CB-K13/0093 Update 26
Risk level 3
Title: SSL, TLS, DTLS: Vulnerability allows bypassing security measures
Date: 11.04.2022
Software: Open Source GnuTLS < 2.12.23, Open Source GnuTLS < 3.0.28, Open Source GnuTLS < 3.1.7, Open Source OpenSSL <= 1.0.1c, Opera Opera Browser < 12.13, F5 ARX 5.3.1, F5 ARX 6.3.0, F5 Advanced Firewall Manager 11.3.0, F5 BIG-IP Access Policy Manager 10.2.4, F5 BIG-IP Access Policy Manager 11.3.0, F5 BIG-IP Analytics 11.3.0, F5 BIG-IP Application Security Manager 10.2.4, F5 BIG-IP Application Security Manager 11.3.0, F5 BIG-IP Application Security Manager 9.4.8, F5 BIG-IP Edge Gateway 10.2.4, F5 BIG-IP Edge Gateway 11.3.0, F5 BIG-IP Global Traffic Manager 10.2.4, F5 BIG-IP Global Traffic Manager 11.3.0, F5 BIG-IP Global Traffic Manager 9.4.8, F5 BIG-IP Link Controller 10.2.4, F5 BIG-IP Link Controller 11.3.0, F5 BIG-IP Link Controller 9.4.8, F5 BIG-IP Local Traffic Manager 10.2.4, F5 BIG-IP Local Traffic Manager 11.3.0, F5 BIG-IP Local Traffic Manager 9.6.1, F5 BIG-IP Protocol Security Manager 10.2.4, F5 BIG-IP Protocol Security Manager 11.3.0, F5 BIG-IP Protocol Security Manager 9.4.8, F5 Enterprise Manager 1.8.0, F5 Policy Enforcement Manager 11.3.0, F5 WAN Optimization Manager 10.2.4, F5 WAN Optimization Manager 11.3.0, F5 WebAccelerator 10.2.4, F5 WebAccelerator 11.3.0, F5 WebAccelerator 9.4.8, IBM HTTP Server 6.1.0.0 - 6.1.0.45, IBM HTTP Server 7.0.0.0 - 7.0.0.27, IBM HTTP Server 8.0.0.0 - 8.0.0.6, IBM HTTP Server 8.5.0.0 - 8.5.0.2, IBM Tivoli Directory Server < 6.0.0.72, IBM Tivoli Directory Server < 6.1.0.55, IBM Tivoli Directory Server < 6.2.0.30, IBM Tivoli Directory Server < 6.3.0.22, IBM WebSphere Application Server 6.1.0.0 - 6.1.0.45, IBM WebSphere Application Server 7.0.0.0 - 7.0.0.27, IBM WebSphere Application Server 8.0.0.0 - 8.0.0.6, IBM WebSphere Application Server 8.5.0.0 - 8.5.0.2, IBM Spectrum Protect 5.5, IBM Spectrum Protect 6.1, IBM Spectrum Protect 6.2, IBM Spectrum Protect 6.3, SUSE Linux, Oracle Solaris 10, Oracle Solaris 11.1, Oracle Solaris 8, Oracle Solaris 9, Arista EOS <= 4.15, Splunk Splunk Enterprise 6.0.12, Splunk Splunk Enterprise 6.1.11, Splunk Splunk Enterprise 6.4.2, Oracle Linux
Platform: Appliance, Linux, UNIX, Windows
Impact: Bypass of security measures
Remote attack: Yes
Risk: medium
CVE list: CVE-2013-0169, CVE-2013-1618, CVE-2013-1619, CVE-2013-1620
Reference:
Description
GnuTLS (GNU Transport Layer Security Library) is a library, freely available as source code, that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS). OpenSSL is a library, freely available as source code, that implements Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
A remote, anonymous attacker on the local network can exploit a vulnerability in SSL, TLS and DTLS to bypass security measures.
Sources:
- Research paper "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols" of 2013-02-04
- OpenSSL Security Advisory of 2013-02-05
- F5 Security Advisory sol14190 of 2013-02-08
- Debian Security Advisory DSA-2621-1 of 2013-02-13
- Debian Security Advisory DSA-2622-1 of 2013-02-13
- Oracle Java SE Critical Patch Update of 2013-02-19
- Red Hat Security Advisory RHSA-2013:0532-1 of 2013-02-20
- Red Hat Security Advisory RHSA-2013:0531-1 of 2013-02-20
- Red Hat Security Advisory RHSA-2013:0275-1 of 2013-02-20
- Red Hat Security Advisory RHSA-2013:0274-1 of 2013-02-20
- Red Hat Security Advisory RHSA-2013:0273-1 of 2013-02-20
- SUSE-SU-2013:0328-1 of 2013-02-22
- Red Hat Security Advisory RHSA-2013:0588-1 of 2013-03-04
- Red Hat Security Advisory RHSA-2013:0587-1 of 2013-03-04
- IBM Support Document #1626523 of 2013-03-12
- Red Hat Security Advisory RHSA-2013:0636-1 of 2013-03-13
- IBM SECURITY ADVISORY of 2013-03-15
- HP SECURITY BULLETIN c03710522 of 2013-03-21
- HP SECURITY ADVISORY c03710522 of 2013-03-21
- Ubuntu Security Notice USN-1732-3 of 2013-03-25
- HP SECURITY BULLETIN HPSBOV02852 SSRT101108 rev.1 of 2013-03-26
- SUSE Security Update SUSE-SU-2013:0554-1 of 2013-03-27
- SUSE Security Update SUSE-SU-2013:0549-1 of 2013-04-02
- IBM Security Bulletin swg21633351 of 2013-04-04
- SUSE Security Update SUSE-SU-2013:0701-2 of 2013-04-23
- IBM Alert 1638022 of 2013-05-24
- IBM Security Bulletin 1635988 of 2013-05-30
- IBM Security Bulletin 1638270 of 2013-05-31
- IBM Security Bulletin 1635983 of 2013-05-30
- Oracle blog entry "Lucky Thirteen vulnerability in Solaris OpenSSL" of 2013-06-04
- Oracle Third Party Vulnerability Resolution Blog of 2013-07-16
- Red Hat Security Advisory RHSA-2013:1135-1 of 2013-08-05
- IBM Vulnerability of 2013-08-17
- Red Hat Security Advisory RHSA-2013:1181-1 of 2013-08-27
- SUSE Security Update SUSE-SU-2013:1386-1 of 2013-09-10
- IBM Security Bulletin #1644604
- ORACLE Third Party Vulnerability Resolution Blog of 2013-09-24
- Red Hat Security Advisory RHSA-2013:1791-1 of 2013-12-05
- Red Hat Security Advisory RHSA-2013:1829-1 of 2013-12-12
- SUSE Security Update SUSE-SU-2014:0322-1 of 2014-03-04
- IBM Security Bulletin 1672363 of 2014-05-08
- SUSE Security Update SUSE-SU-2014:0800 of 2014-06-16
- Oracle Third Party Vulnerability Resolution Blog entry of 2014-08-09
- F5 Security Advisory: sol15630
- Oracle Third Party Vulnerability Resolution Blog
- SUSE Security Update SUSE-SU-2015:0578-1 of 2015-03-23
- Arista Security Advisory 0020 of 2016-05-06
- Splunk Advisory SP-CAAAPP4 of 2016-07-14
- Oracle Linux Security Advisory ELSA-2019-4747 of 2019-08-16
- Oracle Linux Security Advisory ELSA-2021-9150 of 2021-04-01
- Oracle Linux Security Advisory ELSA-2022-9272 of 2022-04-08