IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www-03.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk. \n \n \nFor additional details and information on WebSphere Application Server product updates: \n* For Distributed, see [_Recommended fixes for WebSphere Application Server._](<http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980>)\n* For z/OS, see [_APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS_](<http://www.ibm.com/support/docview.wss?uid=swg27006970>). \n \n\n\n**REFERENCES:**_ \n_[](<https://www-304.ibm.com/support/docview.wss?uid=swg21496117&wv=1>)[_\u00b7 ___Complete CVSS Guide__](<https://www.first.org/cvss/v2/guide>)_ _[](<http://www.first.org/cvss/cvss-guide.html>)_ __ \n_[_\u00b7 ___On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _[](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _ \n[](<https://www-304.ibm.com/support/docview.wss?uid=swg21496117&wv=1>)[_\u00b7 ___CVE-2013-0169__](<https://vulners.com/cve/CVE-2013-0169>)[](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-xxxx>)[](<http://www.first.org/cvss/cvss-guide.html>)_ _[_xforce.iss.net/xforce/xfdb/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>)_ __ \n_\n\n \n \n \n\n\n**CHANGE HISTORY:** \n\u00b7 _30 May 2013: Original copy published_\n\n \n \n \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n**_ \nNote: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSEQTP\",\"label\":\"WebSphere Application Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"8.5;8.0;7.0;6.1\",\"Edition\":\"Base;Developer;Express;Network Deployment\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSEQTJ\",\"label\":\"IBM HTTP Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Base Server\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"8.5;8.0;7.0;6.1\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-09-25T23:13:40", "type": "ibm", "title": "Security Bulletin: Potential Security Exposure in IBM HTTP Server CVE-2013-0169 PM85211", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T23:13:40", "id": "3F34D8EA25B1CFED1F77BE0A29D70083D293CF0532267E430A4F453410CE1576", "href": "https://www.ibm.com/support/pages/node/491407", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:26:02", "description": "## Abstract\n\nCVE-2013-0169 - The Transport Layer Security protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \n**DESCRIPTION: ** \n \n**CVE-2013-0169** \nA weakness in the handling of cipher-block chaining (CBC) ciphersuites in Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) could lead to plaintext recovery of sensitive information by exploiting timing differences arising during message authentication codes (MAC) processing. The CVSS score is based on IBM X-Force rankings, which sets the access complexity for this vulnerability as Medium. \n \nThe attack does not require local network access nor does it require authentication, but some degree of specialized knowledge and techniques are required. An exploit may have a limited impact on the confidentiality of information but neither the integrity of data nor the availability of the system would be compromised.** \n \n** \n**CVEID:** \nCVE-2013-0169 \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nIBM Tivoli Key Lifecycle Manager v1, v2 and v2.0.1 \n \n \n**REMEDIATION: ** \nApply the latest Interim Fix for the Websphere Application Server (WAS) v6.1 used with Tivoli Key Lifecycle Manager: \n[_PM87524: SHIP SDK 5 SR16 FP2 FOR WSAS V6.1.0.X_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034996>) \n \nMore information on this Interim Fix can be found in the following security bulletin: \n \n[_Security Bulletin: WebSphere Application Server - Oracle CPU April 2013_](<http://www-01.ibm.com/support/docview.wss?uid=swg21635983&myns=swgws&mynp=OCSSEQTP&mync=E>) \n \n \n \n**_Workaround(s):_** \nNone \n \n**_Mitigation(s):_** \nNone \n \n**REFERENCES: ** \n[\u00b7 __Complete CVSS Guide__](<http://www.first.org/cvss/v2/guide>) \n[\u00b7 __On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _ \n[\u00b7 __CVE-2013-0169__](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>) \n[\u00b7 _https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \n[\u00b7 _PM87524: SHIP SDK 5 SR16 FP2 FOR WSAS V6.1.0.X_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034996>) \n[\u00b7 _Security Bulletin: WebSphere Application Server - Oracle CPU April 2013_](<http://www-01.ibm.com/support/docview.wss?uid=swg21635983&myns=swgws&mynp=OCSSEQTP&mync=E>) \n \n \n \n**RELATED INFORMATION: ** \n[\u00b7 _IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[\u00b7 _IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n**ACKNOWLEDGEMENT** \nNone \n \n \n \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSWPVP\",\"label\":\"IBM Security Key Lifecycle Manager\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"1.0;2.0;2.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {}, "published": "2022-09-25T23:13:40", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Key Lifecycle Manager can be affected by a vulnerability in the IBM Java Runtime Environment (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T23:13:40", "id": "511A2CEA23CFB8B15C62F78EE3A158E3C8F986D7D0E152D292B641365BBD08F1", "href": "https://www.ibm.com/support/pages/node/496033", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:27:35", "description": "## Abstract\n\nIBM DB2 Recovery Expert for Linux, UNIX and Windows uses the IBM Java Runtime Environment (JRE) and is affected by a vulnerability issue in the IBM JRE.\n\n## Content\n\n**VULNERABILITY DETAILS:** \n \n**CVE ID: **CVE-2013-0169 \n \n**DESCRIPTION: ** \nThe TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n \n** CVSS:**\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [**_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_**](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n--- \n \n**AFFECTED PRODUCTS: ** \n \nIBM DB2 Recovery Expert for Linux, UNIX, and Windows version 3.1.0.0 through 4.1.0.0 \n \n**REMEDIATION:** \n \n**VENDOR FIX: ** \n \nDB2 Recovery Expert V4.1.0 \n \nInstall Interim Fix 1 (4.1.0.0_IF1) \n \nDB2 Recovery Expert V3.1.0 \n \nYou must replace the IBM JRE that is installed with IBM DB2 Recovery Expert with the latest IBM JRE. Detailed instructions are provided in the technote \u201cUpdating the JRE for DB2 Recovery Expert for Linux, UNIX and Windows. See <http://www-01.ibm.com/support/docview.wss?uid=swg21644942> \n \nFor further assistance contact IBM Technical Support. \n \n**WORKAROUND: ** \nNone \n \n**MITIGATION:** \nNone \n \n**REFERENCES:** \n[_On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) \n[_X-Force Vulnerability Database_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \n[_CVE-2013-0169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>) \n \n \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n**CHANGE HISTORY: ** \n**_07/25/2013: Original version published_** \n \n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._ \n_ _ \n_Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SS8QJD\",\"label\":\"DB2 Recovery Expert for Linux, UNIX and Windows\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.1.0;3.1.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: DB2 Recovery Expert for Linux, UNIX and Windows affected by vulnerability in IBM Java JRE (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T21:06:56", "id": "61C29B2018A4B8DC7247FEB87D67D749F5AB58D20D16FB7F0426B1B9762B49FF", "href": "https://www.ibm.com/support/pages/node/228889", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-20T21:35:22", "description": "## Summary\n\nIBM Rational ClearCase includes an IBM Java SDK that is based on the Oracle JDK. Oracle has released April 2013 critical patch updates (CPU) which contain security vulnerability fixes and the IBM Java SDK has been updated to incorporate those updates.\n\n## Vulnerability Details\n\n| **Subscribe to My Notifications to be notified of important product support alerts like this.**\n\n * Follow [this link](<https://www.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=startSearchToSubscribe&uctug_rational_dcfsbblurb_2013-11-05_myn_adoption_promo>) for more information (requires login with your IBM ID) \n---|--- \n \n**CVE ID:** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>) \n \n**Description:** The TLS protocol does not properly consider timing side-channel attacks, which could allow remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector: **(AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nRational ClearCase, Remote Client, 7.1 through 7.1.2.11, 8.0 through 8.0.0.7, and 8.0.1 \n \n**Note:** The vulnerability only affects ClearCase Remote Client. \n\n * If your deployment does not use ClearCase Remote Client, it is _not vulnerable_. \n * If your deployment does not use SSL (https) between ClearCase Remote Client and CM Server or CCRC WAN Server, it is _not vulnerable_.\n\n## Remediation/Fixes\n\nUpgrade to one of the below versions of IBM Rational ClearCase: \n\n\n * [Rational ClearCase Fix Pack 1 (8.0.1.1) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24035657>)\n * [Rational ClearCase Fix Pack 8 (8.0.0.8) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24035655>)\n * [Rational ClearCase Fix Pack 12 (7.1.2.12) for 7.1.2](<http://www.ibm.com/support/docview.wss?uid=swg24035653>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Rational ClearCase (Java component) with potential for TLS Attack (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2018-07-10T08:34:12", "id": "9767587F564D9C9625F74EB5AC595ABB7605EE6BA3253E7CAEBC767879A17130", "href": "https://www.ibm.com/support/pages/node/232887", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-20T21:37:35", "description": "## Summary\n\nThe IBM GSKit component used in Rational RequisitePro is susceptible to a Transport Layer Security protocol vulnerability known as \"Lucky Thirteen.\" The vulnerability might allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets.\n\n## Vulnerability Details\n\n| **Subscribe to My Notifications to be notified of important product support alerts like this.**\n\n * Follow [this link](<https://www.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=startSearchToSubscribe&uctug_rational_dcfsbblurb_2013-11-05_myn_adoption_promo>) for more information (requires login with your IBM ID) \n---|--- \n \n**CVEID: **[CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>) \n \n**Description: **The IBM GSKit component used in Rational RequisitePro is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as \"Lucky Thirteen.\" The vulnerability might allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets. \n \nThe IBM GSKit is used if RequisitePro is configured to use LDAP authentication using SSL. If your RequisitePro deployment is not using LDAP configured with SSL, then your deployment is not sensitive to this attack when authenticating to the LDAP server. \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector: **(AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nRational RequisitePro 7.1.1.x \nRational RequisitePro 7.1.2.x \nRational RequisitePro 7.1.3.7 and previous versions \nRational RequisitePro 7.1.4.0\n\n## Remediation/Fixes\n\nUpgrade to one of the below versions of IBM Rational RequisitePro \n\n * 7.1.4.x: [Rational RequisitePro Fix Pack 1 (7.1.4.1) for 7.1.4](<http://www.ibm.com/support/docview.wss?uid=swg24035667>)\n * 7.1.3.x: [Rational RequisitePro Fix Pack 8 (7.1.3.8) for 7.1.3](<http://www.ibm.com/support/docview.wss?uid=swg24035666>)\n * 7.1.2.x: Upgrade to 7.1.3.8 or 7.1.4.1\n * 7.1.1.x: Upgrade to 7.1.3.8 or 7.1.4.1\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T04:48:08", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Rational RequisitePro with a potential for a TLS attack (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2018-06-17T04:48:08", "id": "3258D879016CCEB97F8F543943D502B2C423771C5D452641CB88919F035248B5", "href": "https://www.ibm.com/support/pages/node/234337", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T21:26:04", "description": "## Abstract\n\nDownload an update to the TS3400 Tape Library, which contains a newer version of OpenSSL that fixes certain security vulnerabilities that were present in older versions of OpenSSL.\n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \n**DESCRIPTION: ** \nA security vulnerability was found in OpenSSL version 1.0.1c (along with other earlier versions). For a complete list of OpenSSL Vulnerabilities by version, please refer to: [_http://www.openssl.org/news/vulnerabilities.html_](<http://www.openssl.org/news/vulnerabilities.html>) \n \nThe IBM TS3400 tape library firmware has been updated to contain a newer version of OpenSSL. \n \n**CVEID: **CVE-2013-0169 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/81902_](<http://xforce.iss.net/xforce/xfdb/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nAll TS3400 tape libraries with firmware versions lower than 0040. \n \n**REMEDIATION: ** \nThe recommended solution involves applying the fix, which is contained in firmware version 0040 and above. The fix remediates the vulnerability by updating OpenSSL to version 1.0.1d. \n \n**Fix:** \nApply firmware version 0040 or later, available from IBM Fix Central [_http://www-933.ibm.com/support/fixcentral/_](<http://www-933.ibm.com/support/fixcentral/>) \n \n**Workaround(s):** \nNone \n \n**Mitigation(s):** \nConnect the library directly to a workstation or private network that is trusted (i.e., access to the workstation or network is controlled or limited to persons that would all have administrator privileges or persons that can be trusted not to attempt to hack into the library). \n \n**REFERENCES**\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/v2/guide>)\n * [__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _\n * [__CVE-2013-0169____ __](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>)\n * _X-Force Vulnerability Database_ [_http://xforce.iss.net/xforce/xfdb/81902_](<http://xforce.iss.net/xforce/xfdb/81902>)\n * **RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n**ACKNOWLEDGEMENT** \nNone \n \n**CHANGE HISTORY** \n14 June 2013: Original Copy Published \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"STCDUHL\",\"label\":\"Tape systems-\\u003ETS3400 Tape Library (3577)\"},\"Business Unit\":{\"code\":\"BU054\",\"label\":\"Systems w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Not Applicable\",\"Edition\":\"Standard\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {}, "published": "2022-09-26T04:23:14", "type": "ibm", "title": "Security Bulletin: IBM TS3400 Tape Library update for security vulnerabilities in OpenSSL (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-26T04:23:14", "id": "C53887B5065E8CBF2E75B8207E4CC5546F907715375F0C60DDEEACFD8829F5D5", "href": "https://www.ibm.com/support/pages/node/689221", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:56:37", "description": "## Abstract\n\nGSKit is used by IBM DB2 for SSL support. The version of GSKit iused by DB2 is vulnerable to the \u201cLucky Thirteen\u201d security vulnerability. By default, DB2 does not use SSL for client-server communication and therefore DB2 is vulnerable only if SSL is enabled.\n\n## Content\n\n**VULNERABILITY DETAILS** \n \n \n**CVE ID: CVE-2013-0169** \n \n**Description:** \n \nThe Transport Layer Security protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n \nThe attack does not require local network access nor does it require authentication, but some degree of specialized knowledge and techniques are required. An exploit may impact the confidentiality of information but the integrity of data, or the availability of the system would not be compromised. \n \n \n**CVSS:** \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**AFFECTED PLATFORMS:** \n \nThe following IBM DB2 and DB2 Connect V9.1, V9.5, V9.7 and V10.1 editions running on AIX, Linux, HP, Solaris and Windows. \n \nIBM\u00ae DB2\u00ae Express Edition \nIBM\u00ae DB2\u00ae Workgroup Server Edition \nIBM\u00ae DB2\u00ae Enterprise Server Edition \nIBM\u00ae DB2\u00ae Advanced Enterprise Server Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Application Server Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Enterprise Edition \nIBM\u00ae DB2\u00ae Connect\u2122 Unlimited Edition for System i\u00ae \nIBM\u00ae DB2\u00ae Connect\u2122 Unlimited Edition for System z\u00ae \n \nThe following IBM V9.8 editions running on AIX and Linux: \n \nIBM\u00ae DB2\u00ae pureScale\u2122 Feature for Enterprise Server Edition \n \n \n**REMEDIATION: ** \n \nThe recommended solution is to apply the appropriate fix for this vulnerability. \n \n \n**FIX:** \nThe fix for this vulnerability is available for download for DB2 and DB2 Connect release V9.7 FP9 and V10.1 FP3a/FP4. \n \nFor DB2 and DB2 Connect V9.5 and V9.8, the fix is planned to be made available in future fix packs. \n \nDB2 and DB2 Connect V9.1 are no longer supported and therefore no patch will be made available. Please upgrade to a supported version of DB2 or DB2 Connect, as applicable, and apply the fix. Customers who have an extended support contract for this version may contact support to request a fix under the terms of their contract. \n \nA special build with an interim patch for this issue may be requested for DB2 and DB2 Connect V9.5 FP9 & FP10 and V9.8 FP5. Please contact your service representative to request the special build and reference the APAR number for the release you want. \n\n\n \n**Release**| **APAR**| **Download URL** \n---|---|--- \nV9.5 | [_IC90385_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IC90385>)| Not available. Please contact technical support. \nV9.7 FP9 | [_IC90395_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IC90395>)| <http://www.ibm.com/support/docview.wss?uid=swg24036646> \nV9.8| [_IC90396_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IC90396>)| Not available. Please contact technical support. \nV10.1 FP3a| [_IC90397_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IC90397>)| <http://www.ibm.com/support/docview.wss?uid=swg24037557> \nV10.1 FP4| [_IC90397_](<http://www-01.ibm.com/support/docview.wss?uid=swg1IC90397>)| <http://www.ibm.com/support/docview.wss?uid=swg24037466> \n \n \n \n**Contact Technical Support:**\n\nIn the United States and Canada dial **1-800-IBM-SERV** \nView the support [_contacts for other countries_](<http://www.ibm.com/planetwide/>) outside of the United States. \nElectronically [_open a Service Request_](<http://www.ibm.com/software/data/db2/support/db2_9/probsub.html>) with DB2 Technical Support. \n\n \n \n \n\n\n**WORKAROUND:**\n\nNone.\n\n \n\n\n**MITIGATION:**\n\nNone.\n\n \n \n \n**REFERENCES**: \n[\uf0b7__Complete CVSS v2 Guide__](<http://www.first.org/cvss/v2/guide>) \n[\uf0b7__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) \n[\uf0b7__X-Force Vulnerability Database - 81902__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \n[\uf0b7__CVE-2013-0169__](<https://vulners.com/cve/CVE-2013-0169>) \n \n \n[](<http://www.appsecinc.com/resources/alerts/>) \n**CHANGE HISTORY: ** \nMay 31, 2013: Original version published. \nDecember 16, 2013: Added V9.7 FP9 download URL. \nMarch 19, 2014: Updated V10.1 special build fix pack level to FP2 & FP3. \nJune 6, 2014: Updated V10.1 FP3a and FP4 download URL. \n \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS_ \n \n**_Note:_**_ IBM\u2019s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM\u2019s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion._\n\n[{\"Product\":{\"code\":\"SSEPGG\",\"label\":\"Db2 for Linux, UNIX and Windows\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"Security \\/ Plug-Ins - Security Vulnerability\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"9.8;9.7;9.5;9.1;10.1\",\"Edition\":\"Advanced Enterprise Server;Enterprise Server;Express;Express-C;Personal;Workgroup Server\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}},{\"Product\":{\"code\":\"SSEPDU\",\"label\":\"Db2 Connect\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-09-25T23:13:40", "type": "ibm", "title": "Security Bulletin: IBM DB2 is impacted by a vulnerability in the IBM GSKit library (CVE-2013-0169).", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T23:13:40", "id": "AD3DEE6A50AC4F6651955CE510E56DC0170683854BF573E9389CCA2769B638B1", "href": "https://www.ibm.com/support/pages/node/494939", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-20T21:37:36", "description": "## Summary\n\nThe IBM GSKit component used in Rational ClearQuest is susceptible to a Transport Layer Security protocol vulnerability known as \"Lucky Thirteen.\" The vulnerability might allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets.\n\n## Vulnerability Details\n\n| **Subscribe to My Notifications to be notified of important product support alerts like this.**\n\n * Follow [this link](<https://www.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=startSearchToSubscribe&uctug_rational_dcfsbblurb_2013-11-05_myn_adoption_promo>) for more information (requires login with your IBM ID) \n---|--- \n \n**CVE ID:** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>) \n \n**Description: **The IBM GSKit component used in Rational ClearQuest is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as \"Lucky Thirteen.\" The vulnerability might allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets. \n \nThe IBM GSKit is used if ClearQuest is configured to use LDAP authentication using SSL. If your ClearQuest deployment is not using LDAP configured with SSL, then your deployment is not sensitive to this attack when authenticating to the LDAP server. \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nRational ClearQuest Web 7.1 through 7.1.2.10, 8.0 through 8.0.0.7, and 8.0.1\n\n## Remediation/Fixes\n\nUpgrade to one of the below versions of IBM Rational ClearQuest \n\n * [Rational ClearQuest Fix Pack 1 (8.0.1.1) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24035656>)\n * [Rational ClearQuest Fix Pack 8 (8.0.0.8) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24035654>)\n * 7.1.2.12: Upgrade to either 8.0.0.8 or 8.0.1.1 [](<http://www.ibm.com/support/docview.wss?&uid=swg24035652>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T04:47:41", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Rational ClearQuest with potential for TLS Attack (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2018-06-17T04:47:41", "id": "BC14F6832E7A855373319126E5CF0A69CAAC1369B245AE25C03158E47AD57D0A", "href": "https://www.ibm.com/support/pages/node/232691", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:56:18", "description": "## Abstract\n\nThe Transport Layer Security protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \nCVE-2013-0169 \n \n**DESCRIPTION: ** \n \nA weakness in the handling of cipher-block chaining (CBC) ciphersuites in Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) could lead to plaintext recovery of sensitive information by exploiting timing differences arising during message authentication codes (MAC) processing. The CVSS score is based on IBM X-Force rankings, which sets the access complexity for this vulnerability as Medium. \n \nThe attack does not require local network access nor does it require authentication, but some degree of specialized knowledge and techniques are required. An exploit may impact the confidentiality of information but the integrity of data, or the availability of the system would not be compromised. \n \n**CVEID:** \nCVE-2013-0169 \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \n**_CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)_** \n \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nPRODUCT VERSIONS AFFECTED \n \n\n\nPRODUCT version| GSKit Version \n---|--- \nTivoli Directory Server V6.0 \nTivoli Directory Server V6.1 \nTivoli Directory Server V6.2| GSKit 7.0 \nTivoli Directory Server V6.3| GSKit 8.0 \n \n \n**REMEDIATION: ** \nThe vulnerability is fixed in the following versions of the IBM GSKit libraries. \n\n* GSKit v8 Common Criteria stream build 8.0.14.27\n* GSKit v8 service stream build 8.0.50.4\n* GSKit v7 service stream build 7.0.4.45\n \n \nTivoli Directory Server fixes for entitled customers on Fix Central provide access to the latest GSKit build available as of their publication. \n \nFor access to GSKit 8.0.14.27: \n* [_Upgrade to Tivoli Directory Server 6.3.0.22_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.22&platform=All&function=all>)\n \n \nFor access to GSKit 7.0.4.45: \n* [_Upgrade to Tivoli Directory Server 6.2.0.30_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.30&platform=All&function=all>)\n* [_Upgrade to Tivoli Directory Server 6.1.0.55_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.1.0.55&platform=All&function=all>)\n* [_Upgrade to Tivoli Directory Server 6.0.0.72_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.0.0.72&platform=All&function=all>)\n \n \n \n**_Workaround(s):_** \nNone \n \n**_Mitigation(s):_** \nNone \n \n**REFERENCES: **\n* [__Complete CVSS Guide__](<http://www.first.org/cvss/v2/guide>)\n* [__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n* [__CVE-2013-0169__](<https://vulners.com/cve/CVE-2013-0169>)\n* [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>)\n* [_IBM Security Alerts_](<https://www.ibm.com/developerworks/java/jdk/alerts/>)\n* [_Upgrade to Tivoli Directory Server 6.3.0.22_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.3.0.22&platform=All&function=all>)\n* [_Upgrade to Tivoli Directory Server 6.2.0.30_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.2.0.30&platform=All&function=all>)\n* [_Upgrade to Tivoli Directory Server 6.1.0.55_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.1.0.55&platform=All&function=all>)\n* [_Upgrade to Tivoli Directory Server 6.0.0.72_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Directory+Server&release=6.0.0.72&platform=All&function=all>) \n\n \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n \n \n**ACKNOWLEDGEMENT** \nNone \n \n \n \n \n \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSVJJU\",\"label\":\"IBM Security Directory Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"6.0;6.1;6.2;6.3\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {}, "published": "2022-09-26T05:45:55", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Directory Server can be affected by a vulnerability in the IBM GSKit library (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-26T05:45:55", "id": "236329FBB4C57928A51AF5989855EBBE8AEFC2496ED2345E1CE8C703B7EA9BD5", "href": "https://www.ibm.com/support/pages/node/493881", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:25:57", "description": "## Abstract\n\nCVE-2013-0169 - The Transport Layer Security protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \n**DESCRIPTION: ** \n \nCVE-2013-0169 \n**The Transport Layer Security protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. ** \n \nThe attack does not require local network access nor does it require authentication, but some degree of specialized knowledge and techniques are required. An exploit may impact the confidentiality of information but the integrity of data, or the availability of the system would not be compromised. \n \n**CVEID:** \nCVE-2013-0169 \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> \nCVSS Environmental Score*: Undefined \n**_CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)_** \n \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nTFIM v6.2, 6.2.1, 6.2.2 \nTFIMBG v6.2, 6.2.1, 6.2.2 \n \n**REMEDIATION: ** \nThe vulnerability is fixed in the following versions of the IBM GSKit libraries. \n \n\u2022 GSKit v7 service stream build 7.0.4.45 \n \nContact your IBM Level 2 support team to obtain the fixed version of the IBM GSKit library. \n \n**_Workaround(s):_** \nNone \n \n**_Mitigation(s):_** \nNone \n \n**REFERENCES: ** \n[\uf0b7 __Complete CVSS Guide__](<http://www.first.org/cvss/v2/guide>) \n[\uf0b7 __On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) \n[\uf0b7 __CVE-2013-0169__](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>) \n[\uf0b7 _https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \n[\uf0b7 _IBM Security Alerts_](<https://www.ibm.com/developerworks/java/jdk/alerts/>) \n \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n \n \n**ACKNOWLEDGEMENT** \nNone \n \n \n \n \n \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._ \n \n\n\n[{\"Product\":{\"code\":\"SSZSXU\",\"label\":\"Tivoli Federated Identity Manager\"},\"Business Unit\":{\"code\":\"BU008\",\"label\":\"Security\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"}],\"Version\":\"6.2;6.2.1;6.