2015-04-23 10:00:19
David Busby
This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.
In short, the MySQL client can silently fall back to a non-SSL connection instead of aborting the connection, so the traffic is not encrypted "in flight". This is known, documented behaviour, but an on-path attacker can trigger the fallback, which turns the documented default into a downgrade attack.
A CVE is now being assigned and an advisory is set for release on April 29th. The body of the original notification follows.
---
oCERT recently received a report from Adam Goodman, Principal Security
Architect at Duo Security, concerning a security issue on MySQL client code.
This issue affects MariaDB, and very likely Percona as well, and is related
to https://mariadb.atlassian.net/browse/MDEV-7937
The issue concerns the impossibility for MySQL/MariaDB users (with any major
stable version) to enforce an SSL connection without possibility for a MITM
attack to perform a malicious downgrade.
The issue affects MySQL versions before 5.7.3. However, these fixes have not
been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
is not yet considered a stable release. The situation should be similar with
MariaDB.
Therefore the vast majority of MySQL/MariaDB users:
a) have no ability to enforce SSL use, except by patching code or
performing a major-version upgrade to a development release, and
b) are probably not aware of this limitation
The following links clearly illustrate the issue:
https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
While technically this is documented behaviour, it represents a pretty bad
one and the feeling is that most users actually have no awareness of this.
Therefore the consensus is to treat this as a vulnerability, a CVE is
currently being assigned, distributions have been pre-notified and we are
going to release an advisory on April 29th at 15:00 CET.
We are also reaching out to MySQL and MariaDB following the original report from Duo
Security and we are in the process of contacting other MySQL forks.
---
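To make the downgrade concrete, here is an added example (not code from the original post, and not MySQL, MariaDB or Percona code) that parses the server's initial handshake packet and models the two client behaviours the notification contrasts: the legacy `--ssl` that merely prefers SSL and silently continues in plaintext when the server does not offer it, and the enforcing behaviour introduced in 5.7.3 that aborts instead. The packet layout and the `CLIENT_SSL` capability bit (0x0800) are from the MySQL client/server protocol; the handshake bytes, version string, salt and capability set are constructed for the example, and the `mitm_strip_ssl` function is the one-byte edit an on-path attacker makes to the server's packet.

```python
"""
Added example: MySQL protocol-10 handshake parser plus a model of SSL
negotiation, showing how clearing CLIENT_SSL in transit downgrades a client
that only *prefers* SSL. Not MySQL/MariaDB/Percona code; all packets are
constructed here.
"""
import struct

# Capability flags from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800            # server is able to switch to SSL
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000

# Constructed capability set for the sample server.
SERVER_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SSL | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH


def build_handshake(server_version: bytes, capabilities: int) -> bytes:
    """Construct a protocol-10 initial handshake packet, including the 4-byte
    packet header (3-byte length + sequence id). Salt and connection id are
    made up; a real server sends random salt bytes."""
    salt = bytes(range(1, 21))                       # constructed 20-byte auth data
    body = bytes([10])                               # protocol version 10
    body += server_version + b"\x00"                 # NUL-terminated version string
    body += struct.pack("<I", 42)                    # connection id (constructed)
    body += salt[:8] + b"\x00"                       # auth-plugin-data part 1 + filler
    body += struct.pack("<H", capabilities & 0xFFFF)  # capability flags, lower 16 bits
    body += bytes([0x21])                            # character set (utf8_general_ci)
    body += struct.pack("<H", 0x0002)                # status flags (autocommit)
    body += struct.pack("<H", capabilities >> 16)    # capability flags, upper 16 bits
    body += bytes([len(salt) + 1])                   # length of auth-plugin-data
    body += b"\x00" * 10                             # reserved
    body += salt[8:] + b"\x00"                       # auth-plugin-data part 2
    body += b"mysql_native_password\x00"             # auth plugin name
    return struct.pack("<I", len(body))[:3] + b"\x00" + body


def _body(packet: bytes) -> bytes:
    length = int.from_bytes(packet[0:3], "little")
    return packet[4:4 + length]


def _caps_offsets(body) -> tuple:
    """Offsets of the lower and upper capability halves within the body."""
    if body[0] != 10:
        raise ValueError("only protocol version 10 handshakes are handled")
    lower = body.index(b"\x00", 1) + 1 + 4 + 8 + 1   # after version, conn id, salt-1, filler
    return lower, lower + 2 + 1 + 2                  # upper half follows caps, charset, status


def parse_capabilities(packet: bytes) -> int:
    """Return the 32-bit server capability flags advertised in the handshake."""
    body = _body(packet)
    lo_off, hi_off = _caps_offsets(body)
    lower = struct.unpack_from("<H", body, lo_off)[0]
    upper = struct.unpack_from("<H", body, hi_off)[0]
    return (upper << 16) | lower


def mitm_strip_ssl(packet: bytes) -> bytes:
    """What an on-path attacker does: clear CLIENT_SSL in the server's packet.
    Nothing else in the packet changes, so a client that does not insist on
    SSL has no way to notice."""
    body = bytearray(_body(packet))
    lo_off, _ = _caps_offsets(body)
    lower = struct.unpack_from("<H", body, lo_off)[0]
    struct.pack_into("<H", body, lo_off, lower & ~CLIENT_SSL)
    return packet[:4] + bytes(body)


def negotiate(packet: bytes, want_ssl: bool, enforce: bool) -> str:
    """Client side of the capability negotiation.
    enforce=False models the pre-5.7.3 --ssl option (prefer SSL, fall back silently);
    enforce=True models the 5.7.3 redefinition (abort if the server does not offer SSL).
    Returns 'ssl' or 'plaintext'; raises ConnectionError on an enforced abort."""
    server_offers_ssl = bool(parse_capabilities(packet) & CLIENT_SSL)
    if not want_ssl:
        return "plaintext"
    if server_offers_ssl:
        return "ssl"            # client would now send the SSL request packet and start TLS
    if enforce:
        raise ConnectionError("SSL required but server did not offer it; refusing downgrade")
    return "plaintext"          # the silent fallback the advisory is about


def demo() -> dict:
    """Run all four combinations against a genuine and a tampered handshake."""
    genuine = build_handshake(b"5.6.24-log", SERVER_CAPS)
    tampered = mitm_strip_ssl(genuine)
    results = {
        "direct_legacy": negotiate(genuine, want_ssl=True, enforce=False),
        "mitm_legacy": negotiate(tampered, want_ssl=True, enforce=False),
        "direct_enforcing": negotiate(genuine, want_ssl=True, enforce=True),
    }
    try:
        negotiate(tampered, want_ssl=True, enforce=True)
        results["mitm_enforcing"] = "plaintext"
    except ConnectionError:
        results["mitm_enforcing"] = "aborted"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18s} {outcome}")
```

The `mitm_legacy` case is the whole issue: the client asked for SSL, the server supports it, and the session still runs in cleartext because one bit was cleared on the wire. Against a live server the practical check is the same one a client should make before trusting the session: run `SHOW SESSION STATUS LIKE 'Ssl_cipher'` immediately after connecting and treat an empty value as a failed (not merely unencrypted) connection.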