What is CVE-2013-1620?

CVE-2013-1620 is a vulnerability in Mozilla Network_security_services, classified under Observable Discrepancy. Published 2013-02-08.

Is CVE-2013-1620 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Mozilla Network_security_services

CVE-2013-1620

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to…

EPSS: 0.009 (75.3th percentile) — read the EPSS interpretation.

Affected products

Mozilla Network_security_services
Oracle Enterprise_manager_ops_center — versions 11.1, 12.1, 12.2
Oracle Glassfish_communications_server — versions 2.0
Oracle Glassfish_server — versions 2.1.1
Oracle Iplanet_web_proxy_server — versions 4.0
Oracle Iplanet_web_server — versions 6.1, 7.0
Oracle Opensso — versions 3.0-03
Oracle Traffic_director — versions 11.1.1.6.0, 11.1.1.7.0
Oracle Vm_server — versions 3.2
Canonical Ubuntu_linux — versions 10.04, 11.10, 12.04

Weakness classification (CWE)

CWE-203 — Observable Discrepancy

Public proof-of-concept exploits

Live-Hack-CVE/CVE-2013-1620

References

cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
57777 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
cve@mitre.org (Technical Description, Third Party Advisory, x_refsource_MISC)
openSUSE-SU-2013:0630 (vendor-advisory, x_refsource_SUSE, Broken Link)
[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities (mailing-list, x_refsource_BUGTRAQ, Third Party Advisory, VDB Entry)
cve@mitre.org (x_refsource_CONFIRM, Third Party Advisory)
USN-1763-1 (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)
GLSA-201406-19 (vendor-advisory, Third Party Advisory, x_refsource_GENTOO)

Frequently asked questions

What is CVE-2013-1620?: CVE-2013-1620 is a vulnerability in Mozilla Network_security_services, classified under Observable Discrepancy. Published 2013-02-08.
Is CVE-2013-1620 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.