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}},{\"Product\":{\"code\":\"SS4J57\",\"label\":\"Tivoli Federated Identity Manager Business Gateway\"},\"Business Unit\":{\"code\":\"BU008\",\"label\":\"Security\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.2;6.2.1;6.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":null,\"label\":null}}]", "cvss3": {}, "published": "2022-09-25T23:13:40", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway can be affected by a vulnerability in the IBM GSKit library (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T23:13:40", "id": "76B052C00B7D3B7660A204A6BD72087C4E84FB5E8C7CEA95BE48BBACC2FC5AD0", "href": "https://www.ibm.com/support/pages/node/489993", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:27:29", "description": "## Abstract\n\nIBM InfoSphere Optim Performance Manager uses the IBM Java Runtime Environment (JRE) and is affected by a vulnerability in the IBM JRE.\n\n## Content\n\n \n**VULNERABILITY DETAILS:** \n \n**CVE ID: **CVE-2013-0169 \n \n**DESCRIPTION: ** \nThe TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n \n**CVSS:** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**AFFECTED PRODUCTS: ** \n \nIBM Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 4.1 through 4.1.1 \n \nIBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows version 5.1 through 5.3 \n \n**REMEDIATION:** \n \n**FIX(ES): ** \n \nYou must replace the IBM JRE that is installed with IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows with the latest IBM JRE. Detailed instructions are provided in the technote _\u201c_[__Updating the IBM JRE for InfoSphere Optim Performance Manager__](<http://www.ibm.com/support/docview.wss?uid=swg21640535>)_\u201d_. \n \n \n**WORKAROUND(S): ** \nNone known. \n \n**MITIGATION(S):** \nNone known. \n \n**REFERENCES:** \n[_Complete CVSS Guide_](<http://www.first.org/cvss/v2/guide>) \n[_On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) \n[_X-Force Vulnerability Database_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \n[_CVE-2013-0169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>) \n \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n**CHANGE HISTORY: ** \n07-30-2013: Original version published \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSBH2R\",\"label\":\"InfoSphere Optim Performance Manager for Db2 for Linux, UNIX, and Windows\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"5.3;5.2;5.1.1.1;5.1.1;5.1;4.1.1;4.1.0.1;4.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSBH2R\",\"label\":\"InfoSphere Optim Performance Manager for Db2 for Linux, UNIX, and Windows\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":null,\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"4.1.0.1;4.1.1\",\"Edition\":\"Enterprise;Workgroup;Content Manager;Extended\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: InfoSphere Optim Performance Manager affected by vulnerability in IBM JAVA JRE (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T21:06:56", "id": "540B5BFC7425C0A1AEC2AE0E39CAFAA87610B3C5A51646F532BF2994455918B4", "href": "https://www.ibm.com/support/pages/node/229181", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:56:45", "description": "## Abstract\n\nDownload an update to the TS3310 Tape Library, which contains a newer version of OpenSSL that fixes certain security vulnerabilities that were present in older versions of OpenSSL.\n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \n**DESCRIPTION: ** \nA security vulnerability was found in OpenSSL version 1.0.1c (along with other earlier versions). For a complete list of OpenSSL Vulnerabilities by version, please refer to: [_http://www.openssl.org/news/vulnerabilities.html_](<http://www.openssl.org/news/vulnerabilities.html>) \n \nThe IBM TS3310 tape library firmware has been updated to contain a newer version of OpenSSL. \n \n \n**CVEID: **CVE-2013-0169 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/81902_](<http://xforce.iss.net/xforce/xfdb/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nAll TS3310 tape libraries with firmware versions lower than 636G. \n \n \n**REMEDIATION: ** \nThe recommended solution involves applying the fix, which is contained in firmware version 636G and above. The fix remediates the vulnerability by updating OpenSSL to version 1.0.1d. \n \n \n**Fix:** \nApply firmware version 636G or later, available from IBM Fix Central [_http://www-933.ibm.com/support/fixcentral/_](<http://www-933.ibm.com/support/fixcentral/>) \n \n \n**Workaround(s):** \nNone \n \n**Mitigation(s):** \nConnect the library directly to a workstation or private network that is trusted (i.e., access to the workstation or network is controlled or limited to persons that would all have administrator privileges or persons that can be trusted not to attempt to hack into the library). \n \n**REFERENCES**\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/v2/guide>)\n * [__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _\n * [__CVE-2013-0169____ __](<https://vulners.com/cve/CVE-2013-0169>)\n * _X-Force Vulnerability Database_ [_http://xforce.iss.net/xforce/xfdb/81902_](<http://xforce.iss.net/xforce/xfdb/81902>)\n * \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n**ACKNOWLEDGEMENT** \nNone \n \n**CHANGE HISTORY** \n17 May 2013: Original Copy Published \n10 June 2013: Updated CVSS Base Score and CVSS Vector \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY_\n\n[{\"Product\":{\"code\":\"STCXRHW\",\"label\":\"TS3310 Tape Library (3576)\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"\",\"label\":\"N\\/A\"}],\"Version\":\"Not Applicable\",\"Edition\":\"N\\/A\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {}, "published": "2022-09-26T04:23:14", "type": "ibm", "title": "Security Bulletin: IBM TS3310 Tape Library update for security vulnerabilities in OpenSSL (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-26T04:23:14", "id": "618A72A7D08892ADCD819AD422F802E0F22DD66F0926AF2D81288E8865A68EFC", "href": "https://www.ibm.com/support/pages/node/689167", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:27:10", "description": "## Abstract\n\nThe IBM WebSphere Partner Gateway is shipped with an IBM Java SDK that is based on the Oracle SDK. The April 2013 Oracle Critical Patch Updates (CPU) contained various security vulnerability fixes for the Oracle JDKs. The IBM Java SDK that WebSphere Partner Gateway ships is similarly affected.\n\n## Content\n\n**VULNERABILITY DETAILS** \n \nCVE-2013-0169 - The TLS protocol does not properly consider timing side-channel attacks, which could allow remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**DESCRIPTION:** \nThis Security Bulletin addresses the security vulnerabilities that have shipped with the IBM SDK and is part of the Oracle April 2013 critical patch updates (CPU). For details on these updates please refer to the Reference section of this bulletin. \n \n**Versions Affected.** \n \nWebSphere Partner Gateway Advanced/Enterprise Edition Versions 6.2 through 6.2.1.2 \n \n \n**REMEDIATION: ** \n \nUpgrade your JAVA SDK and Integrated FTP/SFTP JRE to an interim fix level as determined below. \n \n\n\n**_Fix_**| **_VRMF_**| **_APAR_**| **_How to acquire fix_** \n---|---|---|--- \n_WAS 7.0 IFIX_| _7.0.0.0 through 7.0.0.27 _| PM87521| [_PM87521_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034997>) \n_WAS 6.1 IFIX_| _6.1.0.0 through 6.1.0.45_| PM87524| [_PM87524_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034996>) \n_WPG IFIX_| _6.2.1.2_| JR47328| [JR47328](<http://www.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?fixes=6.2.1.2-WS-WPG-IFJR47328&productid=WebSphere%20Partner%20Gateway%20Advanced%20Edition&brandid=5>) \n \n \n \n**REFERENCES: **\n* [_IBM Security Alerts_](<http://www.ibm.com/developerworks/java/jdk/alerts>)\n* [_Oracle Java SE Critical Patch Update Advisory - April 2013_](<http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html>)\n* [_Java on IBM i_](<https://www.ibm.com/developerworks/mydeveloperworks/wikis/home?lang=en>)\n* [_Complete CVSS Guide _](<http://www.first.org/cvss/v2/guide>)\n* [_On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n* [_CVE-2013-0169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>) [_xforce.iss.net/xforce/xfdb/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>)\n* [_WebSphere Application Server Recommended Fixes Page _](<http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27004980>)\n \n \n**RELATED INFORMATION: ** \nNone \n \n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSDKKW\",\"label\":\"WebSphere Partner Gateway Advanced Edition\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.2.1.2\",\"Edition\":\"Advanced;Enterprise\",\"Line of Business\":{\"code\":\"LOB59\",\"label\":\"Sustainability Software\"}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: Potential security vulnerabilities in WebSphere Partner Gateway Advanced/Enterprise for the Oracle CPU April 2013.", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T21:06:56", "id": "ADCCD07ABE84A7FC8550F577A3823CD6D29F46A50A4065FB573165CDF08E84E1", "href": "https://www.ibm.com/support/pages/node/230323", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-10-01T04:52:18", "description": "## Abstract\n\nDownload an update to the TS2900 Tape Library, which contains a newer version of OpenSSL that fixes certain security vulnerabilities that were present in older versions of OpenSSL.\n\n## Content\n\n**VULNERABILITY DETAILS: ** \n \n**DESCRIPTION: ** \nA security vulnerability was found in OpenSSL version 1.0.1c (along with other earlier versions). For a complete list of OpenSSL Vulnerabilities by version, please refer to: [_http://www.openssl.org/news/vulnerabilities.html_](<http://www.openssl.org/news/vulnerabilities.html>) \n \nThe IBM TS2900 tape library firmware has been updated to contain a newer version of OpenSSL. \n \n \n**CVEID: **CVE-2013-0169 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_http://xforce.iss.net/xforce/xfdb/81902_](<http://xforce.iss.net/xforce/xfdb/81902>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nAll TS2900 tape libraries with firmware versions lower than 0026. \n \n \n**REMEDIATION: ** \nThe recommended solution involves applying the fix, which is contained in firmware version 0026 and above. The fix remediates the vulnerability by updating OpenSSL to version 1.0.1d. \n \n**Fix:** \nApply firmware version 0026 or later, available from IBM Fix Central [_http://www-933.ibm.com/support/fixcentral/_](<http://www-933.ibm.com/support/fixcentral/>) \n \n**Workaround(s):** \nNone \n \n**Mitigation(s):** \nConnect the library directly to a workstation or private network that is trusted (i.e., access to the workstation or network is controlled or limited to persons that would all have administrator privileges or persons that can be trusted not to attempt to hack into the library). \n \n \n**REFERENCES**\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/v2/guide>)\n * [__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _\n * [__CVE-2013-0169____ __](<https://vulners.com/cve/CVE-2013-0169>)\n * _X-Force Vulnerability Database_ [_http://xforce.iss.net/xforce/xfdb/81902_](<http://xforce.iss.net/xforce/xfdb/81902>)\n * \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n \n**ACKNOWLEDGEMENT** \nNone \n \n**CHANGE HISTORY** \n07 June 2013: Original Copy Published \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"STCAPQJ\",\"label\":\"TS2900 Tape Autoloader\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Not Applicable\",\"Edition\":\"N\\/A\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {}, "published": "2023-03-26T01:04:50", "type": "ibm", "title": "Security Bulletin: IBM TS2900 Tape Library update for security vulnerabilities in OpenSSL (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2023-03-26T01:04:50", "id": "43B76C333A7576029A83B6169787B1ACB6CA6F7F5FB81FE4498044B211FB42E4", "href": "https://www.ibm.com/support/pages/node/689189", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:54:33", "description": "## Summary\n\nA Number of security vulnerabilities exist in the IBM Cognos Business Intelligence product.\n\n## Vulnerability Details\n\n**VULNERABILITY DETAILS: ** \n \n**CVEID:** [CVE-2013-3030](<https://vulners.com/cve/CVE-2013-3030>) Denial of service attack against servlet gateway \n \n**DESCRIPTION:** \nA malicious user may be send specially crafted HTTP requests to the IBM Cognos Business Intelligence servlet gateway and stop it from accepting further requests for a period of time, effectively causing a denial of service to users of the system. \n \nCVSS Base Score: 5.0 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/84592> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**AFFECTED PRODUCTS AND VERSIONS:** \nIBM Cognos Business Intelligence 10.2.1 and earlier \n \n**REMEDIATION:** \nApply the fix appropriate for your platform and version (see below) \n \n**_Workaround(s) & Mitigation(s):_** \nThis only affects installations that use the Servlet gateway. \n \n \n**CVEID:**[ CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>) Apache Xerces-J XML parser Denial of Service attack \n\n \n**DESCRIPTION:** \nA malicious user that is able to send a specially crafted XML document via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system. \n \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/85260> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n \n**AFFECTED PRODUCTS AND VERSIONS:** \nIBM Cognos Business Intelligence 10.2.1 and earlier \n \n**REMEDIATION:** \nApply the fix appropriate for your platform and version (see below) \n \n**_Workaround(s) & Mitigation(s): _** \nnone \n \n \n**CVEID:** [CVE-2013-5372](<https://vulners.com/cve/CVE-2013-5372>) Apache Xerces-J XML parser Denial of Service attack \n\n \n**DESCRIPTION:** \nA malicious user that is able to send a specially crafted XML document via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/86662> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n \n**AFFECTED PRODUCTS AND VERSIONS:** \nIBM Cognos Business Intelligence 10.2.1 and earlier \n \n**REMEDIATION:** \nApply the fix appropriate for your platform and version (see below) \n \n**_Workaround(s) & Mitigation(s):_** \nnone \n \n \n**CVEID:** [CVE-2013-2407](<https://vulners.com/cve/CVE-2013-2407>) Unspecified vulnerability in the Java Runtime Environment (JRE) component \n\n \n**DESCRIPTION:** \nA malicious user that is able to send a XML document with specially crafted Signature data via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system. \n \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/85044> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n \n**AFFECTED PRODUCTS AND VERSIONS:** \nIBM Cognos Business Intelligence 10.2.1 and earlier \n \n**REMEDIATION:** \nApply the fix appropriate for your platform and version (see below) \n \n**_Workaround(s) & Mitigation(s):_** \nThis vulnerability is related to the version of Java shipped with IBM Cognos BI Server on Windows. Java is not included on other platforms. User of other platforms, or Windows users that use a version of Java other than the included version, should contact their Java provider for the equivalent fix. \n \n \n**CVEID:** [CVE-2013-2450](<https://vulners.com/cve/CVE-2013-2450>) Unspecified vulnerability in the Java Runtime Environment (JRE) component \n\n \n**DESCRIPTION:** \nA malicious user that is able to send specially crafted data via an HTTP request to the IBM Cognos Business Intelligence server may be able to cause excessive CPU usage, effectively causing a partial denial of service to the system. \n \nCVSS Base Score: 5 \nCVSS Temporal Score: See CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/85057> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**AFFECTED PRODUCTS AND VERSIONS:** \nIBM Cognos Business Intelligence 10.2.1 and earlier \n \n**REMEDIATION:** \nApply the fix appropriate for your platform and version (see below) \n \n**_Workaround(s) & Mitigation(s):_** \nThis vulnerability is related to the version of Java shipped with IBM Cognos BI Server on Windows. Java is not included on other platforms. User of other platforms, or Windows users that use a version of Java other than the included version, should contact their Java provider for the equivalent fix. \n \n \n**CVEID:** [CVE-2013-4034](<https://vulners.com/cve/CVE-2013-4034>) External XML Entity Attack \n\n \n**DESCRIPTION:** \nA malicious user that is able to send specially crafted XML data to the IBM Cognos Business Intelligence server may be able to gain unauthorized access to files from the server. \n \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/86137> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N) \n \n**AFFECTED PRODUCTS AND VERSIONS:** \nIBM Cognos Business Intelligence 10.2.1 and earlier \n \n**REMEDIATION:** \nApply the fix appropriate for your platform and version (see below) \n \n**_Workaround(s) & Mitigation(s):_** \nnone \n \n \n**DOWNLOADS:** \n \n[Cognos 8 Business Intelligence 8.4.1 Interim Fix 3 for Security Exposure](<http://www.ibm.com/support/docview.wss?uid=swg24036377>) \n \n[Cognos Business Intelligence 10.2 and 10.2.1 Interim Fixes for Security Exposure](<http://www.ibm.com/support/docview.wss?uid=swg24036375>) \n \n[Cognos Business Intelligence 10.1 Interim Fixes for Security Exposure](<http://www.ibm.com/support/docview.wss?uid=swg24035869>) \n\n\n## ", "cvss3": {}, "published": "2018-06-15T23:04:50", "type": "ibm", "title": "Security Bulletin: IBM Cognos Business Intelligence (CVE-2013-3030, CVE-2013-4002, CVE-2013-2407, CVE-2013-2450, CVE-2013-4034, CVE-2013-5372)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2407", "CVE-2013-2450", "CVE-2013-3030", "CVE-2013-4002", "CVE-2013-4034", "CVE-2013-5372"], "modified": "2018-06-15T23:04:50", "id": "109B2E937B3A410E66933C6F6054D7A86640DE62C0F3587F9E376863C105A750", "href": "https://www.ibm.com/support/pages/node/498827", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-20T21:35:20", "description": "## Summary\n\nThe IBM GSKit component used in Rational ClearCase is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as \"Lucky Thirteen.\" The vulnerability might allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets.\n\n## Vulnerability Details\n\n| **Subscribe to My Notifications to be notified of important product support alerts like this.**\n\n * Follow [this link](<https://www.ibm.com/systems/support/myview/subscription/css.wss/subscriptions?methodName=startSearchToSubscribe&uctug_rational_dcfsbblurb_2013-11-05_myn_adoption_promo>) for more information (requires login with your IBM ID) \n---|--- \n \n**CVE ID:** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>) \n \n**Description: **The IBM GSKit component used in Rational ClearCase is susceptible to a Transport Layer Security protocol (used in HTTPS) vulnerability known as \"Lucky Thirteen.\" The vulnerability might allow remote attackers to conduct distinguishing and plain-text recovery attacks by statistically analyzing timing data for crafted packets. \n \nThe IBM GSKit is used if ClearCase on Windows platforms is configured to integrate with IBM Rational ClearQuest with communication over SSL (https). This applies to Base CC/CQ integrations using Change Management Interface (CMI) and to UCM-enabled CQ integration via OSLC. If your ClearCase deployment is not using these integrations with ClearQuest, or not using SSL with the integrations, then your deployment is not sensitive to this attack. The UCM-enabled CQ integration without using OSLC (SQUID) is not sensitive to this attack. \n \nIf your deployment does not use ClearCase on Windows, it is not sensitive to this attack. \n \n**CVSS Base Score:** 4.3 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n\n## Affected Products and Versions\n\nRational ClearCase 7.1 through 7.1.2.11, 8.0 through 8.0.0.7, and 8.0.1\n\n## Remediation/Fixes\n\nUpgrade to one of the below versions of IBM Rational ClearCase \n\n * [Rational ClearCase Fix Pack 1 (8.0.1.1) for 8.0.1](<http://www.ibm.com/support/docview.wss?uid=swg24035657>)\n * [Rational ClearCase Fix Pack 8 (8.0.0.8) for 8.0](<http://www.ibm.com/support/docview.wss?uid=swg24035655>)\n * 7.1.2.12: Upgrade to 8.0.0.8 or 8.0.1.1 [](<http://www.ibm.com/support/docview.wss?&uid=swg24035652>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Rational ClearCase (GSKit component) with potential for TLS Attack (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2018-07-10T08:34:12", "id": "0CA57BDC2A5B29D7A05B000C9F4660CECD108471C93FE144B5B5B7B541E5DB80", "href": "https://www.ibm.com/support/pages/node/232881", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:27:37", "description": "## Abstract\n\nPotential security vulnerabilities exist in the IBM Java SDK that is shipped with the IBM FileNet Business Process Manager.\n\n## Content\n\nThe products that are listed below can be affected by security vulnerabilities as reported by Oracle April 2013 Critical Patch updates: \n \n\u00b7 IBM FileNet Business Process Manager 4.5.1, 5.0.0/5.1.0 \n \n**Vulnerability details: ** \n \nThe following security vulnerabilities exist in the IBM Java SDK shipped with IBM Business Process Manager 4.5.1, 5.0.0/5.1.0 \n \n**CVSS:** \nCVEID: CVE-2013-0169 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**Affected products and versions: ** \nProduct: IBM Business Process Manager 4.5.1, 5.0.0/5.1.0 \u2013 including all fix packs \n \n**Remediation: ** \n \n_Apply the following fixes:_\n\n**_Fix*_**| **_Component-VRMF_**| **_How to acquire fix_** \n---|---|--- \n_4.5.1 interim fix_| _4.5.1.4-P8PE_ \n_4.5.1.2-P8PS_ \n_4.5.1.3-P8PA_| [_4.5.1.4-P8PE-IF002_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Process+Engine&release=4.5.1.4&platform=All&function=all>) \n[_4.5.1.2-P8PS-IF002_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Process+Simulator&release=4.5.1.2&platform=All&function=all>) \n[_4.5.1.3-P8PA-IF002_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Process+Analyzer&release=4.5.1.3&platform=All&function=all>) \n_5.0.0/5.1.0 GA fix pack_| _5.0.0.5-P8PE_ \n_5.0.0.2-P8PS_ \n_5.0.0.4-P8CA_| [_5.0.0.5-P8PE-FP005_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Process+Engine&release=5.0.0.0&platform=All&function=all>) \n[_5.0.0.2-P8PS-FP002_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Process+Simulator&release=5.0.0.0&platform=All&function=all>) \n[_5.0.0.4-P8CA-FP004_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/Case+Analyzer&release=5.0.0.3&platform=All&function=all>) \n \nNote: BPM 5.0 and BPM 5.1 are patched by the same 5.0.0.x patch streams. \n \n**_Workaround(s):_** \n**None** \n \n**_Mitigation(s):_** \n**None** \n \n**References: ** \n[__Complete CVSS Guide__](<http://www.first.org/cvss/v2/guide>)_ _ \n[__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) \n[_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \n \n \n**Related information: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n\n\n_*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSNW2F\",\"label\":\"FileNet P8 Platform\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Process Engine\",\"Platform\":[{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"5.1;5.0;4.5.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: IBM FileNet Business Process Manager \u2013 Oracle Critical Patch Updates April 2013 (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T21:06:56", "id": "C43295EDCDB671C41F9E96483F5E89378A947A89F40869B467F309DBF973E6B7", "href": "https://www.ibm.com/support/pages/node/231021", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-09-29T18:26:30", "description": "## Abstract\n\nThe IBM JRE that is embedded in the InfoSphere Data Replication Dashboard has a security vulnerability that affects SSL connections to the dashboard web server.