CVE-2013-0169 (OpenSSL Lucky Thirteen Attack)

  • Posted February 13, 2013

  • In its transport layer, OpenSSL, (amongst other products) uses the TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2. These protocols are not sufficiently hardened against timing side-channel attacks. This vulnerability, also known as the "Lucky Thirteen" issue, is discussed in detail here: http://www.isg.rhul.ac.uk/tls/. Because PE provides OpenSSL packages for Windows and Solaris, agents running on these platforms are vulnerable to this issue.


    • Hotfixes available for Puppet Enterprise 1.2.6 and 2.7.1