Lucky 13 (CVE-2013-0169) Vulnerability Recommendations
Article ID: 393484


Products

VMware vSphere ESXi

Issue/Introduction

SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
============================================================
All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x

Environment

vSphere ESXi 7.x

vSphere ESXi 8.x


Resolution

Affected users should upgrade OpenSSL to a fixed release for their branch (1.0.1e, 1.0.0k or 0.9.8y) or later. Refer to https://openssl-library.org/news/secadv/20130205.txt

With regard to ESXi hosts, OpenSSL version 1.0.2 is used on hosts running 7.0 U3o and later versions.

Please refer to the VMware ESXi 7.0 Update 3o Release Notes, which state that the OpenSSL package is updated to version 1.0.2.

You may also refer to VMware vSphere 7 Default SSL/TLS Cipher Suites.

So, any host running a version below 7.0 U3o should be upgraded/updated to address this vulnerability. For any host running on or above this version, you can safely ignore the scan results and apply for whitelisting.
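To triage scanner findings against the OpenSSL thresholds quoted above (1.0.1e, 1.0.0k, 0.9.8y, with 1.0.2 and later branches already carrying the fix), the following helper is an added example, not code from this article or from VMware; the version strings fed to it are constructed samples.

```python
"""Triage helper for Lucky 13 (CVE-2013-0169) scanner findings.

Decides whether a reported OpenSSL version string is at or after the
fixed release for its branch, using the advisory thresholds:
1.0.1e, 1.0.0k and 0.9.8y. Later branches (e.g. 1.0.2) include the fix.
"""
import re

# Fixed letter release per branch, from the OpenSSL 2013-02-05 advisory.
FIXED_IN = {
    (1, 0, 1): "e",
    (1, 0, 0): "k",
    (0, 9, 8): "y",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, patch), letter) from strings such as
    '1.0.1c' or 'OpenSSL 1.0.2u 20 Dec 2019'. Raises ValueError otherwise."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_lucky13_fixed(version_text):
    """True if the version is at or after the fixed release for its branch."""
    branch, letter = parse_openssl_version(version_text)
    if branch in FIXED_IN:
        # OpenSSL letter releases sort alphabetically within a branch
        # ('' < 'a' < ... < 'y' < 'za' < 'zb'), so a string compare suffices.
        return letter >= FIXED_IN[branch]
    # Branches newer than 1.0.1 (such as 1.0.2 on ESXi 7.0 U3o and later)
    # ship with the fix; anything older than 0.9.8 is treated as unfixed.
    return branch > (1, 0, 1)


def triage(findings):
    """Map each reported version to 'fixed' or 'upgrade' for a scan report."""
    return {v: ("fixed" if is_lucky13_fixed(v) else "upgrade") for v in findings}


if __name__ == "__main__":
    # Constructed sample of version strings as a scanner might report them.
    sample = ["1.0.1c", "1.0.1e", "1.0.0j", "0.9.8y", "OpenSSL 1.0.2u 20 Dec 2019"]
    for version, verdict in triage(sample).items():
        print(version, verdict)
```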


Additional Information

There are a few things to consider. Sometimes, vulnerability scanners may flag vulnerabilities that have already been addressed, especially if the scanner is using outdated vulnerability definitions or configuration settings. We recommend reviewing the configuration of these tools to ensure they're set up correctly, particularly with respect to OpenSSL versions and TLS configurations. Also, please verify that the plugin definitions or scan parameters are fully up to date to ensure the scan is being performed against the most accurate vulnerability database.

If ESXi is running on or above 7.0 U3o, Broadcom is no longer responsible for addressing this issue. It would be beneficial to work with the respective support teams to understand why this vulnerability is still being reported, especially if the scanner is incorrectly flagging a fixed issue.