\n\n## Content\n\n**VULNERABILITY**** DETAILS:** \n \n**CVE ID: CVE-2013-0169** \n \n**DESCRIPTION: **The TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks by using statistical analysis of timing data for crafted packets, also known as the \"Lucky Thirteen\" issue. \n \n**CVSS:** \nCVSS Base Score: 4.3 \n_CVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/81902__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>)_ for the current score CVSS Environmental Score*: Undefined_ \n_CVSS Vector: ___(AV:N/AC:H/Au:N/C:P/I:N/A:N)__ \n \n**AFFECTED PRODUCTS:** \nVersions 10.2, 10.1 and 9.7 of InfoSphere Data Replication Dashboard are affected. \n \n**REMEDIATION:** \nThe recommended solution is to upgrade the product to the latest version. \n \n**FIX:** \nThe vulnerability fixes require upgrading the product to version 10.2.1.0-b343 or higher. Download the latest version of InfoSphere Data Replication Dashboard from [_http://www-01.ibm.com/support/docview.wss?uid=swg24023065_](<http://www-01.ibm.com/support/docview.wss?uid=swg24023065>) \n \n**WORKAROUND:** \nNone known. \n \n**MITIGATION:** \nNone known. \n \n**REFERENCES:** \n[_On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) \n[_X-Force Vulnerability Database_](<http://xforce.iss.net/>) \n[_CVE-2013-0169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>) \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal_](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>)** ** \n \n**CHANGE HISTORY**: \n25-Oct-2013: Original version published \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSDP5R\",\"label\":\"InfoSphere Replication Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Monitoring\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"10.1;10.2;9.7\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-09-25T22:39:39", "type": "ibm", "title": "Security Bulletin: InfoSphere Data Replication Dashboard is affected by a vulnerability in the IBM JRE (CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2022-09-25T22:39:39", "id": "C4FDDC1384D8FD0DDE8B004DBBC87A757834460AE92B55B9C87335F27F45968F", "href": "https://www.ibm.com/support/pages/node/500021", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:56:45", "description": "## Abstract\n\nSecurity Bulletin: Multiple IBM Java SDK security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4002 and CVE-2013-2407)\n\n## Content\n\n**SUMMARY: ** \n \nIBM Information Server is impacted by security vulnerabilities in the IBM Java Runtime Environment (JRE) that affect availability and confidentiality. \n \n**VULNERABILITY DETAILS: ** \n \n**CVE ID: **[**_CVE-2013-4002_**](<https://vulners.com/cve/CVE-2013-4002>)** ** \n \n**DESCRIPTION:** \nA denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact. \n \n**CVSS:** \nCVSS Base Score: 7.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/85260_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85260>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n \n**CVE ID: **[**_CVE-2013-2407_**](<https://vulners.com/cve/CVE-2013-2407>)** ** \n \n**DESCRIPTION:** \nAn unspecified vulnerability in IBM Java related to the Java Runtime Environment Libraries component has partial confidentiality impact, no integrity impact, and partial availability impact. \n \n**CVSS:** \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/85044_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85044>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n \n \n**AFFECTED PRODUCTS: ** \nIBM InfoSphere Information Server Versions 8.0, 8.1, 8.5, 8.7, and 9.1 running on all platforms \n\n**REMEDIATION: **\n\n**_Fix(es):_** \nVersions 8.0, 8.1 \n\\--Contact IBM customer support.\n\n \n \nVersion 8.5: \n\\--Apply IBM InfoSphere Information Server version [_8.5 Fix Pack 3_](<http://www-01.ibm.com/support/docview.wss?uid=swg24033513>) \n\\--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8503_JR47880_security_all*>) \n \nVersion 8.7: \n\\--Apply IBM InfoSphere Information Server version [_8.7 Fix Pack 2_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034359>) \n\\--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is8702_JR47880_security_all*>) \n \nVersion 9.1: \n\\--Apply IBM InfoSphere Information Server version [_9.1.2.0_](<http://www-01.ibm.com/support/docview.wss?uid=swg24035470>) \n\\--Apply the IBM InfoSphere Information Server Information Services Framework (ISF) [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR47880_security_all*>) \n \n \n**_Workaround(s) & MITIGATION(s):_** None known, apply fixes \n \n \n**REFERENCES: ** \n[\uf0b7 _Complete CVSS v2 Guide_](<http://www.first.org/cvss/v2/guide>) \n[\uf0b7 _On-line Calculator V2_](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>) \n \n \n**RELATED INFORMATION: ** \n\u00b7 [_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n \n**ACKNOWLEDGEMENT: **None \n \n \n**CHANGE HISTORY: ** \n06-DEC-2013 Original copy published \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSZJPZ\",\"label\":\"IBM InfoSphere Information Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"9.1;8.7;8.5;8.1;8.0.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-09-25T23:09:27", "type": "ibm", "title": "Security Bulletin: Multiple IBM Java SDK security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4002 and CVE-2013-2407)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2407", "CVE-2013-4002"], "modified": "2022-09-25T23:09:27", "id": "CB8C3B738F38745C5B57C0DA3F05DADCF513EF6086091B71D291C2300F0DCD7D", "href": "https://www.ibm.com/support/pages/node/505571", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-23T21:53:00", "description": "## Summary\n\nIBM Systems Director contains a version of IBM Java SDK that contained vulnerabilities CVE-2013-0169, CVE-2013-4002.\n\n## Vulnerability Details\n\n## Abstract\n\nIBM Systems Director contains a version of IBM Java SDK that contained vulnerabilities CVE-2013-0169, CVE-2013-4002.\n\n## Content\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>)\n\n**Description:** Allows Remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.\n\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/81902> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVE-ID:** [CVE-2013-4002](<https://vulners.com/cve/CVE-2013-4002>)\n\n**Description:** The XML Parser that is shipped with the IBM Java SDK is vulnerable to a denial of service attack.\n\nCVSS Base Score: 7.1 \nCVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85260> for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)\n\n## Affected products and versions\n\nFrom the IBM System Director command line enter **smcli lsver** to determine the level of IBM System Director installed.\n\nIBM Systems Director: 5.2.x, 6.1.x.x, 6.2.x.x, 6.3.x.x\n\n## Remediation:\n\nUpgrade to IBM systems Director 6.3.5, or open a PMR with support to request an APAR. Emergency fix may be provided where technically feasible.\n\nTo upgrade, visit [ Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Director&product=ibm/Director/SystemsDirector&release=6.3&platform=All&function=all>) and select SysDir6_3_5_<Platform> update package for IBM Systems Director.\n\n## Workaround(s) & Mitigation(s):\n\nNone\n\n## References:\n\n * [Complete CVSS Guide](<http://www.first.org/cvss/cvss-guide.html>)\n * [On-line Calculator V2](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>)\n\n**Acknowledgement**\n\nNone\n\n**Change History** \n13 November 2014: Original Copy Published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.\n\nNote: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {}, "published": "2019-01-31T01:30:01", "type": "ibm", "title": "Security Bulletin: IBM Systems Director (ISD) is affected by vulnerabilities in the IBM Java SDK (CVE-2013-0169, CVE-2013-4002)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.1, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-4002"], "modified": "2019-01-31T01:30:01", "id": "635552E99951D8D5AEBD584BBE0C8D1EBBAE770AEE83BA96CDC88B692C2A1891", "href": "https://www.ibm.com/support/pages/node/865554", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-23T21:52:57", "description": "## Summary\n\nIBM Systems Director is shipped as a component of IBM Systems Director Editions. Information about a security vulnerability affecting IBM Systems Director has been published in a security bulletin.\n\n## Vulnerability Details\n\n## Abstract\n\nIBM Systems Director is shipped as a component of IBM Systems Director Editions. Information about a security vulnerability affecting IBM Systems Director has been published in a security bulletin.\n\n## Content\n\n**Vulnerability Details:**\n\nPlease consult the [ security bulletin](<http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096564>) for vulnerability details.\n\n## Affected products and versions\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version \n---|--- \nIBM Systems Director Editions 6.2.0.0 | IBM Systems Director 6.2.0.0 \nIBM Systems Director Editions 6.2.1.0 | IBM Systems Director 6.2.1.0 \nIBM Systems Director Editions 6.3.0.0 | IBM Systems Director 6.3.0.0 \nIBM Systems Director Editions 6.3.2.0 | IBM Systems Director 6.3.2.0 \n \n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/PSIRT>)\n\n**Change History** \n11 November 2014: Original Copy Published\n\n## ", "cvss3": {}, "published": "2019-01-31T01:30:01", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in IBM Systems Director shipped with IBM Systems Director Editions (CVE-2013-0169, CVE-2013-4002)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-4002"], "modified": "2019-01-31T01:30:01", "id": "8FB0EF2BC912FEF8086EDA6A85F6EADBA8F6FD58431B3D97965CB05312955112", "href": "https://www.ibm.com/support/pages/node/865556", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-29T18:27:35", "description": "## Abstract\n\nMultiple security vulnerabilities exist in the IBM Java SDK/JREs that are shipped with IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor product.\n\n## Content\n\n \n**VULNERABILITY DETAILS: ** \n \n \n**DESCRIPTION: ** \nThe IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor product ships with IBM Java SDK/JREs The IBM Java SDK/JREs are based on the Oracle version of the SDK/JRE. In February 2013, Oracle has released critical patch updates (CPU) that contain security vulnerability fixes. These issues are present in the IBM JDK/JREs that are shipped with the System Monitor product. \n \n**CVEID: **CVE-2013-0440 \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81799_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81799>) \nfor the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID: **CVE-2013-0169 \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**AFFECTED PRODUCTS AND VERSIONS: ** \nThe following versions of the System Monitor product are potentially affected: \n \nIBM FileNet System Monitor v4.5.0 \nIBM Enterprise Content Management System Monitor v5.1.0 \n \n \n**REMEDIATION: ** \n \n**For IBM FileNet System Monitor v4.5.0:** \n \nUpgrade to the platform specific version of the IBM SDK/JRE that is available in IBM FileNet System Monitor v4.5.0 Fix Pack 3. \n \n**For IBM Enterprise Content Management System Monitor v5.1.0:** \n \nUpgrade to the platform specific version of the IBM SDK/JRE that is available in IBM Enterprise Content Management System Monitor v5.1.0 Fix Pack 1. \n \n \nIf you need further assistance, please contact IBM Support. \n \n \n**REFERENCES: ** \n[](<https://www-304.ibm.com/support/docview.wss?uid=swg21496117&wv=1>)[\u00b7 __Complete CVSS Guide__](<http://www.first.org/cvss/v2/guide>) \n[\u00b7 __On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _ \n[\u00b7 __CVE-2013-0440____ __](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE--2013-0440>) \n[\u00b7 __CVE-2013-0169__](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE--2013-0169>) \n\u00b7 _X-Force Vulnerability Database _[_https://exchange.xforce.ibmcloud.com/vulnerabilities/81799_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81799>) \n\u00b7 _X-Force Vulnerability Database _[_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \n[\u00b7 _Security Bulletin: WAS - Oracle CPU Feb 2013_](<http://www.ibm.com/support/docview.wss?uid=swg21627634>) \n[\u00b7 _Updated Release of Oracle Java SE CPU Advisory Feb 2013_](<http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>) \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n**CHANGE HISTORY** \n12 July, 2013: Original Copy Published \n \n \n\n\n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSEM9N\",\"label\":\"Enterprise Content Management System Monitor\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"FileNet System Monitor\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"5.1;4.5.0\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {}, "published": "2022-09-25T21:06:56", "type": "ibm", "title": "Security Bulletin: IBM FileNet System Monitor/IBM Enterprise Content Management System Monitor is potentially affected by vulnerabilities in IBM Java SDK/JRE", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-0440"], "modified": "2022-09-25T21:06:56", "id": "7BA745D5E73DB0357EF4DBFC0D8A2DB4DA2A4CEC7B1D7138B96712A2B403839C", "href": "https://www.ibm.com/support/pages/node/226907", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T05:41:22", "description": "## Summary\n\nTransport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects TPF Toolkit. \n\n## Vulnerability Details\n\n**CVE-ID**: [_CVE-2014-8730_](<https://vulners.com/cve/CVE-2014-8730>) \n \n**DESCRIPTION**: Product could allow a remote attacker to obtain sensitive information, caused by the failure to check the contents of the padding bytes when using CBC cipher suites of some TLS implementations. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack to decrypt sensitive information and calculate the plaintext of secure connections. \n \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/99216_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/99216>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n## Affected Products and Versions\n\nTPF Toolkit 3.6.x, 4.0.x, and 4.2.x\n\n## Remediation/Fixes\n\nAll current versions of TPF Toolkit ship JREs that are not impacted by this vulnerability. However, TPF Toolkit provides a Remote System Explorer (RSE) daemon that runs on Linux for System z. This daemon relies on the Java that is installed on that system. Ensure that the Java level currently installed on your Linux for System z system is up to date. The minimum level of Java that is required includes the fix for [vulnerability CVE-2013-0169](<http://www.ibm.com/support/docview.wss?uid=swg1IV37656>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: TLS padding vulnerability affects TPF Toolkit (CVE-2014-8730)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2014-8730"], "modified": "2018-08-03T04:23:43", "id": "69F32F166EB30A983D321FEF01D6359F9C720CB30502BC0DC1A0C7C9E4BECE5F", "href": "https://www.ibm.com/support/pages/node/522689", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:47:28", "description": "## Summary\n\nOpenSSL Security Advisory updates Feb 2013: GSKit Lucky 13 TLS CBC Timing Attack - CVE-2013-0169. \nA vulnerability in relation to Session ID Lengths and SSL/TLS Server has been discovered that impacts GSKit - CVE-2012-2190. \nOpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key - CVE-2013-0166 \n\n## Vulnerability Details\n\nGSKit advisories: **(CVE-2013-0169), (CVE-2012-2190) and (CVE-2013-0166)** \n \n \n**_VULNERABILITY DETAILS: _** \n** \nCVEID: **[**_CVE-2012-2190_**](<https://vulners.com/cve/CVE-2012-2190>)** \n**CVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75994> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**DESCRIPTION: **IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.4, and 8.5.x before 8.5.0.1, allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol. \n \n \n**CVE ID: **[**_CVE-2013-0166_**](<https://vulners.com/cve/CVE-2013-0166>) \nCVSS:Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81904> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**Description: **OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. \n \nCVEID: [**_CVE-2013-0169_**](<https://vulners.com/cve/CVE-2013-0169>) \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n**Description:** The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue. \n\n\n## Affected Products and Versions\n\nTivoli Network Manager 3.8 and 3.9** \n**\n\n## Remediation/Fixes\n\nTivoli Network Manager 3.8 FP7 released in 3Q2013 and 3.9 FP4 released in April 2014 contains fixes for following GSKit advisories: \nCVE-2012-2190 CVE-2013-0169 and CVE-2013-0166. \n**REMEDIATION: **Users can go to the following location and download the Fix packs available from Tivoli Network Manager to remediate the issue. \n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \n_ITNM_| _3.8.0.7_| _IV47446_| **_<http://www-01.ibm.com/support/docview.wss?uid=swg24030251>_** \n_ITNM_| _3.9.0.4 _| _IV55034_| **_<http://www-01.ibm.com/support/docview.wss?uid=swg24034724>_** \n \n## ", "cvss3": {}, "published": "2018-06-17T14:37:51", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Network Manager - GSKit Security Vulnerabilities (CVE-2013-0169), (CVE-2012-2190) and (CVE-2013-0166)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2190", "CVE-2013-0166", "CVE-2013-0169"], "modified": "2018-06-17T14:37:51", "id": "3B57923CAB505EF521BBA172A4E2D8A03F9751E11D84F9D7571E2F66E3F439C9", "href": "https://www.ibm.com/support/pages/node/243401", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-09-29T18:26:05", "description": "## Abstract\n\nPotential security vulnerabilities exist in the IBM Java SDK that is shipped with the IBM OmniFind Enterprise Edition and IBM Content Analytics and products.\n\n## Content\n\nThe products listed below may be affected by security vulnerabilities reported by Oracle\u2019s February 2013 Critical Patch Updates: \n\n\n* IBM OmniFind Enterprise Edition \n* IBM Content Analytics\n* IBM Content Analytics with Enterprise Search\n* \n \n**VULNERABILITY DETAILS: ** \n \nCVE-2013-0440 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect availability via vectors related to JSSE. \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81799>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81799>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \nCVE-2013-0443 - Unspecified vulnerability in Java Runtime Environment allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. \nCVSS Base Score: 4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81801>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81801>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N) \n \nCVE-2013-0169 - The TLS protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, also known as the \"Lucky Thirteen\" issue. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>) \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n**AFFECTED PRODUCTS AND VERSIONS: **\n* Product: IBM OmniFind Enterprise Edition, Version(s): V9.1 through V9.1.0.4 \n* Product: IBM Content Analytics, Version(s): V2.2 through V2.2.0.3\n* Product: IBM Content Analytics with Enterprise Search, Version(s): V3.0 through V3.0.0.2\n \n \n**REMEDIATION: ** \n \nApply the Following Fixes: **_Fix*_**| **_VRMF_**| **_How to acquire fix_** \n---|---|--- \n_Interim Fix_| _V9.1.0.4_| [__www.ibm.com/support/fixcentral__](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise+Content+Management&product=ibm/Information+Management/IBM+OmniFind+Enterprise+Edition&release=9.1.0.4&platform=All&function=fixId&fixids=9.1.0.4-IS-OEE-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n_Interim Fix_| _V2.2.0.3_| [__www.ibm.com/support/fixcentral__](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise+Content+Management&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=2.2.0.3&platform=All&function=fixId&fixids=2.2.0.3-IS-ICA-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n_Fix Pack_| _V3.0.0.3_| [__www.ibm.com/support/docview.wss?uid=swg24035445__](<http://www.ibm.com/support/docview.wss?uid=swg24035445>) \n \n \n**_Workaround(s):_** \nRecommend customers apply the fixes listed above. \n \n**_Mitigation(s):_** \n**None.** \n \n**REFERENCES: **\n* [](<https://www-304.ibm.com/support/docview.wss?uid=swg21496117&wv=1>)[__Complete CVSS Guide__](<http://www.first.org/cvss/v2/guide>)\n* [__On-line Calculator V2__](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)_ _\n* [_CVE-2013-0440_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0440>)\n* [_CVE-2013-0443_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0443>)\n* [_CVE-2013-0169_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>)\n* _X-Force Vulnerability Database_\n* [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81799_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81799>)\n* [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81801_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81801>)\n* [_https://exchange.xforce.ibmcloud.com/vulnerabilities/81902_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>)\n \n \n \n**RELATED INFORMATION: ** \n[_IBM Secure Engineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n\n\n_*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _\n\n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SS5RWK\",\"label\":\"Content Analytics with Enterprise Search\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"3.0;2.2\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}},{\"Product\":{\"code\":\"SS5SQ7\",\"label\":\"OmniFind Enterprise Edition\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"\",\"label\":\"Linux on System z\"}],\"Version\":\"9.1\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {}, "published": "2022-09-25T23:13:40", "type": "ibm", "title": "Security Bulletin: IBM OmniFind Enterprise Edition and IBM Content Analytics \u2013 Oracle Critical Patch Updates February 2013 (CVE-2013-0440, CVE-2013-0443, CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-0440", "CVE-2013-0443"], "modified": "2022-09-25T23:13:40", "id": "5791D1CE1402BA2CCCB885DE108E94B6A0D7E17C594791D10D2118C7AD239041", "href": "https://www.ibm.com/support/pages/node/496295", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2022-09-29T18:26:11", "description": "## Abstract\n\nThe IBM Smart Analytics System 1050 for Linux, IBM Smart Analytics System 2050 for Linux, IBM InfoSphere Balanced Warehouse C Class for Linux, IBM InfoSphere Balanced Warehouse D5100, and IBM Smart Analytics System 5600 systems are shipped with SUSE Linux Enterprise Server Edition operating system software. A number of security vulnerabilities have been identified in the OpenSSL libraries that are part of the operating system software. Two of the vulnerabilities affect standard functionality of these systems. See the references section for links to the description of each individual vulnerability. \n\n\n## Content\n\n**VULNERABILITY DETAILS** \n \n \n**CVE ID: CVE-2013-0166 ** \nCVSS Base Score: 5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81904> [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score \nCVSS Environmental Score*: Unknown \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVE ID: CVE-2013-0169 ** \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902> [](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78764>)for the current score \nCVSS Environmental Score*: Unknown \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) \n \n \n**AFFECTED PRODUCTS AND VERSIONS**: \n \nIBM InfoSphere Balanced Warehouse C3000 for Linux \nIBM InfoSphere Balanced Warehouse C4000 for Linux \nIBM InfoSphere Balanced Warehouse D5100 \nIBM Smart Analytics System 1050 for Linux \nIBM Smart Analytics System 2050 for Linux \nIBM Smart Analytics System 5600 V1 \nIBM Smart Analytics System 5600 V2 \n \n**REMEDIATION:** \n \n**FIXES:** \n \nFind your product in the table below and use the link in the **Download Link** column to find the patch provided by Novell. Access to the patches on the Novell site is restricted and requires a valid Novell license and ID. \n \n \n\n\n**Product**| **Operating System**| **Version**| **Download Link** \n---|---|---|--- \nIBM InfoSphere Balanced Warehouse C3000 for Linux \nIBM InfoSphere Balanced Warehouse C4000 for Linux \nIBM InfoSphere Balanced Warehouse D5100 \nIBM Smart Analytics System 5600 V1| SUSE Linux Enterprise Server 10 SP4| openssl-0.9.8a-18.76.1 \nopenssl-32bit-0.9.8a-18.76.1 \nopenssl-devel-0.9.8a-18.76.1 \nopenssl-devel-32bit-0.9.8a-18.76.1 \nopenssl-doc-0.9.8a-18.76.1| Download [Novell patch 8517](<http://download.novell.com/Download?buildid=xq-d7K2sJHA~>) and install using the [update instructions](<http://www.ibm.com/support/docview.wss?uid=swg21634929>). \nIBM Smart Analytics System 1050 for Linux \nIBM Smart Analytics System 2050 for Linux| SUSE Linux Enterprise Server 11 SP1 or SP2| libopenssl0_9_8-0.9.8j-0.50.1 \nlibopenssl0_9_8-32bit-0.9.8j-0.50.1 \nlibopenssl0_9_8-hmac-0.9.8j-0.50.1 \nlibopenssl0_9_8-hmac-32bit-0.9.8j-0.50.1 \nopenssl-0.9.8j-0.50.1 \nopenssl-doc-0.9.8j-0.50.1| If you are running SLES 11 SP1, update to SLES 11 SP2, and then download [Novell patch 7548](<http://download.novell.com/Download?buildid=v-lZbTlM4PE~>) and install using the [update instructions](<http://www.ibm.com/support/docview.wss?uid=swg21634929>). \n \nIf you are running SLES 11 SP2, download [Novell patch 7548](<http://download.novell.com/Download?buildid=v-lZbTlM4PE~>) and install using the [update instructions](<http://www.ibm.com/support/docview.wss?uid=swg21634929>). \nIBM Smart Analytics System 5600 V2| SUSE Linux Enterprise Server 10 SP4| openssl-0.9.8a-18.76.1 \nopenssl-32bit-0.9.8a-18.76.1 \nopenssl-devel-0.9.8a-18.76.1 \nopenssl-devel-32bit-0.9.8a-18.76.1 \nopenssl-doc-0.9.8a-18.76.1| Download [Novell patch 8517](<http://download.novell.com/Download?buildid=xq-d7K2sJHA~>) and install using the [update instructions](<http://www.ibm.com/support/docview.wss?uid=swg21634929>) \nSUSE Linux Enterprise Server 11 SP2| libopenssl0_9_8-0.9.8j-0.50.1 \nlibopenssl0_9_8-32bit-0.9.8j-0.50.1 \nlibopenssl0_9_8-hmac-0.9.8j-0.50.1 \nlibopenssl0_9_8-hmac-32bit-0.9.8j-0.50.1 \nopenssl-0.9.8j-0.50.1 \nopenssl-doc-0.9.8j-0.50.1| Download [Novell patch 7548](<http://download.novell.com/Download?buildid=v-lZbTlM4PE~>) and install using the [update instructions](<http://www.ibm.com/support/docview.wss?uid=swg21634929>). \n \n \n**WORKAROUND(S): ** \n \nNone. \n \n**MITIGATION(S):** \n \nNone. \n\n \n**REFERENCES:**\n* [Complete CVSS Guide](<http://www.first.org/cvss/v2/guide>)\n* [On-line Calculator V2 ](<http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2>)\n* [CVE-2013-0166](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166>)\n* X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/81904>\n* <http://support.novell.com/security/cve/CVE-2013-0166.html>\n* [CVE-2013-0169](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>)[](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2131>)\n* X-Force Database: <https://exchange.xforce.ibmcloud.com/vulnerabilities/81902>\n* <http://support.novell.com/security/cve/CVE-2013-0169.html>\n \n \n \n**RELATED INFORMATION:** \n[_IBM Secure En__gineering Web Portal _](<https://www-304.ibm.com/jct03001c/security/secure-engineering/>) \n[_IBM Product Security Incident Response Blog_](<https://www.ibm.com/blogs/PSIRT>) \n \n \n**ACKNOWLEDGEMENT:** \nNone. \n \n \n**CHANGE HISTORY: ** \n25-July-2013: \n\\- Original version published. \n \n26-July-2013: \n\\- Corrected typographical error on the patch number for SLES 11. \n \n \n_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _ \n \n**_Note: _**_According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._\n\n[{\"Product\":{\"code\":\"SSKT3D\",\"label\":\"IBM Smart Analytics System\"},\"Business Unit\":{\"code\":\"BU050\",\"label\":\"BU NOT IDENTIFIED\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"9.5;9.7;10.