Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 455564 (CVE-2013-1624) - dev-ruby/bouncy-castle-java: TLS CBC padding timing attack (CVE-2013-1624)
Summary: dev-ruby/bouncy-castle-java: TLS CBC padding timing attack (CVE-2013-1624)
Alias: CVE-2013-1624
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2013-02-05 09:32 UTC by Agostino Sarubbo
Modified: 2016-04-01 03:23 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-02-05 09:32:01 UTC
From $URL :

A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext 
from a TLS/DTLS connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations).  As such, it affects all TLS and DTLS 
implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures 
to deal with previous padding oracle attacks.  All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of 
the last byte in any block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required (target plaintext must be sent repeatedly in the same position in the 
plaintext stream across the sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker must also be located close to the machine being 

Further details are noted in the paper.

Current status of fixes in various implementations:

* OpenSSL has a patch in development
* NSS has a patch in development
* GnuTLS is fixed in versions 2.12.23, 3.0.28, and 3.1.7
* PolarSSL is fixed in version 1.2.5
* BouncyCastle has a patch that will be included in the forthcoming 1.48 version

External References:
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 23:39:05 UTC
CVE-2013-1624 (
  The TLS implementation in the Bouncy Castle Java library before 1.48 and C#
  library before 1.8 does not properly consider timing side-channel attacks on
  a noncompliant MAC check operation during the processing of malformed CBC
  padding, which allows remote attackers to conduct distinguishing attacks and
  plaintext-recovery attacks via statistical analysis of timing data for
  crafted packets, a related issue to CVE-2013-0169.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-27 17:16:43 UTC
@maintainers: Please bump version or lastrite the package if it is no longer maintained.
Comment 3 Hans de Graaff gentoo-dev Security 2016-01-06 10:28:43 UTC
This package has been masked since 03 May 2014 as part of a general dev-java/jruby mask.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-03-04 13:30:31 UTC
@maintainers, please bump.  One rdep dev-ruby/jruby-openssl.  dev-ruby/jruby-openssl has no rdeps so both are a candidate for tree cleaning.
Comment 5 James Le Cuirot gentoo-dev 2016-03-04 13:33:14 UTC
dev-ruby/jruby-openssl may as well go at this point or at least get masked as jruby itself is masked and no one has time to work on it right now.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 00:31:02 UTC
Packages already masked.  Sending last rites to lists.

# Tom Wijsman <> (03 May 2014)
# Needs to be further tested and revised by both Java and Ruby herds.