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSKT3D\",\"label\":\"IBM Smart Analytics System\"},\"Business Unit\":{\"code\":\"BU050\",\"label\":\"BU NOT IDENTIFIED\"},\"Component\":\"IBM Smart Analytics System 1050\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSKT3D\",\"label\":\"IBM Smart Analytics System\"},\"Business Unit\":{\"code\":\"BU050\",\"label\":\"BU NOT IDENTIFIED\"},\"Component\":\"IBM Smart Analytics System 2050\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSFVXC\",\"label\":\"InfoSphere Balanced Warehouse\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\"Balanced Warehouse C Class - C3000\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSFVXC\",\"label\":\"InfoSphere Balanced Warehouse\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\"Balanced Warehouse C Class - C4000\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSFVXC\",\"label\":\"InfoSphere Balanced Warehouse\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\"Balanced Warehouse D Class - D5100\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSKT3D\",\"label\":\"IBM Smart Analytics System\"},\"Business Unit\":{\"code\":\"BU050\",\"label\":\"BU NOT IDENTIFIED\"},\"Component\":\"IBM Smart Analytics System 5600\",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}}]", "cvss3": {}, "published": "2022-09-25T23:13:40", "type": "ibm", "title": "Security Bulletin: IBM Smart Analytics System 1050, 2050, and 5600 and IBM InfoSphere Balanced Warehouse C3000, C4000, and D5100 are affected by vulnerabilities in OpenSSL (CVE-2013-0166, CVE-2013-0169)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2131", "CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-09-25T23:13:40", "id": "F0DE6E4E0B989C212565A180164B3116C1C0A2058857C3A677B778E4539132ED", "href": "https://www.ibm.com/support/pages/node/490371", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdi": [{"lastseen": "2023-10-01T03:37:29", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the Java AWT Image Transform library functions. For certain image transformation functions, Java fails to take the 'numBands' into account during the allocation of heap memory and instead uses a static value of 0x4. The allocated memory is later written to inside a loop that uses the 'numBands' value which can result in a memory corruption. This can lead to remote code execution under the context of the current process.", "cvss3": {}, "published": "2013-02-11T00:00:00", "type": "zdi", "title": "Oracle Java AWT Image Transform Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1480"], "modified": "2013-02-11T00:00:00", "id": "ZDI-13-022", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T14:23:10", "description": "The version of IBM Tivoli Storage Manager installed on the remote host is 6.3.x prior to 6.3.4.200. It is, therefore, affected by a vulnerability that could allow a remote attacker to perform a statistical timing attack known as 'Lucky Thirteen'.", "cvss3": {}, "published": "2014-08-11T00:00:00", "type": "nessus", "title": "IBM Tivoli Storage Manager Server 6.3.x < 6.3.4.200 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:ibm:tivoli_storage_manager"], "id": "IBM_TSM_SERVER_6_3_4_200.NASL", "href": "https://www.tenable.com/plugins/nessus/77120", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77120);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"IBM Tivoli Storage Manager Server 6.3.x < 6.3.4.200 Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote backup service is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM Tivoli Storage Manager installed on the remote host\nis 6.3.x prior to 6.3.4.200. It is, therefore, affected by a\nvulnerability that could allow a remote attacker to perform a\nstatistical timing attack known as 'Lucky Thirteen'.\");\n # http://www-01.ibm.com/support/docview.wss?uid=swg21672363\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9986de60\");\n # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-tivoli-storage-manager-server-gskit-lucky-13-vulnerability-cve-2013-0169/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?002f4534\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM Tivoli Storage Manager 6.3.4.200 or later or disable\nSSL.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/08/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:tivoli_storage_manager\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ibm_tsm_detect.nasl\");\n script_require_keys(\"installed_sw/IBM Tivoli Storage Manager\");\n script_require_ports(\"Services/tsm-agent\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"install_func.inc\");\n\nport = get_service(svc:\"tsm-agent\",exit_on_fail:TRUE);\nprod = \"IBM Tivoli Storage Manager\";\nget_install_count(app_name:prod, exit_if_zero:TRUE);\ninstall = get_single_install(app_name:prod, port:port);\n\n# Install data\nversion = install[\"version\"];\n# We are only concerned with 6.3 specifically\nif(version !~ \"^6\\.3(\\.|$)\") audit(AUDIT_NOT_LISTEN, prod+\" 6.3\", port);\n\n# See if SSL is on for the port we're checking\nsslon = get_kb_item(\"Transports/TCP/\"+port);\nsslon = (sslon && sslon > ENCAPS_IP);\n\n# Work around is to turn SSL off\nif(!sslon && report_paranoia < 2) audit(AUDIT_LISTEN_NOT_VULN, prod, port);\n\nfix = \"6.3.4.200\";\nif(ver_compare(ver:version,fix:fix,strict:FALSE) < 0)\n{\n\n if(report_verbosity > 0)\n {\n report =\n '\\n Product : ' + prod +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_note(port:port,extra:report);\n } else security_note(port);\n} else audit(AUDIT_LISTEN_NOT_VULN, prod, port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:22:36", "description": "The remote host appears to be running Ipswitch IMail Server 11.x or 12.x older than version 12.3 and is, therefore, affected by an information disclosure vulnerability due to the included OpenSSL version.\n\nAn error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks.", "cvss3": {}, "published": "2014-07-14T00:00:00", "type": "nessus", "title": "Ipswitch IMail Server 11.x / 12.x < 12.3 Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:ipswitch:imail"], "id": "IPSWITCH_IMAIL_12_3.NASL", "href": "https://www.tenable.com/plugins/nessus/76489", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76489);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"CERT\", value:\" 737740\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Ipswitch IMail Server 11.x / 12.x < 12.3 Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running Ipswitch IMail Server 11.x or\n12.x older than version 12.3 and is, therefore, affected by an\ninformation disclosure vulnerability due to the included OpenSSL\nversion.\n\nAn error exists related to the SSL/TLS/DTLS protocols, CBC mode\nencryption and response time. An attacker could obtain plaintext\ncontents of encrypted traffic via timing attacks.\");\n # https://docs.ipswitch.com/_Messaging/IMailServer/v12.3/ReleaseNotes/index.htm\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9b35fe05\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.imailserver.com/imail-software-upgrades\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20130205.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Ipswitch IMail Server version 12.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ipswitch:imail\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smtpserver_detect.nasl\", \"popserver_detect.nasl\", \"imap4_banner.nasl\");\n script_require_ports(\"Services/smtp\", 25, \"Services/pop3\", 110, \"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"imap_func.inc\");\ninclude(\"pop3_func.inc\");\ninclude(\"smtp_func.inc\");\n\nver = NULL;\nservice = NULL;\nsource = NULL;\n\n# - SMTP.\nports = get_kb_list(\"Services/smtp\");\nif (isnull(ports)) ports = make_list(25);\nforeach port (ports)\n{\n if (get_port_state(port) && !get_kb_item('SMTP/'+port+'/broken'))\n {\n banner = get_smtp_banner(port:port);\n # At least keep trying to find a banner\n if (isnull(banner) || strlen(banner) == 0) continue;\n\n if (\" (IMail \" >< banner)\n {\n pat = \"^[0-9][0-9][0-9] .+ \\(IMail ([0-9.]+) [0-9]+-[0-9]+\\) NT-ESMTP Server\";\n matches = egrep(pattern:pat, string:banner);\n if (matches)\n {\n foreach match (split(matches, keep:FALSE))\n {\n item = eregmatch(pattern:pat, string:match);\n if (!isnull(item))\n {\n ver = item[1];\n service = \"SMTP\";\n source = match;\n break;\n }\n }\n }\n if (isnull(ver) && !thorough_tests) audit(AUDIT_SERVICE_VER_FAIL, \"IMail SMTP\", port);\n }\n else\n if (!thorough_tests) audit(AUDIT_NOT_LISTEN, \"IMail SMTP\", port);\n }\n}\n\n# - IMAP.\nif (isnull(ver))\n{\n ports = get_kb_list(\"Services/imap\");\n if (isnull(ports)) ports = make_list(143);\n foreach port (ports)\n {\n if (get_port_state(port))\n {\n banner = get_imap_banner(port:port);\n # At least keep trying to find a banner\n if (isnull(banner) || strlen(banner) == 0) continue;\n\n if (\" (IMail \" >< banner)\n {\n pat = \"IMAP4 Server[^(]+\\(IMail ([0-9.]+) *([0-9]+-[0-9]+)?\\)\";\n matches = egrep(pattern:pat, string:banner);\n if (matches)\n {\n foreach match (split(matches, keep:FALSE))\n {\n item = eregmatch(pattern:pat, string:match);\n if (!isnull(item))\n {\n ver = item[1];\n service = \"IMAP\";\n source = match;\n break;\n }\n }\n }\n if (isnull(ver) && !thorough_tests) audit(AUDIT_SERVICE_VER_FAIL, \"IMail IMAP\", port);\n }\n else\n if (!thorough_tests) audit(AUDIT_NOT_LISTEN, \"IMail IMAP\", port);\n }\n }\n}\n\n# - POP3\nif (isnull(ver))\n{\n ports = get_kb_list(\"Services/pop3\");\n if (isnull(ports)) ports = make_list(110);\n foreach port (ports)\n {\n if (get_port_state(port))\n {\n banner = get_pop3_banner(port:port);\n # At least keep trying to find a banner\n if (isnull(banner) || strlen(banner) == 0) continue;\n\n if (\" (IMail \" >< banner)\n {\n pat = \"NT-POP3 Server .+ \\(IMail ([0-9.]+) [0-9]+-[0-9]+\\)\";\n matches = egrep(pattern:pat, string:banner);\n if (matches)\n {\n foreach match (split(matches, keep:FALSE))\n {\n item = eregmatch(pattern:pat, string:match);\n if (!isnull(item))\n {\n ver = item[1];\n service = \"POP3\";\n source = match;\n break;\n }\n }\n }\n if (isnull(ver) && !thorough_tests) audit(AUDIT_SERVICE_VER_FAIL, \"IMail POP3\", port);\n }\n else\n if (!thorough_tests) audit(AUDIT_NOT_LISTEN, \"IMail POP3\", port);\n }\n }\n}\n\nif (isnull(ver)) audit(AUDIT_SERVICE_VER_FAIL, \"Ipswitch IMail Server\", port);\n\n# There's a problem if the version is < 12.3\nif (\n ver =~ \"^(11|12)\\.\" &&\n ver_compare(ver:ver, fix:'12.3', strict:FALSE) < 0\n)\n{\n if (report_verbosity > 0)\n {\n report = \n '\\n Service : ' + service +\n '\\n Version source : ' + source +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : 12.3' +\n '\\n';\n security_note(port:port,extra:report);\n }\n else security_note(port);\n\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Ipswitch IMail Server\", port, ver);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:24:16", "description": "A vulnerability exists in the TLS and DTLS protocols that may allow an attacker to recover plaintext from TLS/DTLS connections that use CBC-mode encryption. (CVE-2013-0169)\n\nNote: Stream ciphers, such as RC4, are not vulnerable to this issue.", "cvss3": {}, "published": "2014-10-10T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : TLS/DTLS 'Lucky 13' vulnerability (K14190)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL14190.NASL", "href": "https://www.tenable.com/plugins/nessus/78142", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K14190.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78142);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"F5 Networks BIG-IP : TLS/DTLS 'Lucky 13' vulnerability (K14190)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the TLS and DTLS protocols that may allow an\nattacker to recover plaintext from TLS/DTLS connections that use\nCBC-mode encryption. (CVE-2013-0169)\n\nNote: Stream ciphers, such as RC4, are not vulnerable to this issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K14190\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K14190.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K14190\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"11.3.0HF2\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\",\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\",\"11.2.1-11.2.1HF15\",\"10.0.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\",\"11.2.1HF16\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\",\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\",\"11.2.1-11.2.1HF15\",\"10.0.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\",\"11.2.1HF16\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\",\"11.2.1-11.2.1HF15\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\",\"11.2.1HF16\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.4.0-11.6.3\",\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\",\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\",\"11.2.1-11.2.1HF15\",\"10.0.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\",\"11.2.1HF16\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\",\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\",\"11.2.1-11.2.1HF15\",\"10.0.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\",\"11.2.1HF16\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"12.1.0-12.1.0HF1\",\"12.0.0-12.0.0HF3\",\"11.6.1\",\"11.6.0-11.6.0HF7\",\"11.5.2-11.5.4HF1\",\"11.5.1-11.5.1HF10\",\"11.4.1-11.4.1HF10\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"11.4.0-14.0.0\",\"11.3.0HF2\",\"12.1.1-14.0.0\",\"12.1.0HF2\",\"12.0.0HF4\",\"11.6.1HF1\",\"11.6.0HF8\",\"11.5.4HF2\",\"11.5.1HF11\",\"11.4.1HF11\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\",\"11.3.0\",\"11.2.1-11.2.1HF15\",\"10.2.1-10.2.4\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"11.4.0-11.4.1\",\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\",\"11.2.1HF16\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\",\"11.3.0\",\"11.2.1-11.2.1HF15\",\"10.2.1-10.2.4\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\",\"11.2.1HF16\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.3.0-11.3.0HF1\",\"11.2.1-11.2.1HF3\",\"11.2.0-11.2.0HF3\",\"11.1.0-11.1.0HF5\",\"11.0.0-11.0.0HF4\",\"10.0.0-10.2.4HF4\",\"11.3.0\",\"11.2.1-11.2.1HF15\",\"10.2.1-10.2.4\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"11.3.0HF2\",\"11.2.1HF4\",\"11.2.0HF4\",\"11.1.0HF6\",\"11.0.0HF5\",\"10.2.4HF6\",\"11.2.1HF16\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_note(port:0, extra:bigip_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:08:58", "description": "The remote host is running a version of IBM Tivoli Directory Server and a version of IBM Global Security Kit (GSKit) that is affected by an information disclosure vulnerability. The Transport Layer Security (TLS) protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets. This type of exploitation is known as the 'Lucky Thirteen' attack.", "cvss3": {}, "published": "2015-01-13T00:00:00", "type": "nessus", "title": "IBM Tivoli Directory Server < 6.0.0.72 / 6.1.0.55 / 6.2.0.30 / 6.3.0.22 with GSKit < 7.0.4.45 / 8.0.14.27 TLS Side-Channel Timing Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:ibm:tivoli_directory_server", "cpe:/a:ibm:global_security_kit"], "id": "TIVOLI_DIRECTORY_SVR_SWG21638270.NASL", "href": "https://www.tenable.com/plugins/nessus/80481", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80481);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"IBM Tivoli Directory Server < 6.0.0.72 / 6.1.0.55 / 6.2.0.30 / 6.3.0.22 with GSKit < 7.0.4.45 / 8.0.14.27 TLS Side-Channel Timing Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a library installed that is affected by an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of IBM Tivoli Directory Server\nand a version of IBM Global Security Kit (GSKit) that is affected by\nan information disclosure vulnerability. The Transport Layer Security\n(TLS) protocol does not properly consider timing side-channel attacks,\nwhich allows remote attackers to conduct distinguishing attacks and\nplain-text recovery attacks via statistical analysis of timing data\nfor crafted packets. This type of exploitation is known as the 'Lucky\nThirteen' attack.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21638270\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install the appropriate fix based on the vendor's advisory :\n\n - 6.0.0.72-ISS-ITDS\n - 6.1.0.55-ISS-ITDS\n - 6.2.0.30-ISS-ITDS\n - 6.3.0.22-ISS-ITDS\n\nAlternatively, upgrade GSKit to 7.0.4.45 or 8.0.50.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:tivoli_directory_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:global_security_kit\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ibm_gskit_installed.nasl\", \"tivoli_directory_svr_installed.nasl\");\n script_require_keys(\"installed_sw/IBM GSKit\", \"installed_sw/IBM Security Directory Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\ntds_name = \"IBM Security Directory Server\";\ntds_install = get_single_install(app_name:tds_name, exit_if_unknown_ver:TRUE);\n\ntds_ver = tds_install['version'];\ntds_path = tds_install['path'];\n\ntds_fix = NULL;\ntds_patch = NULL;\ngsk_ver_regex = NULL;\ngsk_fix = NULL;\n\n# Ensure that TDS version is affected.\nif (tds_ver =~ \"^6\\.0\\.\")\n{\n tds_fix = \"6.0.0.72\";\n tds_patch = \"6.0.0.72-ISS-ITDS\";\n gsk_ver_regex = \"^7\\.\";\n gsk_fix = '7.0.4.45';\n}\nelse if (tds_ver =~ \"^6\\.1\\.\")\n{\n tds_fix = \"6.1.0.55\";\n tds_patch = \"6.1.0.55-ISS-ITDS\";\n gsk_ver_regex = \"^7\\.\";\n gsk_fix = '7.0.4.45';\n}\nelse if (tds_ver =~ \"^6\\.2\\.\")\n{\n tds_fix = \"6.2.0.30\";\n tds_patch = \"6.2.0.30-ISS-ITDS\";\n gsk_ver_regex = \"^7\\.\";\n gsk_fix = '7.0.4.45';\n}\nelse if (tds_ver =~ \"^6\\.3\\.0($|[^0-9])\")\n{\n tds_fix = \"6.3.0.22\";\n tds_patch = \"6.3.0.22-ISS-ITDS\";\n gsk_ver_regex = \"^8\\.\";\n gsk_fix = '8.0.14.27 / 8.0.50.4';\n}\n\n# If the IF has been installed or the branch is not affected, exit.\nif (isnull(tds_fix) || ver_compare(ver:tds_ver, fix:tds_fix, strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, tds_name, tds_ver, tds_path);\n\n# If we got this far, we need to look at GSKit.\ngsk_app = \"IBM GSKit\";\n\n# We don't bother to exit if we can't detect any GSKit installations\ngsk_installs = get_installs(app_name:gsk_app);\ngsk_report = NULL;\ngsk_vuln = 0;\n\nforeach gsk_install (gsk_installs[1])\n{\n gsk_ver = gsk_install['version'];\n gsk_path = gsk_install['path'];\n\n # There can only be a single install per major version. So we will\n # have at most one vulnerable install.\n if (gsk_ver !~ gsk_ver_regex) continue;\n\n if (\n (gsk_ver =~ \"^8\\.0\\.50\\.\"\n && ver_compare(ver:gsk_ver, fix:\"8.0.50.4\", strict:FALSE) == -1) ||\n (gsk_ver =~ \"^8\\.0\\.14\\.\"\n && ver_compare(ver:gsk_ver, fix:\"8.0.14.27\", strict:FALSE) == -1) ||\n (gsk_ver =~ \"^7\\.0\\.\"\n && ver_compare(ver:gsk_ver, fix:\"7.0.4.45\", strict:FALSE) == -1)\n )\n {\n gsk_report +=\n '\\n Path : ' + gsk_path +\n '\\n Installed GSKit Version : ' + gsk_ver +\n '\\n Fixed GSKit Version : ' + gsk_fix +\n '\\n';\n\n gsk_vuln++;\n }\n}\n\nport = get_kb_item('SMB/transport');\nif (!port) port = 445;\n\nif (report_verbosity > 0)\n{\n report =\n '\\nThe install of ' + tds_name + ' is vulnerable :' +\n '\\n' +\n '\\n Path : ' + tds_path +\n '\\n Installed version : ' + tds_ver +\n '\\n Fixed version : ' + tds_fix +\n '\\n' +\n '\\nInstall ' + tds_patch + ' to update installation.' +\n '\\n';\n\n if (!isnull(gsk_report))\n {\n instance = \" instance \"; is_are = \" is \";\n\n if (gsk_vuln > 1) {instance = \" instances \"; is_are = \" are \";}\n\n report +=\n '\\nAlso, the following vulnerable'+instance+'of '+gsk_app+is_are+'installed on the'+\n '\\nremote host :' +\n '\\n' +\n gsk_report;\n }\n\n security_note(port:port, extra:report);\n}\nelse security_note(port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T14:22:22", "description": "The version of IBM HTTP Server running on the remote host is affected by a vulnerability. The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the 'Lucky Thirteen' issue.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-15T00:00:00", "type": "nessus", "title": "IBM HTTP Server 8.5.0.0 <= 8.5.0.2 / 8.0.0.0 <= 8.0.0.6 / 7.0.0.0 <= 7.0.0.27 / 6.1.0.0 <= 6.1.0.45 (491407)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:ibm:http_server"], "id": "IBM_HTTP_SERVER_491407.NASL", "href": "https://www.tenable.com/plugins/nessus/144298", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(144298);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"IBM HTTP Server 8.5.0.0 <= 8.5.0.2 / 8.0.0.0 <= 8.0.0.6 / 7.0.0.0 <= 7.0.0.27 / 6.1.0.0 <= 6.1.0.45 (491407)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM HTTP Server running on the remote host is affected by a vulnerability. The TLS protocol 1.1 and 1.2\nand the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider\ntiming side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows\nremote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing\ndata for crafted packets, aka the 'Lucky Thirteen' issue.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.ibm.com/support/pages/node/491407\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to IBM HTTP Server version 8.5.5.0, 8.0.0.7, 7.0.0.29, 6.1.0.47 or later. Alternatively, upgrade to the minimal\nfix pack level required by the interim fix and then apply Interim Fix PI09443.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:http_server\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ibm_http_server_nix_installed.nbin\");\n script_require_keys(\"installed_sw/IBM HTTP Server (IHS)\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp = 'IBM HTTP Server (IHS)';\nfix = 'Interim Fix PI09443';\n\napp_info = vcf::get_app_info(app:app);\nvcf::check_granularity(app_info:app_info, sig_segments:4);\n\n if ('PI09443' >< app_info['Fixes'])\n audit(AUDIT_INST_VER_NOT_VULN, app);\n\nconstraints = [\n { 'min_version' : '8.5.0.0', 'max_version' : '8.5.0.2', 'fixed_display' : '8.5.5.0 or Interim Fix PI09443'},\n { 'min_version' : '8.0.0.0', 'max_version' : '8.0.0.6', 'fixed_display' : '8.0.0.7 or Interim Fix PI09443'},\n { 'min_version' : '7.0.0.0', 'max_version' : '7.0.0.27', 'fixed_display' : '7.0.0.29 or Interim Fix PI09443'},\n { 'min_version' : '6.1.0.0', 'max_version' : '6.1.0.45', 'fixed_display' : '6.1.0.47 or Interim Fix PI09443'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:37:51", "description": "The version of IBM Global Security Kit (GSKit) installed on the remote host is 7.0.x prior to 7.0.4.45 or 8.0.14.x prior to 8.0.14.27.\nIt is, therefore, affected by an information disclosure vulnerability.\nThe Transport Layer Security (TLS) protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets. This type of exploitation is known as the 'Lucky Thirteen' attack.", "cvss3": {}, "published": "2013-07-10T00:00:00", "type": "nessus", "title": "IBM GSKit 7.x < 7.0.4.45 / 8.0.14.x < 8.0.14.27 TLS Side-Channel Timing Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:ibm:global_security_kit"], "id": "IBM_GSKIT_SWG21638270.NASL", "href": "https://www.tenable.com/plugins/nessus/67231", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67231);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"IBM GSKit 7.x < 7.0.4.45 / 8.0.14.x < 8.0.14.27 TLS Side-Channel Timing Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a library installed that is affected by an\ninformation disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of IBM Global Security Kit (GSKit) installed on the\nremote host is 7.0.x prior to 7.0.4.45 or 8.0.14.x prior to 8.0.14.27.\nIt is, therefore, affected by an information disclosure vulnerability.\nThe Transport Layer Security (TLS) protocol does not properly\nconsider timing side-channel attacks, which allows remote attackers\nto conduct distinguishing attacks and plain-text recovery attacks via\nstatistical analysis of timing data for crafted packets. This type of\nexploitation is known as the 'Lucky Thirteen' attack.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21638270\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to GSKit 7.0.4.45 / 8.0.14.27 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/10\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:global_security_kit\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ibm_gskit_installed.nasl\", \"ibm_gskit_installed_nix.nbin\");\n script_require_keys(\"installed_sw/IBM GSKit\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"IBM GSKit\";\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nversion = install['version'];\npath = install['path'];\nfix = NULL;\n\nif (version =~ '^7\\\\.0\\\\.' && ver_compare(ver:version, fix:'7.0.4.45') < 0)\n fix = '7.0.4.45';\nelse if (version =~ '^8\\\\.0\\\\.14\\\\.' && ver_compare(ver:version, fix:'8.0.14.27') < 0)\n fix = '8.0.14.27';\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);\n\n# Default to Linux unless the RPM is not set\nport = 0;\nif (isnull(install['RPM']))\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n}\n\nif (report_verbosity > 0)\n{\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n\n security_note(port:port, extra:report);\n}\nelse security_note(port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-24T14:37:47", "description": "According to its banner, the remote web server is running a version of OpenSSL 1.0.1 prior to 1.0.1e. The OpenSSL library is, therefore, reportedly affected by an incomplete fix for CVE-2013-0169.\n\nAn error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks.", "cvss3": {}, "published": "2013-02-13T00:00:00", "type": "nessus", "title": "OpenSSL 1.0.1 < 1.0.1e Information Disclosure", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2023-08-21T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "OPENSSL_1_0_1E.NASL", "href": "https://www.tenable.com/plugins/nessus/64620", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64620);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/08/21\");\n\n script_cve_id(\"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"OpenSSL 1.0.1 < 1.0.1e Information Disclosure\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service may be affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote web server is running a version of\nOpenSSL 1.0.1 prior to 1.0.1e. The OpenSSL library is, therefore,\nreportedly affected by an incomplete fix for CVE-2013-0169.\n\nAn error exists related to the SSL/TLS/DTLS protocols, CBC mode\nencryption and response time. An attacker could obtain plaintext\ncontents of encrypted traffic via timing attacks.\");\n # https://www.mail-archive.com/openssl-announce@openssl.org/msg00125.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9167fa5f\");\n # https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0c4b72e9c0e3a75e0b89166540396dc3b58138b8\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a7f8a0c1\");\n # https://git.openssl.org/gitweb/?p=openssl-web.git;a=commitdiff;h=3668d99f1db0410ccd43b5edb88651ccf6e9ac48\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ecf84273\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSL 1.0.1e or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2023 Tenable Network Security, Inc.\");\n\n script_dependencies(\"openssl_version.nasl\", \"openssl_nix_installed.nbin\", \"openssl_win_installed.nbin\");\n script_require_keys(\"installed_sw/OpenSSL\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_openssl.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'OpenSSL');\n\nvcf::check_all_backporting(app_info:app_info);\n\nvar constraints = [{ 'min_version' : \"1.0.1\", 'fixed_version' : '1.0.1e'}];\n\nvcf::openssl::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:27", "description": "Multiple security and bug fixes update from upstream.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-03-04T00:00:00", "type": "nessus", "title": "Fedora 18 : openssl-1.0.1e-3.fc18 (2013-2834)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssl", "cpe:/o:fedoraproject:fedora:18"], "id": "FEDORA_2013-2834.NASL", "href": "https://www.tenable.com/plugins/nessus/64982", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-2834.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64982);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57755, 57778);\n script_xref(name:\"FEDORA\", value:\"2013-2834\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Fedora 18 : openssl-1.0.1e-3.fc18 (2013-2834)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Multiple security and bug fixes update from upstream.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=839735\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=907589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=908052\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/099470.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e08fe822\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"openssl-1.0.1e-3.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:37:02", "description": "Versions of OpenSSL prior to 0.9.8y are reportedly affected by the following vulnerabilities :\n\n - An error exists related to the handling of OCSP response verification that could allow denial of service attacks. (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)", "cvss3": {}, "published": "2013-06-11T00:00:00", "type": "nessus", "title": "OpenSSL < 0.9.8y / 1.0.1d / 1.0.0k Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2013-06-11T00:00:00", "cpe": [], "id": "801052.PRM", "href": "https://www.tenable.com/plugins/lce/801052", "sourceData": "Binary data 801052.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:30:21", "description": "The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.", "cvss3": {}, "published": "2014-10-10T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : GnuTLS vulnerability (SOL15637)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-2116"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:f5:big-ip:acceleration_manager", "cpe:/a:f5:big-ip:access_policy_manager", "cpe:/a:f5:big-ip:advanced_firewall_manager", "cpe:/a:f5:big-ip:application_security_manager", "cpe:/a:f5:big-ip:application_visibility_and_reporting", "cpe:/a:f5:big-ip:global_traffic_manager", "cpe:/a:f5:big-ip:link_controller", "cpe:/a:f5:big-ip:local_traffic_manager", "cpe:/a:f5:big-ip:policy_enforcement_manager", "cpe:/a:f5:big-ip:protocol_security_manager", "cpe:/a:f5:big-ip:wan_optimization_manager", "cpe:/a:f5:big-ip:web_accelerator_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL15637.NASL", "href": "https://www.tenable.com/plugins/nessus/78199", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL15637.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78199);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-2116\");\n script_bugtraq_id(57778, 60215);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"F5 Networks BIG-IP : GnuTLS vulnerability (SOL15637)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in\nGnuTLS 2.12.23 allows remote attackers to cause a denial of service\n(buffer over-read and crash) via a crafted padding length. NOTE: this\nmight be due to an incorrect fix for CVE-2013-0169.\");\n # http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15637.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?86d6ebf4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL15637.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:protocol_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip:web_accelerator_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL15637\";\nvmatrix = make_array();\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.3.0-11.4.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.0.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.0.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.0.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.3.0-11.4.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\",\"10.0.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.4.0-11.4.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"11.5.0-11.6.0\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T14:49:42", "description": "Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, CVE-2013-1486 could have been exploited without user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "cvss3": {}, "published": "2013-02-21T00:00:00", "type": "nessus", "title": "CentOS 6 : java-1.6.0-openjdk (CESA-2013:0273)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:centos:centos:java-1.6.0-openjdk", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-src", "cpe:/o:centos:centos:6"], "id": "CENTOS_RHSA-2013-0273.NASL", "href": "https://www.tenable.com/plugins/nessus/64730", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0273 and \n# CentOS Errata and Security Advisory 2013:0273 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64730);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_xref(name:\"RHSA\", value:\"2013:0273\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"CentOS 6 : java-1.6.0-openjdk (CESA-2013:0273)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated java-1.6.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component\nin OpenJDK. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, CVE-2013-1486 could have been exploited without user\ninteraction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\");\n # https://lists.centos.org/pipermail/centos-announce/2013-February/019252.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34909601\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.6.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1486\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T15:19:54", "description": "java-1_6_0-openjdk was updated to IcedTea 1.12.3 (bnc#804654) containing security and bugfixes :\n\n - Security fixes\n\n - S8006446: Restrict MBeanServer access (CVE-2013-1486)\n\n - S8006777: Improve TLS handling of invalid messages Lucky 13 (CVE-2013-0169)\n\n - S8007688: Blacklist known bad certificate (issued by DigiCert)\n\n - Backports\n\n - S8007393: Possible race condition after JDK-6664509\n\n - S8007611: logging behavior in applet changed\n\n - Bug fixes\n\n - PR1319: Support GIF lib v5.", "cvss3": {}, "published": "2014-06-13T00:00:00", "type": "nessus", "title": "openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2013:0375-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:java-1_6_0-openjdk", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-debuginfo", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-debugsource", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo-debuginfo", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel-debuginfo", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-javadoc", "p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-src", "cpe:/o:novell:opensuse:12.1"], "id": "OPENSUSE-2013-164.NASL", "href": "https://www.tenable.com/plugins/nessus/74906", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-164.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74906);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2013:0375-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote openSUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"java-1_6_0-openjdk was updated to IcedTea 1.12.3 (bnc#804654)\ncontaining security and bugfixes :\n\n - Security fixes\n\n - S8006446: Restrict MBeanServer access (CVE-2013-1486)\n\n - S8006777: Improve TLS handling of invalid messages Lucky\n 13 (CVE-2013-0169)\n\n - S8007688: Blacklist known bad certificate (issued by\n DigiCert)\n\n - Backports\n\n - S8007393: Possible race condition after JDK-6664509\n\n - S8007611: logging behavior in applet changed\n\n - Bug fixes\n\n - PR1319: Support GIF lib v5.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=804654\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.opensuse.org/opensuse-updates/2013-03/msg00001.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1_6_0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-debuginfo-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-debugsource-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-demo-debuginfo-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-devel-debuginfo-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-javadoc-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"java-1_6_0-openjdk-src-1.6.0.0_b27.1.12.3-28.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1_6_0-openjdk\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:09:36", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.\n (CVE-2013-0166)\n\n - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the 'Lucky Thirteen' issue. (CVE-2013-0169)", "cvss3": {}, "published": "2015-01-19T00:00:00", "type": "nessus", "title": "Oracle Solaris Third-Party Patch Update : openssl (lucky_thirteen_vulnerability_in_solaris)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.1", "p-cpe:/a:oracle:solaris:openssl"], "id": "SOLARIS11_OPENSSL_20130716.NASL", "href": "https://www.tenable.com/plugins/nessus/80719", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80719);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : openssl (lucky_thirteen_vulnerability_in_solaris)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1\n before 1.0.1d does not properly perform signature\n verification for OCSP responses, which allows remote\n OCSP servers to cause a denial of service (NULL pointer\n dereference and application crash) via an invalid key.\n (CVE-2013-0166)\n\n - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0\n and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and\n other products, do not properly consider timing\n side-channel attacks on a MAC check requirement during\n the processing of malformed CBC padding, which allows\n remote attackers to conduct distinguishing attacks and\n plaintext-recovery attacks via statistical analysis of\n timing data for crafted packets, aka the 'Lucky\n Thirteen' issue. (CVE-2013-0169)\");\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a913f44\");\n # https://blogs.oracle.com/sunsecurity/lucky-thirteen-vulnerability-in-solaris-openssl\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2d8ba7ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Solaris 11.1.7.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:openssl\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Solaris Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^openssl$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.1.7.0.5.0\", sru:\"SRU 11.1.7.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : openssl\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"openssl\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:42", "description": "Multiple vulnerabilities has been found and corrected in openssl :\n\nOpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key (CVE-2013-0166).\n\nThe TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue (CVE-2013-0169).\n\nThe updated packages have been upgraded to the 1.0.0k version which is not vulnerable to these issues.", "cvss3": {}, "published": "2013-04-20T00:00:00", "type": "nessus", "title": "Mandriva Linux Security Advisory : openssl (MDVSA-2013:052)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:lib64openssl-devel", "p-cpe:/a:mandriva:linux:lib64openssl-engines1.0.0", "p-cpe:/a:mandriva:linux:lib64openssl-static-devel", "p-cpe:/a:mandriva:linux:lib64openssl1.0.0", "p-cpe:/a:mandriva:linux:openssl", "cpe:/o:mandriva:business_server:1"], "id": "MANDRIVA_MDVSA-2013-052.NASL", "href": "https://www.tenable.com/plugins/nessus/66066", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:052. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66066);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57778, 60268);\n script_xref(name:\"MDVSA\", value:\"2013:052\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Mandriva Linux Security Advisory : openssl (MDVSA-2013:052)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Multiple vulnerabilities has been found and corrected in openssl :\n\nOpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d\ndoes not properly perform signature verification for OCSP responses,\nwhich allows remote attackers to cause a denial of service (NULL\npointer dereference and application crash) via an invalid key\n(CVE-2013-0166).\n\nThe TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as\nused in OpenSSL, OpenJDK, PolarSSL, and other products, do not\nproperly consider timing side-channel attacks on a MAC check\nrequirement during the processing of malformed CBC padding, which\nallows remote attackers to conduct distinguishing attacks and\nplaintext-recovery attacks via statistical analysis of timing data for\ncrafted packets, aka the Lucky Thirteen issue (CVE-2013-0169).\n\nThe updated packages have been upgraded to the 1.0.0k version which is\nnot vulnerable to these issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20130204.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64openssl-engines1.0.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64openssl-static-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64openssl1.0.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64openssl-devel-1.0.0k-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64openssl-engines1.0.0-1.0.0k-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64openssl-static-devel-1.0.0k-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64openssl1.0.0-1.0.0k-1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"openssl-1.0.0k-1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-22T15:36:48", "description": "According to its banner, the remote web server is running a version of OpenSSL prior to 0.9.8y. The OpenSSL library is, therefore, reportedly affected by the following vulnerabilities :\n\n - An error exists related to the handling of OCSP response verification that could allow denial of service attacks.\n (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)", "cvss3": {}, "published": "2013-02-09T00:00:00", "type": "nessus", "title": "OpenSSL < 0.9.8y Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2023-08-22T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "OPENSSL_0_9_8Y.NASL", "href": "https://www.tenable.com/plugins/nessus/64532", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64532);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/08/22\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57778, 60268);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"OpenSSL < 0.9.8y Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host may be affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote web server is running a version\nof OpenSSL prior to 0.9.8y. The OpenSSL library is, therefore,\nreportedly affected by the following vulnerabilities :\n\n - An error exists related to the handling of OCSP response\n verification that could allow denial of service attacks.\n (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols,\n CBC mode encryption and response time. An attacker\n could obtain plaintext contents of encrypted traffic via\n timing attacks. (CVE-2013-0169)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20130204.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSL 0.9.8y or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"openssl_version.nasl\", \"openssl_nix_installed.nbin\", \"openssl_win_installed.nbin\");\n script_require_keys(\"installed_sw/OpenSSL\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_openssl.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'OpenSSL');\n\nvcf::check_all_backporting(app_info:app_info);\n\nvar constraints = [{ 'min_version' : '0.0.0', 'fixed_version' : '0.9.8y'}];\n\nvcf::openssl::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:11:22", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.\n (CVE-2013-1620)", "cvss3": {}, "published": "2015-01-19T00:00:00", "type": "nessus", "title": "Oracle Solaris Third-Party Patch Update : nss (cve_2013_1620_lucky_thirteen)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "modified": "2021-01-14T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.1", "p-cpe:/a:oracle:solaris:nss"], "id": "SOLARIS11_NSS_20140809.NASL", "href": "https://www.tenable.com/plugins/nessus/80713", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(80713);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1620\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : nss (cve_2013_1620_lucky_thirteen)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - The TLS implementation in Mozilla Network Security\n Services (NSS) does not properly consider timing\n side-channel attacks on a noncompliant MAC check\n operation during the processing of malformed CBC\n padding, which allows remote attackers to conduct\n distinguishing attacks and plaintext-recovery attacks\n via statistical analysis of timing data for crafted\n packets, a related issue to CVE-2013-0169.\n (CVE-2013-1620)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2013-1620-lucky-thirteen-vulnerability-in-nss\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a0b29b49\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11.1.20.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:nss\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^nss$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.1.20.0.5.0\", sru:\"SRU 11.1.20.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : nss\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"nss\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T14:47:42", "description": "Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, CVE-2013-1486 could have been exploited without user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "cvss3": {}, "published": "2013-02-21T00:00:00", "type": "nessus", "title": "RHEL 6 : java-1.6.0-openjdk (RHSA-2013:0273)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:6.3"], "id": "REDHAT-RHSA-2013-0273.NASL", "href": "https://www.tenable.com/plugins/nessus/64746", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0273. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64746);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_xref(name:\"RHSA\", value:\"2013:0273\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"RHEL 6 : java-1.6.0-openjdk (RHSA-2013:0273)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated java-1.6.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component\nin OpenJDK. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, CVE-2013-1486 could have been exploited without user\ninteraction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\");\n # http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6-1.11.8/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?501e0ece\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2013:0273\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2013-0169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2013-1486\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.3\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0273\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:20:53", "description": "Multiple security and bug fixes update from upstream.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-03-08T00:00:00", "type": "nessus", "title": "Fedora 17 : openssl-1.0.0k-1.fc17 (2013-2793)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:openssl", "cpe:/o:fedoraproject:fedora:17"], "id": "FEDORA_2013-2793.NASL", "href": "https://www.tenable.com/plugins/nessus/65081", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-2793.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65081);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57755, 57778);\n script_xref(name:\"FEDORA\", value:\"2013-2793\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Fedora 17 : openssl-1.0.0k-1.fc17 (2013-2793)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Multiple security and bug fixes update from upstream.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=839735\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=907589\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=908052\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/099759.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?883de014\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected openssl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"openssl-1.0.0k-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:19:25", "description": "The version of OpenSSL running on the remote host is affected by the following vulnerabilities :\n\n - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side- channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the 'Lucky Thirteen' issue. (CVE-2013-0169)\n\n - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.\n (CVE-2013-0166)", "cvss3": {}, "published": "2014-04-16T00:00:00", "type": "nessus", "title": "AIX OpenSSL Advisory : openssl_advisory5.asc", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2023-04-21T00:00:00", "cpe": ["cpe:/o:ibm:aix"], "id": "AIX_OPENSSL_ADVISORY5.NASL", "href": "https://www.tenable.com/plugins/nessus/73563", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory openssl_advisory5.asc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(73563);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/21\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57778, 60268);\n script_xref(name:\"CERT\", value:\"737740\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"AIX OpenSSL Advisory : openssl_advisory5.asc\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host is running a vulnerable version of OpenSSL.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of OpenSSL running on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0\n and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and\n other products, do not properly consider timing side-\n channel attacks on a MAC check requirement during the\n processing of malformed CBC padding, which allows\n remote attackers to conduct distinguishing attacks and\n plaintext-recovery attacks via statistical analysis of\n timing data for crafted packets, aka the 'Lucky\n Thirteen' issue. (CVE-2013-0169)\n\n - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1\n before 1.0.1d does not properly perform signature\n verification for OCSP responses, which allows remote\n attackers to cause a denial of service (NULL pointer\n dereference and application crash) via an invalid key.\n (CVE-2013-0166)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://aix.software.ibm.com/aix/efixes/security/openssl_advisory5.asc\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available, and it can be downloaded from the AIX website.\n\nTo extract the fixes from the tar file :\n\n zcat openssl-0.9.8.2500.tar.Z | tar xvf -\n or\n zcat openssl-fips-12.9.8.2500.tar.Z | tar xvf -\n\nIMPORTANT : If possible, it is recommended that a mksysb backup of\nthe system be created. Verify it is both bootable and readable\nbefore proceeding.\n\nTo preview the fix installation :\n\n installp -apYd . openssl\n\nTo install the fix package :\n\n installp -aXYd . openssl\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/04/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item_or_exit(\"Host/AIX/version\");\nif ( oslevel != \"AIX-5.3\" && oslevel != \"AIX-6.1\" && oslevel != \"AIX-7.1\" )\n{\n oslevel = ereg_replace(string:oslevel, pattern:\"-\", replace:\" \");\n audit(AUDIT_OS_NOT, \"AIX 5.3 / 6.1 / 7.1\", oslevel);\n}\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nflag = 0;\n\nif (aix_check_package(release:\"5.3\", package:\"openssl.base\", minpackagever:\"0.0.0.0\", maxpackagever:\"0.9.8.2400\", fixpackagever:\"0.9.8.2500\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"openssl.base\", minpackagever:\"0.0.0.0\", maxpackagever:\"0.9.8.2400\", fixpackagever:\"0.9.8.2500\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"openssl.base\", minpackagever:\"0.0.0.0\", maxpackagever:\"0.9.8.2400\", fixpackagever:\"0.9.8.2500\") > 0) flag++;\nif (aix_check_package(release:\"5.3\", package:\"openssl-fips.base\", minpackagever:\"0.0.0.0\", maxpackagever:\"12.9.8.2400\", fixpackagever:\"12.9.8.2500\") > 0) flag++;\nif (aix_check_package(release:\"6.1\", package:\"openssl-fips.base\", minpackagever:\"0.0.0.0\", maxpackagever:\"12.9.8.2400\", fixpackagever:\"12.9.8.2500\") > 0) flag++;\nif (aix_check_package(release:\"7.1\", package:\"openssl-fips.base\", minpackagever:\"0.0.0.0\", maxpackagever:\"12.9.8.2400\", fixpackagever:\"12.9.8.2500\") > 0) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : aix_report_get()\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl.base / openssl-fips.base\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:53", "description": "A flaw in the OpenSSL handling of OCSP response verification could be exploited to cause a denial of service attack.\n\nOpenSSL has a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. The weakness could reveal plaintext in a timing attack.", "cvss3": {}, "published": "2013-04-08T00:00:00", "type": "nessus", "title": "FreeBSD : FreeBSD -- OpenSSL multiple vulnerabilities (69bfc852-9bd0-11e2-a7be-8c705af55518)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:freebsd", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_69BFC8529BD011E2A7BE8C705AF55518.NASL", "href": "https://www.tenable.com/plugins/nessus/65842", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65842);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_xref(name:\"FreeBSD\", value:\"SA-13:03.openssl\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"FreeBSD : FreeBSD -- OpenSSL multiple vulnerabilities (69bfc852-9bd0-11e2-a7be-8c705af55518)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"A flaw in the OpenSSL handling of OCSP response verification could be\nexploited to cause a denial of service attack.\n\nOpenSSL has a weakness in the handling of CBC ciphersuites in SSL, TLS\nand DTLS. The weakness could reveal plaintext in a timing attack.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20130205.txt\");\n # https://vuxml.freebsd.org/freebsd/69bfc852-9bd0-11e2-a7be-8c705af55518.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6aa5fbcb\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/04/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:FreeBSD\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=8.3<8.3_7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=9.0<9.0_7\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"FreeBSD>=9.1<9.1_2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-06T15:23:05", "description": "From Red Hat Security Advisory 2013:0273 :\n\nUpdated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)\n\nNote: If the web browser plug-in provided by the icedtea-web package was installed, CVE-2013-1486 could have been exploited without user interaction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "cvss3": {}, "published": "2013-07-12T00:00:00", "type": "nessus", "title": "Oracle Linux 6 : java-1.6.0-openjdk (ELSA-2013-0273)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:java-1.6.0-openjdk", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-demo", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-src", "cpe:/o:oracle:linux:6"], "id": "ORACLELINUX_ELSA-2013-0273.NASL", "href": "https://www.tenable.com/plugins/nessus/68734", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0273 and \n# Oracle Linux Security Advisory ELSA-2013-0273 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68734);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_bugtraq_id(57778, 58029);\n script_xref(name:\"RHSA\", value:\"2013:0273\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Oracle Linux 6 : java-1.6.0-openjdk (ELSA-2013-0273)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"From Red Hat Security Advisory 2013:0273 :\n\nUpdated java-1.6.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component\nin OpenJDK. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nNote: If the web browser plug-in provided by the icedtea-web package\nwas installed, CVE-2013-1486 could have been exploited without user\ninteraction if a user visited a malicious website.\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2013-February/003265.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.6.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.56.1.11.8.el6_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:38:03", "description": "According to its self-reported version number, the remote Junos device is using an outdated version of OpenSSL, which has multiple vulnerabilities including (but not limited to) :\n\n - An error exists related to the handling of OCSP response verification that could allow denial of service attacks.\n (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)", "cvss3": {}, "published": "2013-07-16T00:00:00", "type": "nessus", "title": "Juniper Junos OpenSSL Multiple Vulnerabilities (JSA10575)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:juniper:junos"], "id": "JUNIPER_JSA10575.NASL", "href": "https://www.tenable.com/plugins/nessus/68908", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68908);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57778, 60268);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Juniper Junos OpenSSL Multiple Vulnerabilities (JSA10575)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote Junos device\nis using an outdated version of OpenSSL, which has multiple\nvulnerabilities including (but not limited to) :\n\n - An error exists related to the handling of OCSP response\n verification that could allow denial of service attacks.\n (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols,\n CBC mode encryption and response time. An attacker\n could obtain plaintext contents of encrypted traffic via\n timing attacks. (CVE-2013-0169)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10575\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant Junos upgrade referenced in Juniper advisory\nJSA10575.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/07/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:junos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"junos_version.nasl\");\n script_require_keys(\"Host/Juniper/JUNOS/Version\", \"Host/Juniper/JUNOS/BuildDate\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"junos.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');\nbuild_date = get_kb_item_or_exit('Host/Juniper/JUNOS/BuildDate');\n\nif (compare_build_dates(build_date, '2013-06-13') >= 0)\n audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver + ' (build date ' + build_date + ')');\n\nfixes['11.4'] = '11.4R8';\nfixes['12.1'] = '12.1R6';\nfixes['12.2'] = '12.2R4';\nfixes['12.3'] = '12.3R3';\nfixes['13.1'] = '13.1R2';\nfix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);\n\nif (report_verbosity > 0)\n{\n report = get_report(ver:ver, fix:fix);\n security_warning(port:0, extra:report);\n}\nelse security_warning(0);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:37:05", "description": "Versions of OpenSSL prior to 0.9.8y are reportedly affected by the following vulnerabilities :\n\n - An error exists related to the handling of OCSP response verification that could allow denial of service attacks. (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)", "cvss3": {}, "published": "2013-06-11T00:00:00", "type": "nessus", "title": "OpenSSL < 0.9.8y / 1.0.1d / 1.0.0k Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "6868.PRM", "href": "https://www.tenable.com/plugins/nnm/6868", "sourceData": "Binary data 6868.prm", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-24T14:34:13", "description": "According to its banner, the remote web server is running a version of OpenSSL 1.0.0 prior to 1.0.0k. The OpenSSL library is, therefore, reportedly affected by the following vulnerabilities :\n\n - An error exists related to the handling of OCSP response verification that could allow denial of service attacks.\n (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)", "cvss3": {}, "published": "2013-02-09T00:00:00", "type": "nessus", "title": "OpenSSL 1.0.0 < 1.0.0k Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2023-08-21T00:00:00", "cpe": ["cpe:/a:openssl:openssl"], "id": "OPENSSL_1_0_0K.NASL", "href": "https://www.tenable.com/plugins/nessus/64533", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64533);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/08/21\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57778, 60268);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"OpenSSL 1.0.0 < 1.0.0k Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host may be affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its banner, the remote web server is running a version\nof OpenSSL 1.0.0 prior to 1.0.0k. The OpenSSL library is, therefore,\nreportedly affected by the following vulnerabilities :\n\n - An error exists related to the handling of OCSP response\n verification that could allow denial of service attacks.\n (CVE-2013-0166)\n\n - An error exists related to the SSL/TLS/DTLS protocols,\n CBC mode encryption and response time. An attacker\n could obtain plaintext contents of encrypted traffic via\n timing attacks. (CVE-2013-0169)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/news/secadv/20130204.txt\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to OpenSSL 1.0.0k or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0169\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:openssl:openssl\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"openssl_version.nasl\", \"openssl_nix_installed.nbin\", \"openssl_win_installed.nbin\");\n script_require_keys(\"installed_sw/OpenSSL\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras_openssl.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'OpenSSL');\n\nvcf::check_all_backporting(app_info:app_info);\n\nvar constraints = [{ 'min_version' : \"1.0.0\", 'fixed_version' : '1.0.0k'}];\n\nvcf::openssl::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:53", "description": "USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and CVE-2012-2686 was reverted in USN-1732-2 because of a regression.\nThis update restores the security fix, and includes an extra fix from upstream to address the AES-NI regression. We apologize for the inconvenience.\n\nAdam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2012-2686)\n\nNadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the 'Lucky Thirteen' issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.\n(CVE-2013-0169).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-03-26T00:00:00", "type": "nessus", "title": "Ubuntu 12.04 LTS / 12.10 : openssl vulnerability (USN-1732-3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2686", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libssl1.0.0", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.10"], "id": "UBUNTU_USN-1732-3.NASL", "href": "https://www.tenable.com/plugins/nessus/65684", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1732-3. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65684);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2012-2686\", \"CVE-2013-0169\");\n script_bugtraq_id(57778);\n script_xref(name:\"USN\", value:\"1732-3\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 12.10 : openssl vulnerability (USN-1732-3)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security-related patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169\nand CVE-2012-2686 was reverted in USN-1732-2 because of a regression.\nThis update restores the security fix, and includes an extra fix from\nupstream to address the AES-NI regression. We apologize for the\ninconvenience.\n\nAdam Langley and Wolfgang Ettlingers discovered that OpenSSL\nincorrectly handled certain crafted CBC data when used with AES-NI. A\nremote attacker could use this issue to cause OpenSSL to crash,\nresulting in a denial of service. This issue only affected Ubuntu\n12.04 LTS and Ubuntu 12.10. (CVE-2012-2686)\n\nNadhem Alfardan and Kenny Paterson discovered that the TLS\nprotocol as used in OpenSSL was vulnerable to a timing\nside-channel attack known as the 'Lucky Thirteen' issue. A\nremote attacker could use this issue to perform\nplaintext-recovery attacks via analysis of timing data.\n(CVE-2013-0169).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://usn.ubuntu.com/1732-3/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libssl1.0.0 package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl1.0.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2022 Canonical, Inc. / NASL script (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04|12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 12.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libssl1.0.0\", pkgver:\"1.0.1-4ubuntu5.8\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"libssl1.0.0\", pkgver:\"1.0.1c-3ubuntu2.3\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssl1.0.0\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T15:11:23", "description": "An improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)", "cvss3": {}, "published": "2013-09-04T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-163)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:java-1.6.0-openjdk", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc", "p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2013-163.NASL", "href": "https://www.tenable.com/plugins/nessus/69722", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-163.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69722);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_xref(name:\"ALAS\", value:\"2013-163\");\n script_xref(name:\"RHSA\", value:\"2013:0273\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-163)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An improper permission check issue was discovered in the JMX component\nin OpenJDK. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2013-163.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update java-1.6.0-openjdk' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-1.6.0.0-56.1.11.8.51.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-56.1.11.8.51.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-56.1.11.8.51.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-56.1.11.8.51.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-56.1.11.8.51.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-56.1.11.8.51.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:49", "description": "Update to 1.0.1e\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-04-03T00:00:00", "type": "nessus", "title": "Fedora 18 : mingw-openssl-1.0.1e-1.fc18 (2013-4403)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4929", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:mingw-openssl", "cpe:/o:fedoraproject:fedora:18"], "id": "FEDORA_2013-4403.NASL", "href": "https://www.tenable.com/plugins/nessus/65776", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-4403.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65776);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2012-4929\", \"CVE-2013-0169\");\n script_xref(name:\"FEDORA\", value:\"2013-4403\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Fedora 18 : mingw-openssl-1.0.1e-1.fc18 (2013-4403)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Fedora host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Update to 1.0.1e\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=920868\");\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1a03210e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected mingw-openssl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Fedora Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"mingw-openssl-1.0.1e-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-openssl\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:58", "description": "Multiple vulnerabilities have been found in OpenSSL. The Common Vulnerabilities and Exposures project identifies the following issues :\n\n - CVE-2013-0166 OpenSSL does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service via an invalid key.\n\n - CVE-2013-0169 A timing side channel attack has been found in CBC padding allowing an attacker to recover pieces of plaintext via statistical analysis of crafted packages, known as the 'Lucky Thirteen' issue.", "cvss3": {}, "published": "2013-02-14T00:00:00", "type": "nessus", "title": "Debian DSA-2621-1 : openssl - several vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:openssl", "cpe:/o:debian:debian_linux:6.0"], "id": "DEBIAN_DSA-2621.NASL", "href": "https://www.tenable.com/plugins/nessus/64623", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2621. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64623);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57755, 57778);\n script_xref(name:\"DSA\", value:\"2621\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Debian DSA-2621-1 : openssl - several vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Multiple vulnerabilities have been found in OpenSSL. The Common\nVulnerabilities and Exposures project identifies the following issues\n:\n\n - CVE-2013-0166\n OpenSSL does not properly perform signature verification\n for OCSP responses, which allows remote attackers to\n cause a denial of service via an invalid key.\n\n - CVE-2013-0169\n A timing side channel attack has been found in CBC\n padding allowing an attacker to recover pieces of\n plaintext via statistical analysis of crafted packages,\n known as the 'Lucky Thirteen' issue.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699889\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-0166\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2013-0169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/squeeze/openssl\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2013/dsa-2621\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the openssl packages.\n\nFor the stable distribution (squeeze), these problems have been fixed\nin version 0.9.8o-4squeeze14.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libcrypto0.9.8-udeb\", reference:\"0.9.8o-4squeeze14\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libssl-dev\", reference:\"0.9.8o-4squeeze14\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libssl0.9.8\", reference:\"0.9.8o-4squeeze14\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libssl0.9.8-dbg\", reference:\"0.9.8o-4squeeze14\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"openssl\", reference:\"0.9.8o-4squeeze14\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T14:50:01", "description": "java-1_6_0-openjdk has been updated to IcedTea 1.12.3 (bnc#804654) which contains security and bugfixes :\n\n - Security fixes\n\n - S8006446: Restrict MBeanServer access. (CVE-2013-1486)\n\n - S8006777: Improve TLS handling of invalid messages Lucky 13. (CVE-2013-0169)\n\n - S8007688: Blacklist known bad certificate (issued by DigiCert)\n\n - Backports\n\n - S8007393: Possible race condition after JDK-6664509\n\n - S8007611: logging behavior in applet changed\n\n - Bug fixes\n\n - PR1319: Support GIF lib v5.", "cvss3": {}, "published": "2013-02-24T00:00:00", "type": "nessus", "title": "SuSE 11.2 Security Update : Java (SAT Patch Number 7385)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk", "p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk-demo", "p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk-devel", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_JAVA-1_6_0-OPENJDK-130221.NASL", "href": "https://www.tenable.com/plugins/nessus/64863", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64863);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"SuSE 11.2 Security Update : Java (SAT Patch Number 7385)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SuSE 11 host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"java-1_6_0-openjdk has been updated to IcedTea 1.12.3 (bnc#804654)\nwhich contains security and bugfixes :\n\n - Security fixes\n\n - S8006446: Restrict MBeanServer access. (CVE-2013-1486)\n\n - S8006777: Improve TLS handling of invalid messages Lucky\n 13. (CVE-2013-0169)\n\n - S8007688: Blacklist known bad certificate (issued by\n DigiCert)\n\n - Backports\n\n - S8007393: Possible race condition after JDK-6664509\n\n - S8007611: logging behavior in applet changed\n\n - Bug fixes\n\n - PR1319: Support GIF lib v5.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.novell.com/show_bug.cgi?id=804654\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/security/cve/CVE-2013-0169.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/security/cve/CVE-2013-1486.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply SAT patch number 7385.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"java-1_6_0-openjdk-1.6.0.0_b27.1.12.3-0.2.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.3-0.2.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.3-0.2.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"java-1_6_0-openjdk-1.6.0.0_b27.1.12.3-0.2.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"java-1_6_0-openjdk-demo-1.6.0.0_b27.1.12.3-0.2.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"java-1_6_0-openjdk-devel-1.6.0.0_b27.1.12.3-0.2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-05T14:52:08", "description": "From Red Hat Security Advisory 2013:0274 :\n\nUpdated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "cvss3": {}, "published": "2013-07-12T00:00:00", "type": "nessus", "title": "Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2013-0274)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:java-1.6.0-openjdk", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-demo", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-devel", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-javadoc", "p-cpe:/a:oracle:linux:java-1.6.0-openjdk-src", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2013-0274.NASL", "href": "https://www.tenable.com/plugins/nessus/68735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:0274 and \n# Oracle Linux Security Advisory ELSA-2013-0274 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68735);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_bugtraq_id(57778, 58029);\n script_xref(name:\"RHSA\", value:\"2013:0274\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2013-0274)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"From Red Hat Security Advisory 2013:0274 :\n\nUpdated java-1.6.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component\nin OpenJDK. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2013-February/003271.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.6.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.35.1.11.8.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.35.1.11.8.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.35.1.11.8.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.35.1.11.8.0.1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.35.1.11.8.0.1.el5_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:17:09", "description": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. (CVE-2013-1620)", "cvss3": {}, "published": "2014-10-10T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : TLS in Mozilla NSS vulnerability (K15630)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL15630.NASL", "href": "https://www.tenable.com/plugins/nessus/78198", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K15630.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78198);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1620\");\n script_bugtraq_id(57777, 57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"F5 Networks BIG-IP : TLS in Mozilla NSS vulnerability (K15630)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The TLS implementation in Mozilla Network Security Services (NSS) does\nnot properly consider timing side-channel attacks on a noncompliant\nMAC check operation during the processing of malformed CBC padding,\nwhich allows remote attackers to conduct distinguishing attacks and\nplaintext-recovery attacks via statistical analysis of timing data for\ncrafted packets, a related issue to CVE-2013-0169. (CVE-2013-1620)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K15630\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K15630.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K15630\";\nvmatrix = make_array();\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.3.0-11.5.3\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.4.0-11.5.3\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.5.3\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.5.3\",\"10.0.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.5.3\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.5.3\",\"10.0.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.0\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.5.3\",\"10.0.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.5.3\",\"10.0.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.3.0-11.5.3\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.0\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T14:50:56", "description": "Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "cvss3": {}, "published": "2013-02-27T00:00:00", "type": "nessus", "title": "CentOS 5 : java-1.6.0-openjdk (CESA-2013:0274)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:centos:centos:java-1.6.0-openjdk", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc", "p-cpe:/a:centos:centos:java-1.6.0-openjdk-src", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2013-0274.NASL", "href": "https://www.tenable.com/plugins/nessus/64896", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0274 and \n# CentOS Errata and Security Advisory 2013:0274 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64896);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_xref(name:\"RHSA\", value:\"2013:0274\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"CentOS 5 : java-1.6.0-openjdk (CESA-2013:0274)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated java-1.6.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component\nin OpenJDK. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\");\n # https://lists.centos.org/pipermail/centos-announce/2013-February/019255.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2590176d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected java-1.6.0-openjdk packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1486\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-demo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-04T14:51:15", "description": "Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further information.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.", "cvss3": {}, "published": "2013-02-21T00:00:00", "type": "nessus", "title": "RHEL 5 : java-1.6.0-openjdk (RHSA-2013:0274)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc", "p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:5.9"], "id": "REDHAT-RHSA-2013-0274.NASL", "href": "https://www.tenable.com/plugins/nessus/64747", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0274. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64747);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_xref(name:\"RHSA\", value:\"2013:0274\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"RHEL 5 : java-1.6.0-openjdk (RHSA-2013:0274)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"Updated java-1.6.0-openjdk packages that fix two security issues are\nnow available for Red Hat Enterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nThese packages provide the OpenJDK 6 Java Runtime Environment and the\nOpenJDK 6 Software Development Kit.\n\nAn improper permission check issue was discovered in the JMX component\nin OpenJDK. An untrusted Java application or applet could use this\nflaw to bypass Java sandbox restrictions. (CVE-2013-1486)\n\nIt was discovered that OpenJDK leaked timing information when\ndecrypting TLS/SSL protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL\nserver as a padding oracle. (CVE-2013-0169)\n\nThis erratum also upgrades the OpenJDK package to IcedTea6 1.11.8.\nRefer to the NEWS file, linked to in the References, for further\ninformation.\n\nAll users of java-1.6.0-openjdk are advised to upgrade to these\nupdated packages, which resolve these issues. All running instances of\nOpenJDK Java must be restarted for the update to take effect.\");\n # http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6-1.11.8/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?501e0ece\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2013:0274\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2013-0169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2013-1486\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0274\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-debuginfo-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-demo-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-devel-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-javadoc-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"java-1.6.0-openjdk-src-1.6.0.0-1.35.1.11.8.el5_9\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"java-1.6.0-openjdk / java-1.6.0-openjdk-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:35:00", "description": "The version of stunnel installed on the remote host is a version after 4.21 and prior to 4.55. It is, therefore, affected by the following vulnerabilities :\n\n - The bundled version of OpenSSL contains an error related to CBC-mode and timing that allows an attacker to recover plaintext from encrypted communications.\n (CVE-2013-0169)\n\n - A buffer overflow condition exists related to NTLM authentication. Note this issue does not affect 32-bit builds.(CVE-2013-1762)", "cvss3": {}, "published": "2013-03-26T00:00:00", "type": "nessus", "title": "stunnel 4.21 - 4.54 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1762"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:stunnel:stunnel"], "id": "STUNNEL_4_55.NASL", "href": "https://www.tenable.com/plugins/nessus/65690", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65690);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1762\");\n script_bugtraq_id(57778, 58277);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"stunnel 4.21 - 4.54 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a program that is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of stunnel installed on the remote host is a version\nafter 4.21 and prior to 4.55. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - The bundled version of OpenSSL contains an error related\n to CBC-mode and timing that allows an attacker to\n recover plaintext from encrypted communications.\n (CVE-2013-0169)\n\n - A buffer overflow condition exists related to NTLM\n authentication. Note this issue does not affect 32-bit\n builds.(CVE-2013-1762)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.stunnel.org/?page=sdf_ChangeLog\");\n # http://www.stunnel.org/pipermail/stunnel-announce/2013-March/000072.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0bf4f9d5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.stunnel.org/CVE-2013-1762.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to stunnel version 4.55 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1762\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:stunnel:stunnel\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"stunnel_installed.nasl\");\n script_require_keys(\"installed_sw/stunnel\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = 'stunnel';\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nversion = install[\"version\"];\npath = install[\"path\"];\n\n# Affected 4.21 >= stunnel < 4.55\nif (version =~ \"^4\\.(2[1-9]|[34][0-9]|5[0-4])($|[^0-9])\")\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 4.55\\n';\n security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:54", "description": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169. (CVE-2016-2107)", "cvss3": {}, "published": "2016-11-21T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : OpenSSL vulnerability (K93600123)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:f5:big-ip_access_policy_manager", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/h:f5:big-ip", "cpe:/h:f5:big-ip_protocol_security_manager"], "id": "F5_BIGIP_SOL93600123.NASL", "href": "https://www.tenable.com/plugins/nessus/94986", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K93600123.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94986);\n script_version(\"3.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2013-0169\", \"CVE-2016-2107\");\n script_bugtraq_id(57778);\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"F5 Networks BIG-IP : OpenSSL vulnerability (K93600123)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before\n1.0.2h does not consider memory allocation during a certain padding\ncheck, which allows remote attackers to obtain sensitive cleartext\ninformation via a padding-oracle attack against an AES CBC session,\nNOTE: this vulnerability exists because of an incorrect fix for\nCVE-2013-0169. (CVE-2016-2107)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.f5.com/csp/article/K93600123\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K93600123.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K93600123\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"11.4.0-11.6.1\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.0.0-12.1.2\",\"11.6.1HF2\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.1HF1\",\"11.5.4HF3\",\"11.6.1HF1\",\"11.5.4HF3\",\"11.6.1HF1\",\"11.5.4HF3\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"11.2.1\",\"10.2.1-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\",\"12.0.0-12.1.2\",\"11.6.0-11.6.1\",\"11.5.0-11.5.4\",\"12.0.0-12.1.1\",\"11.6.0-11.6.1\",\"11.4.0-11.5.4\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2HF1\",\"11.6.1HF1\",\"11.5.4HF3\",\"13.0.0\",\"12.1.2\",\"11.6.1HF1\",\"11.5.4HF3\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_note(port:0, extra:bigip_report_get());\n else security_note(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:56", "description": "It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)\n\nA NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially- crafted response. (CVE-2013-0166)\n\nIt was discovered that the TLS/SSL protocol could leak information about plain text when optional compression was used. An attacker able to control part of the plain text sent over an encrypted TLS/SSL connection could possibly use this flaw to recover other portions of the plain text. (CVE-2012-4929)\n\nNote: This update disables zlib compression, which was previously enabled in OpenSSL by default. Applications using OpenSSL now need to explicitly enable zlib compression to use it.\n\nIt was found that OpenSSL read certain environment variables even when used by a privileged (setuid or setgid) application. A local attacker could use this flaw to escalate their privileges. No application shipped with Scientific Linux 5 and 6 was affected by this problem.\n\nFor the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.", "cvss3": {}, "published": "2013-03-05T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : openssl on SL5.x, SL6.x i386/x86_64 (20130304)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-4929", "CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:openssl", "p-cpe:/a:fermilab:scientific_linux:openssl-debuginfo", "p-cpe:/a:fermilab:scientific_linux:openssl-devel", "p-cpe:/a:fermilab:scientific_linux:openssl-perl", "p-cpe:/a:fermilab:scientific_linux:openssl-static", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20130304_OPENSSL_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/65022", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65022);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2012-4929\", \"CVE-2013-0166\", \"CVE-2013-0169\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Scientific Linux Security Update : openssl on SL5.x, SL6.x i386/x86_64 (20130304)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that OpenSSL leaked timing information when\ndecrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode\ncipher suites were used. A remote attacker could possibly use this\nflaw to retrieve plain text from the encrypted packets by using a\nTLS/SSL or DTLS server as a padding oracle. (CVE-2013-0169)\n\nA NULL pointer dereference flaw was found in the OCSP response\nverification in OpenSSL. A malicious OCSP server could use this flaw\nto crash applications performing OCSP verification by sending a\nspecially- crafted response. (CVE-2013-0166)\n\nIt was discovered that the TLS/SSL protocol could leak information\nabout plain text when optional compression was used. An attacker able\nto control part of the plain text sent over an encrypted TLS/SSL\nconnection could possibly use this flaw to recover other portions of\nthe plain text. (CVE-2012-4929)\n\nNote: This update disables zlib compression, which was previously\nenabled in OpenSSL by default. Applications using OpenSSL now need to\nexplicitly enable zlib compression to use it.\n\nIt was found that OpenSSL read certain environment variables even when\nused by a privileged (setuid or setgid) application. A local attacker\ncould use this flaw to escalate their privileges. No application\nshipped with Scientific Linux 5 and 6 was affected by this problem.\n\nFor the update to take effect, all services linked to the OpenSSL\nlibrary must be restarted, or the system rebooted.\");\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1303&L=scientific-linux-errata&T=0&P=1414\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de223d65\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:openssl-static\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"openssl-0.9.8e-26.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssl-debuginfo-0.9.8e-26.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssl-devel-0.9.8e-26.el5_9.1\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"openssl-perl-0.9.8e-26.el5_9.1\")) flag++;\n\nif (rpm_check(release:\"SL6\", reference:\"openssl-1.0.0-27.el6_4.2\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"openssl-debuginfo-1.0.0-27.el6_4.2\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"openssl-devel-1.0.0-27.el6_4.2\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"openssl-perl-1.0.0-27.el6_4.2\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"openssl-static-1.0.0-27.el6_4.2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-debuginfo / openssl-devel / openssl-perl / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:17", "description": "Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2012-2686)\n\nStephen Henson discovered that OpenSSL incorrectly performed signature verification for OCSP responses. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service.\n(CVE-2013-0166)\n\nNadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the 'Lucky Thirteen' issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.\n(CVE-2013-0169).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2013-02-22T00:00:00", "type": "nessus", "title": "Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openssl vulnerabilities (USN-1732-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-2686", "CVE-2013-0166", "CVE-2013-0169"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libssl0.9.8", "p-cpe:/a:canonical:ubuntu_linux:libssl1.0.0", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:11.10", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts"], "id": "UBUNTU_USN-1732-1.NASL", "href": "https://www.tenable.com/plugins/nessus/64798", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1732-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64798);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2012-2686\", \"CVE-2013-0166\", \"CVE-2013-0169\");\n script_bugtraq_id(57755, 57778);\n script_xref(name:\"USN\", value:\"1732-1\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0547\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : openssl vulnerabilities (USN-1732-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\");\n script_set_attribute(attribute:\"description\", value:\n\"Adam Langley and Wolfgang Ettlingers discovered that OpenSSL\nincorrectly handled certain crafted CBC data when used with AES-NI. A\nremote attacker could use this issue to cause OpenSSL to crash,\nresulting in a denial of service. This issue only affected Ubuntu\n12.04 LTS and Ubuntu 12.10. (CVE-2012-2686)\n\nStephen Henson discovered that OpenSSL incorrectly performed signature\nverification for OCSP responses. A remote attacker could use this\nissue to cause OpenSSL to crash, resulting in a denial of service.\n(CVE-2013-0166)\n\nNadhem Alfardan and Kenny Paterson discovered that the TLS protocol as\nused in OpenSSL was vulnerable to a timing side-channel attack known\nas the 'Lucky Thirteen' issue. A remote attacker could use this issue\nto perform plaintext-recovery attacks via analysis of timing data.\n(CVE-2013-0169).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://usn.ubuntu.com/1732-1/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected libssl0.9.8 and / or libssl1.0.0 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl0.9.8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libssl1.0.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2022 Canonical, Inc. / NASL script (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(8\\.04|10\\.04|11\\.10|12\\.04|12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 10.04 / 11.10 / 12.04 / 12.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libssl0.9.8\", pkgver:\"0.9.8g-4ubuntu3.20\")) flag++;\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libssl0.9.8\", pkgver:\"0.9.8k-7ubuntu8.14\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"libssl1.0.0\", pkgver:\"1.0.0e-2ubuntu4.7\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libssl1.0.0\", pkgver:\"1.0.1-4ubuntu5.6\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"libssl1.0.0\", pkgver:\"1.0.1c-3ubuntu2.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libssl0.9.8 / libssl1.0.0\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "f5": [{"lastseen": "2021-06-08T18:44:24", "description": "Vulnerability Recommended Actions\n\n * BIG-IP\n * FirePass\n * Enterprise Manager\n * ARX\n\n**BIG-IP**\n\nThe following section describes affected BIG-IP components and how to protect those components from potential exploit.\n\nMitigating the exploit for the MGMT interface and the Configuration utility\n\nThe BIG-IP Configuration utility is vulnerable. To mitigate potential exploit,\u00c2 F5 recommends that you limit network access to the management\u00c2 (MGMT) interface to a secure, management-only network.\n\nYou can change the default cipher string for the BIG-IP Configuration utility. For example, to change the cipher string for the Configuration utility to use the RC4-SHA cipher, refer to the following commands:\n\nBIG-IP 10.x - 11.x\n\ntmsh modify /sys httpd ssl-ciphersuite RC4-SHA\n\nMitigating the exploit for SSL/TLS virtual servers\n\nTo\u00c2 mitigate potential exploit for SSL/TLS virtual servers, you can configure the SSL profile to prefer non-CBC ciphers. To do so, perform the following steps:\n\n**Impact of workaround:** Changing the ciphers supported by the SSL profile may result in clients being unable to establish an SSL connection.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **Local Traffic** > **Profiles**.\n 3. In the **SSL** list, choose **Client**.\n 4. Click **Create**.\n 5. Type a name for the **SSL** profile.\n 6. In the **Parent Profile** list, choose **clientssl**.\n 7. In the **Configuration** list, choose **Advanced**.\n 8. Click the **Custom** box for **Ciphers**.\n 9. From the **Ciphers** box, delete the DEFAULT cipher string.\n 10. In the **Ciphers** box, enter the desired cipher string. \n\nFor BIG-IP 11.5.0 and later, configure the cipher string to prefer non-CBC ciphers. For example, the following string configures the SSL profile to prefer AES-GCM ciphers first, then RC4-SHA ciphers, before resorting to the DEFAULT string, which contains CBC ciphers:\n\nAES-GCM:RC4-SHA:DEFAULT\n\nFor BIG-IP 11.4.0 and earlier, the following cipher string configures the SSL profile to prefer RC4-SHA before resorting to the DEFAULT string, which contains CBC ciphers:\n\nRC4-SHA:DEFAULT\n\n 11. Click **Finished**.\n 12. You must now associate the SSL profile with the virtual server.\n\n**FirePass**\n\nTo protect the FirePass Controller Administrator interface from potential exploit, perform the following procedure:\n\n**Changing the cipher string for the FirePass Administrator interface**\n\n**Impact of procedure**: Changing the cipher string may prevent some connections to the Administrator interface.\n\n 1. Log in to the FirePass Administrator interface.\n 2. Navigate to **Device Management** >** Security** > **User Access Security page **> **SSL Cipher Security**.\n 3. Click **Medium-Grade Security**.\n 4. Click **Apply**.\n\n**Enterprise Manager**\n\nTo protect the Enterprise Manager Configuration utility from potential exploit, F5 recommends that you limit network access to the MGMT\u00c2 interface to a secure, management-only network.\n\nYou can also change the default cipher string for the Enterprise Manager Configuration utility. For example, to change the cipher string for the Configuration utility to use the RC4-SHA cipher, refer to the following commands:\n\nEnterprise Manager 3.x\n\ntmsh modify /sys httpd ssl-ciphersuite RC4-SHA\n\nEnterprise Manager 2.x\n\nbigpipe httpd sslciphersuite RC4-SHA\n\n**ARX**\n\nThe following section describes how to protect the ARX Manager GUI from potential exploit (6.2.0 and later).\n\n**Changing the ARX Manager GUI cipher string (6.2.0 and later)**\n\n**Impact of procedure:** Changing the cipher string may prevent some connections to the ARX Manager GUI.\n\n 1. Log in to the ARX CLI.\n 2. Enable privileged mode by typing the following command: \n\nenable\n\n 3. Enable config mode by typing the following command: \n\nconfig\n\n 4. Enter ssl mode by typing the following command: \n\nssl\n\n 5. Change the cipher string by typing the following command \n\ncipher ssl-rsa-with-rc4-128-sha\u00c2 \n\n 6. Exit the menu by typing the following command: \n\nend\n\nAcknowledgements\n\nF5 would like to acknowledge Nadhem J. AlFardan and Kenneth G. Paterson of the Information Security Group Royal Holloway, University of London for bringing this issue to our attention, and for following the highest standards of responsible disclosure.\n\nSupplemental Information\n\n * <http://www.isg.rhul.ac.uk/tls/>\n\n**Note**: This link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n * SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles\n * SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)\n * SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x)\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL9502: BIG-IP hotfix matrix\n * SOL10322: FirePass hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "cvss3": {}, "published": "2013-02-08T00:00:00", "type": "f5", "title": "SOL14190 - TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2016-09-28T00:00:00", "id": "SOL14190", "href": "http://support.f5.com/kb/en-us/solutions/public/14000/100/sol14190.html", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2023-04-03T10:29:52", "description": "A vulnerability exists in the TLS and DTLS protocols that may allow an attacker to recover plaintext from TLS/DTLS connections that use CBC-mode encryption. ([CVE-2013-0169](<https://vulners.com/cve/CVE-2013-0169>))\n\n**Note**: Stream ciphers, such as RC4, are not vulnerable to this issue.\n\nImpact\n\nThe vulnerability may allow an attacker to recover plaintext from TLS/DTLS connections.\n", "cvss3": {}, "published": "2015-04-30T23:32:00", "type": "f5", "title": "TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2020-01-24T15:24:00", "id": "F5:K14190", "href": "https://support.f5.com/csp/article/K14190", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-10-12T02:11:18", "description": " \n\n\nThe _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169. ([CVE-2013-2116](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2116>)) \n\n\nImpact \n\n\nNone. No F5 products are affected by this vulnerability. \n\n\n**Note**: F5 Product Development has determined that BIG-IP, BIG-IQ, and Enterprise Manager versions ship with vulnerable GnuTLS code. However, the vulnerable code is not used as a server or to make outgoing connections, and is not exploitable.\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "cvss3": {}, "published": "2014-10-06T23:13:00", "type": "f5", "title": "GnuTLS vulnerability CVE-2013-2116", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-2116"], "modified": "2016-01-09T02:20:00", "id": "F5:K15637", "href": "https://support.f5.com/csp/article/K15637", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2021-06-08T18:49:04", "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists. \n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "cvss3": {}, "published": "2014-09-25T00:00:00", "type": "f5", "title": "SOL15630 - TLS in Mozilla NSS vulnerability CVE-2013-1620", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "modified": "2016-07-25T00:00:00", "id": "SOL15630", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15630.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-11-09T00:10:02", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {}, "published": "2014-10-23T00:00:00", "type": "f5", "title": "SOL15721 - GnuTLS vulnerability CVE-2013-1619", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1619"], "modified": "2014-10-23T00:00:00", "id": "SOL15721", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/700/sol15721.html", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-06-08T18:45:12", "description": "2 IPsec is vulnerable only in phase 1 IKE (racoon), if configured to use AES-CBC.\n\nVulnerability Recommended Actions\n\nIf you are running a version listed in the** Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP\n\nTo mitigate this vulnerability, you should consider the following recommendations: \n \nIf SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:\n\n * SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)\n * SOL13171: Configuring the cipher strength for SSL profiles (11.x)\n * SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings\n\nTo mitigate this vulnerability for IPsec implementations, you should restrict access to the IPsec tunnel to minimize exposure, and/or consider using an IKE Phase 1 Algorithm other than AES to avoid the vulnerable code. \n \n**Impact of workaround**: F5 recommends testing any such changes in an appropriate environment.\n\nTo minimize risk, access to the management interface should be restricted to minimize exposure to control-plane daemons.\n\nTo confirm support for AES-NI, on any running platform, perform the following procedure:\n\n 1. Log in to the BIG-IP command line.\n 2. Determine CPU support for AES-NI instructions by typing the following command: \n \ncat /proc/cpuinfo | grep '^flags' | grep aes \n \nIf nothing is returned, the CPU does not support AES-NI, and is therefore not vulnerable.\nBIG-IQ/Enterprise Manager\n\nTo minimize risk, access to the management interface should be restricted to minimize exposure to control-plane daemons.\n\nARX\n\nTo mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.\n\nLineRate\n\nTo mitigate this vulnerability, you can disable AES-NI processor support in the BIOS or hypervisor. \n \n**Impact of workaround**: System performance will be negatively impacted by disabling this feature.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL9502: BIG-IP hotfix matrix\n", "cvss3": {}, "published": "2016-05-06T00:00:00", "type": "f5", "title": "SOL93600123 - OpenSSL vulnerability CVE-2016-2107", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2016-11-18T00:00:00", "id": "SOL93600123", "href": "http://support.f5.com/kb/en-us/solutions/public/k/93/sol93600123.html", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2023-06-27T09:08:23", "description": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. ([CVE-2013-1620](<https://vulners.com/cve/CVE-2013-1620>))\n\nImpact\n\nNSS is installed; however, it is only used by RPM for fetching packages over HTTPS, which is not supported in BIG-IP or Enterprise Manager systems.\n", "cvss3": {}, "published": "2014-09-25T22:56:00", "type": "f5", "title": "TLS in Mozilla NSS vulnerability CVE-2013-1620", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "modified": "2017-03-14T19:05:00", "id": "F5:K15630", "href": "https://support.f5.com/csp/article/K15630", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2016-11-09T00:09:29", "description": "Recommended action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "cvss3": {}, "published": "2014-10-06T00:00:00", "type": "f5", "title": "SOL15637 - GnuTLS vulnerability CVE-2013-2116", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-2116"], "modified": "2014-10-16T00:00:00", "id": "SOL15637", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15637.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-11-15T03:21:15", "description": "\nF5 Product Development has assigned IDs 591042, 591325, 591327, 591328, and 591329 (BIG-IP), ID 594024 (BIG-IQ and F5 iWorkflow), ID 594030 (Enterprise Manager), ID 500324 (ARX), and LRS-60732 (LineRate) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth>) may list Heuristic H591062-2 on the **Diagnostics** > **Identified** > **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP AAM | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP AFM | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP Analytics | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP APM | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.1 HF2 | Medium | Oracle SDK for OAM \nBIG-IP ASM | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP DNS | 12.0.0 - 12.1.1 | 13.0.0 \n12.1.2 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 | 13.0.0 \n12.1.2 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 | 13.0.0 \n12.1.2 HF1 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 | 13.0.0 \n12.1.2 | Medium | Big3D1 \nBIG-IP Edge Gateway | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Data Plane1: COMPAT SSL/TLS ciphers \nBIG-IP GTM | 11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP Link Controller | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 \n11.2.1 \n10.2.1 - 10.2.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP PEM | 12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 \n11.5.0 - 11.5.4 | 13.0.0 \n12.1.2 HF1 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | iAppsLX1 (f5-rest-node) \n12.0.0 - 12.1.1 \n11.6.0 - 11.6.1 \n11.4.0 - 11.5.4 | 13.0.0 \n12.1.2 \n11.6.1 HF1 \n11.5.4 HF3 | Medium | Big3D1 \nBIG-IP PSM | 11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Big3D1 \nBIG-IP WebAccelerator | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Big3D1 \nBIG-IP WOM | 11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Control Plane1: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec2, iRulesLX \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Data Plane1: COMPAT SSL/TLS ciphers \n11.2.1 \n10.2.1 - 10.2.4 | None | Medium | Big3D1 \nARX | 6.2.0 - 6.4.0 | None | Medium | OpenSSL (when accessing the ARX management IP) \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | OpenSSL1 \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | OpenSSL1 \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | OpenSSL1 \nBIG-IQ ADC | 4.5.0 | None | Medium | OpenSSL1 \nBIG-IQ Centralized Management | 5.0.0 \n4.6.0 | 5.1.0 | Medium | OpenSSL1 \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | OpenSSL1 \nF5 iWorkflow | 2.0.0 | 2.0.1 | Medium | OpenSSL1 \nLineRate | 2.2.0 - 2.6.1 | 2.0 - 2.1 \n1.6.3 | High | OpenSSL \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None \n \n1 Only F5 platforms with AES-NI support in the CPU are vulnerable. Virtual Edition (VE) installations may or may not be vulnerable, depending on the underlying CPU and hypervisor support for AES-NI instructions. The following hardware platforms are vulnerable:\n\n * **BIG-IP appliances**: 2000s (C112), 2200s (C112), 4000s (C113), 4200v (C113), 5000s (C109), 5050s (C109), 5200v (C109), 5250v (C109), 5250v FIPS (C109), 7000s (D110), 7050s (D110), 7200v (D110), 7200v FIPS (D110), 7250v (D110), 10000s (D113), 10050s (D113), 10055s (D113), 10150s NEBS (D112), 10200v (D113), 10200v FIPS (D113), 10200v SSL (D113), 10250v (D113), 10255v (D113), 10350v (D112), 10350v NEBS (D112), 11050 NEBS (E102), and 12250v (D111)\n * **VIPRION blades**: B2250 (A112), B4300 (A108), and B4340N NEBS (A110)\n\n2 IPsec is vulnerable only in phase 1 IKE (racoon), if configured to use AES-CBC.\n\nIf you are running a version listed in the** Versions known to be vulnerable **column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP\n\nTo mitigate this vulnerability, you should consider the following recommendations:\n\nIf SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:\n\n * [K13163: SSL ciphers supported on BIG-IP platforms (11.x - 13.x)](<https://support.f5.com/csp/article/K13163>)\n * [K13171: Configuring the cipher strength for SSL profiles (11.x)](<https://support.f5.com/csp/article/K13171>)\n * [K13187: COMPAT SSL ciphers are no longer included in standard cipher strings](<https://support.f5.com/csp/article/K13187>)\n\nTo mitigate this vulnerability for IPsec implementations, you should restrict access to the IPsec tunnel to minimize exposure, and/or consider using an IKE Phase 1 Algorithm other than AES to avoid the vulnerable code.\n\n**Impact of workaround**: F5 recommends that you test any such changes in an appropriate environment.\n\nTo minimize risk, access to the management interface should be restricted to minimize exposure to control-plane daemons.\n\nTo confirm support for AES-NI, on any running platform, perform the following procedure:\n\n 1. Log in to the BIG-IP command line.\n 2. Determine CPU support for AES-NI instructions by typing the following command: \n\ncat /proc/cpuinfo | grep '^flags' | grep aes\n\nIf nothing is returned, the CPU does not support AES-NI, and is therefore not vulnerable.\n\nBIG-IQ/Enterprise Manager\n\nTo minimize risk, you should restrict access to the management interface to minimize exposure to control-plane daemons.\n\nARX\n\nTo mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.\n\nLineRate\n\nTo mitigate this vulnerability, you can disable AES-NI processor support in the BIOS or hypervisor.\n\n**Impact of workaround**: System performance will be negatively impacted by disabling this feature.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n", "cvss3": {}, "published": "2016-05-07T03:39:00", "type": "f5", "title": "OpenSSL vulnerability CVE-2016-2107", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2018-04-20T21:49:00", "id": "F5:K93600123", "href": "https://support.f5.com/csp/article/K93600123", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-06-08T00:16:09", "description": "\nF5 Product Development has assigned ID 480121 to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM | None \n| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4 \n| None \nBIG-IP AAM | None | 11.4.0 - 11.6.0 \n| None \nBIG-IP AFM | None | 11.3.0 - 11.6.0 \n| None \nBIG-IP Analytics | None | 11.0.0 - 11.6.0 \n| None \nBIG-IP APM | None | 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4 \n| None \nBIG-IP ASM | None | 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4 | None \nBIG-IP Edge Gateway \n| None | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 \n| None \nBIG-IP GTM | None | 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4 \n| None \nBIG-IP Link Controller | None \n| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4 \n| None \nBIG-IP PEM | None \n| 11.3.0 - 11.6.0 \n| None \nBIG-IP PSM | None | 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4 \n| None \nBIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4 \n| None \nBIG-IP WOM | None | 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4 \n| None \nARX | None | 6.0.0 - 6.4.0 \n| None \nEnterprise Manager | None | 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0 \n| None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 \n| None \nBIG-IQ Cloud | None \n| 4.0.0 - 4.4.0 \n| None \nBIG-IQ Device | None \n| 4.2.0 - 4.4.0 \n| None \nBIG-IQ Security | None \n| 4.0.0 - 4.4.0 \n| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "cvss3": {}, "published": "2014-09-25T04:54:00", "type": "f5", "title": "wolfSSL CyaSSL vulnerability CVE-2013-1623", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1623", "CVE-2013-0169"], "modified": "2017-03-14T18:55:00", "id": "F5:K15622", "href": "https://support.f5.com/csp/article/K15622", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "slackware": [{"lastseen": "2019-05-30T07:37:28", "description": "New openssl packages are available for Slackware 14.0, and -current to\nfix a bug in openssl-1.0.1d.\n\n\nHere are the details from the Slackware 14.0 ChangeLog:\n\npatches/packages/openssl-1.0.1e-i486-1_slack14.0.txz: Upgraded.\n This release fixes a regression in openssl-1.0.1d, where the fix for\n CVE-2013-0169 caused data corruption on CPUs with AES-NI support.\npatches/packages/openssl-solibs-1.0.1e-i486-1_slack14.0.txz: Upgraded.\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1e-i486-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1e-i486-1_slack14.0.txz\n\nUpdated packages for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1e-x86_64-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1e-x86_64-1_slack14.0.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.1e-i486-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.1e-i486-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.1e-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.1e-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 packages:\n4df2d704e649667ef04093faa6920bba openssl-1.0.1e-i486-1_slack14.0.txz\n3525b7c4d2e1e54851080f731d70a835 openssl-solibs-1.0.1e-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 packages:\n1e1f09edce11cac2ffcff4b2324fb532 openssl-1.0.1e-x86_64-1_slack14.0.txz\n23c1ff47378361c758fb49d1b005eb13 openssl-solibs-1.0.1e-x86_64-1_slack14.0.txz\n\nSlackware -current packages:\n1dce1d27bc6dba3f1acd61972b0f2c63 a/openssl-solibs-1.0.1e-i486-1.txz\n3ef010a9da36b042d6724ebf00061192 n/openssl-1.0.1e-i486-1.txz\n\nSlackware x86_64 -current packages:\n9ef4661b4072028e2fe656d3ba3ed590 a/openssl-solibs-1.0.1e-x86_64-1.txz\n0c3bbbb3a280a36081e50b619ae292e4 n/openssl-1.0.1e-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg openssl-1.0.1e-i486-1_slack14.0.txz openssl-solibs-1.0.1e-i486-1_slack14.0.txz", "cvss3": {}, "published": "2013-02-11T23:49:59", "type": "slackware", "title": "openssl", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2013-0169"], "modified": "2013-02-11T23:49:59", "id": "SSA-2013-042-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.411625", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "openssl": [{"lastseen": "2023-10-01T06:52:00", "description": " A weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS which could lead to plaintext recovery by exploiting timing differences arising during MAC processing.\n", "cvss3": {}, "published": "2013-02-04T00:00:00", "type": "openssl", "title": "Vulnerability in OpenSSL - SSL, TLS and DTLS Plaintext Recovery Attack ", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2013-02-04T00:00:00", "id": "OPENSSL:CVE-2013-0169", "href": "https://www.openssl.org/news/secadv/20130205.txt", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-10-01T06:37:52", "description": " A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI. This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-03T00:00:00", "type": "openssl", "title": "Vulnerability in OpenSSL - Padding oracle in AES-NI CBC MAC check ", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2016-05-03T00:00:00", "id": "OPENSSL:CVE-2016-2107", "href": "https://www.openssl.org/news/secadv/20160503.txt", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "hackerone": [{"lastseen": "2023-09-03T22:08:43", "bounty": 0.0, "description": "Hello security team,\n\nThe site legalrobot.com is potentially vulnerable to the Lucky13.\n\nReference: \n---------\nhttps://bugzilla.redhat.com/show_bug.cgi?id=907589", "cvss3": {}, "published": "2017-07-30T20:00:47", "type": "hackerone", "title": "Legal Robot: LUCKY13 (CVE-2013-0169) effects legalrobot.com", "bulletinFamily": "bugbounty", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2017-07-30T20:13:10", "id": "H1:255041", "href": "https://hackerone.com/reports/255041", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2023-10-01T12:07:24", "description": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "debiancve", "title": "CVE-2013-0169", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169"], "modified": "2013-02-08T19:55:00", "id": "DEBIANCVE:CVE-2013-0169", "href": "https://security-tracker.debian.org/tracker/CVE-2013-0169", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-30T00:03:27", "description": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "debiancve", "title": "CVE-2013-1620", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "modified": "2013-02-08T19:55:00", "id": "DEBIANCVE:CVE-2013-1620", "href": "https://security-tracker.debian.org/tracker/CVE-2013-1620", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-10-01T12:07:24", "description": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "debiancve", "title": "CVE-2013-1624", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1624"], "modified": "2013-02-08T19:55:00", "id": "DEBIANCVE:CVE-2013-1624", "href": "https://security-tracker.debian.org/tracker/CVE-2013-1624", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-06-03T14:42:12", "description": "The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2016-05-05T01:59:00", "type": "debiancve", "title": "CVE-2016-2107", "bulletinFamily": "info", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2016-2107"], "modified": "2016-05-05T01:59:00", "id": "DEBIANCVE:CVE-2016-2107", "href": "https://security-tracker.debian.org/tracker/CVE-2016-2107", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-30T13:05:48", "description": "The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "cvss3": {}, "published": "2013-02-08T19:55:00", "type": "debiancve", "title": "CVE-2013-1619", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2013-1619"], "modified": "2013-02-08T19:55:00", "id": "DEBIANCVE:CVE-2013-1619", "href": "https://security-tracker.debian.org/tracker/CVE-2013-1619", "cvss": {"score": 4.0, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2023-06-23T14:39:17", "description": "ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-28T17:29:00", "type": "debiancve", "title": "CVE-2018-0497", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-0169", "CVE-2018-0497"], "modified": "2018-07-28T17:29:00", "id": "DEBIANCVE:CVE-2018-0497", "href": "https://security-tracker.debian.org/tracker/CVE-2018-0497", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2018-02-06T13:10:42", "description": "Check for the Version of openssl", "cvss3": {}, "published": "2013-03-05T00:00:00", "type": "openvas", "title": "Fedora Update for openssl FEDORA-2013-2834", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0166", "CVE-2013-0169"], "modified": "2018-02-05T00:00:00", "id": "OPENVAS:865421", "href": "http://plugins.openvas.org/nasl.php?oid=865421", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for openssl FEDORA-2013-2834\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"openssl on Fedora 18\";\ntag_insight = \"The OpenSSL toolkit provides support for secure communications between\n machines. OpenSSL includes a certificate management tool and shared\n libraries which provide various cryptographic algorithms and\n protocols.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099470.html\");\n script_id(865421);\n script_version(\"$Revision: 8672 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-05 17:39:18 +0100 (Mon, 05 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-05 09:41:43 +0530 (Tue, 05 Mar 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-0166\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2013-2834\");\n script_name(\"Fedora Update for openssl FEDORA-2013-2834\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of openssl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~1.0.1e~3.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:51:29", "description": "Check for the Version of java", "cvss3": {}, "published": "2013-02-22T00:00:00", "type": "openvas", "title": "CentOS Update for java CESA-2013:0273 centos6 ", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:881606", "href": "http://plugins.openvas.org/nasl.php?oid=881606", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for java CESA-2013:0273 centos6 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 6 Java Runtime Environment and the\n OpenJDK 6 Software Development Kit.\n\n An improper permission check issue was discovered in the JMX component in\n OpenJDK. An untrusted Java application or applet could use this flaw to\n bypass Java sandbox restrictions. (CVE-2013-1486)\n \n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n \n Note: If the web browser plug-in provided by the icedtea-web package was\n installed, CVE-2013-1486 could have been exploited without user interaction\n if a user visited a malicious website.\n \n This erratum also upgrades the OpenJDK package to IcedTea6 1.11.8. Refer to\n the NEWS file, linked to in the References, for further information.\n \n All users of java-1.6.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\";\n\n\ntag_solution = \"Please Install the Updated Packages.\";\ntag_affected = \"java on CentOS 6\";\n\n\n\n\nif(description)\n{\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2013-February/019252.html\");\n script_id(881606);\n script_version(\"$Revision: 6655 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:48:58 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:05:26 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"CESA\", value: \"2013:0273\");\n script_name(\"CentOS Update for java CESA-2013:0273 centos6 \");\n\n script_summary(\"Check for the Version of java\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-05T11:10:29", "description": "Check for the Version of java-1.6.0-openjdk", "cvss3": {}, "published": "2013-02-22T00:00:00", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2013:0274-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2018-02-03T00:00:00", "id": "OPENVAS:870924", "href": "http://plugins.openvas.org/nasl.php?oid=870924", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.6.0-openjdk RHSA-2013:0274-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"These packages provide the OpenJDK 6 Java Runtime Environment and the\n OpenJDK 6 Software Development Kit.\n\n An improper permission check issue was discovered in the JMX component in\n OpenJDK. An untrusted Java application or applet could use this flaw to\n bypass Java sandbox restrictions. (CVE-2013-1486)\n\n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n\n This erratum also upgrades the OpenJDK package to IcedTea6 1.11.8. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.6.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\";\n\n\ntag_affected = \"java-1.6.0-openjdk on Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2013-February/msg00035.html\");\n script_id(870924);\n script_version(\"$Revision: 8650 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-03 13:16:59 +0100 (Sat, 03 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:01:49 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_bugtraq_id(57778, 58029);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"RHSA\", value: \"2013:0274-01\");\n script_name(\"RedHat Update for java-1.6.0-openjdk RHSA-2013:0274-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of java-1.6.0-openjdk\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.35.1.11.8.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.0~1.35.1.11.8.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.35.1.11.8.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.35.1.11.8.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.35.1.11.8.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.35.1.11.8.el5_9\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:36:23", "description": "Oracle Linux Local Security Checks ELSA-2013-0274", "cvss3": {}, "published": "2015-10-06T00:00:00", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2013-0274", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2018-09-28T00:00:00", "id": "OPENVAS:1361412562310123721", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123721", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2013-0274.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123721\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:07:39 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2013-0274\");\n script_tag(name:\"insight\", value:\"ELSA-2013-0274 - java-1.6.0-openjdk security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2013-0274\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2013-0274.html\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.35.1.11.8.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-demo\", rpm:\"java-1.6.0-openjdk-demo~1.6.0.0~1.35.1.11.8.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.35.1.11.8.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.35.1.11.8.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-src\", rpm:\"java-1.6.0-openjdk-src~1.6.0.0~1.35.1.11.8.0.1.el5_9\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:07", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2013-02-22T00:00:00", "type": "openvas", "title": "RedHat Update for java-1.6.0-openjdk RHSA-2013:0273-01", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2013-1486"], "modified": "2018-11-23T00:00:00", "id": "OPENVAS:1361412562310870926", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870926", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for java-1.6.0-openjdk RHSA-2013:0273-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2013-February/msg00034.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870926\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-22 10:01:56 +0530 (Fri, 22 Feb 2013)\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2013-1486\");\n script_bugtraq_id(57778, 58029);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"RHSA\", value:\"2013:0273-01\");\n script_name(\"RedHat Update for java-1.6.0-openjdk RHSA-2013:0273-01\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'java-1.6.0-openjdk'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n script_tag(name:\"affected\", value:\"java-1.6.0-openjdk on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"These packages provide the OpenJDK 6 Java Runtime Environment and the\n OpenJDK 6 Software Development Kit.\n\n An improper permission check issue was discovered in the JMX component in\n OpenJDK. An untrusted Java application or applet could use this flaw to\n bypass Java sandbox restrictions. (CVE-2013-1486)\n\n It was discovered that OpenJDK leaked timing information when decrypting\n TLS/SSL protocol encrypted records when CBC-mode cipher suites were used.\n A remote attacker could possibly use this flaw to retrieve plain text from\n the encrypted packets by using a TLS/SSL server as a padding oracle.\n (CVE-2013-0169)\n\n Note: If the web browser plug-in provided by the icedtea-web package was\n installed, CVE-2013-1486 could have been exploited without user interaction\n if a user visited a malicious website.\n\n This erratum also upgrades the OpenJDK package to IcedTea6 1.11.8. Refer to\n the NEWS file, linked to in the References, for further information.\n\n All users of java-1.6.0-openjdk are advised to upgrade to these updated\n packages, which resolve these issues. All running instances of OpenJDK Java\n must be restarted for the update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk\", rpm:\"java-1.6.0-openjdk~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-debuginfo\", rpm:\"java-1.6.0-openjdk-debuginfo~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-devel\", rpm:\"java-1.6.0-openjdk-devel~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"java-1.6.0-openjdk-javadoc\", rpm:\"java-1.6.0-openjdk-javadoc~1.6.0.0~1.56.1.11.8.el6_3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-17T23:00:34", "description": "The remote host is missing an update announced via the referenced Security Advisory.", "cvss3": {}, "published": "2015-09-08T00:00:00", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2014-320)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2014-0160"], "modified": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562310120209", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120209", "sourceData": "# Copyright (C) 2015 Eero Volotinen\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120209\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:20:13 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2014-320)\");\n script_tag(name:\"insight\", value:\"The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue. The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.\");\n script_tag(name:\"solution\", value:\"Run yum update openssl to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2014-320.html\");\n script_cve_id(\"CVE-2013-0169\", \"CVE-2014-0160\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2015 Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"openssl\", rpm:\"openssl~1.0.1e~37.66.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssl-static\", rpm:\"openssl-static~1.0.1e~37.66.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssl-perl\", rpm:\"openssl-perl~1.0.1e~37.66.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssl-devel\", rpm:\"openssl-devel~1.0.1e~37.66.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"openssl-debuginfo\", rpm:\"openssl-debuginfo~1.0.1e~37.66.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-12-04T11:21:33", "description": "Check for the Version of openssl", "cvss3": {}, "published": "2013-03-28T00:00:00", "type": "openvas", "title": "Ubuntu Update for openssl USN-1732-3", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-0169", "CVE-2012-2686"], "modified": "2017-12-01T00:00:00", "id": "OPENVAS:841378", "href": "http://plugins.openvas.org/nasl.php?oid=841378", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1732_3.nasl 7958 2017-12-01 06:47:47Z santu $\n#\n# Ubuntu Update for openssl USN-1732-3\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed
Security Bulletin: Multiple vulnerabilities in IBM Cognos Express (CVE-2013-5443, CVE-2013-5445, CVE-2013-5444, CVE-2013-2407, CVE-2013-2450, CVE-2013-0169, CVE-2013-1478, CVE-2013-1480)
