Details
- Bug
- Status: On Hold
- High
- Resolution: Unresolved
Description
Reported in Launchpad by David Busby, last update 08-12-2015 10:41:20
This morning we received a report from oCERT which is being treated as a public security issue in the MySQL client.
In short, it is possible for the MySQL client to silently fall back on a non-SSL connection instead of aborting the connection, and as such communication will not be encrypted "in flight". This is known, documented behaviour.
This is now being assigned a CVE and an advisory is set for release April 29th. The body of the original notification follows.
—
This issue affects MariaDB, and very likely Percona as well, and is related
to https://mariadb.atlassian.net/browse/MDEV-7937
The issue concerns the impossibility for MySQL/MariaDB users (with any major
stable version) to enforce an SSL connection without possibility for a MITM
attack to perform a malicious downgrade.
The issue affects MySQL versions before 5.7.3. However, these fixes have not
been back-ported to previous major versions (5.5, 5.6, etc.), and MySQL 5.7
is not yet considered a stable release. The situation should be similar with
MariaDB.
Therefore the vast majority of MySQL/MariaDB users:
a) have no ability to enforce SSL use, except by patching code or
performing a major-version upgrade to a development release, and
b) are probably not aware of this limitation
The following links clearly illustrate the issue:
https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
http://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-3.html
While technically this is documented behaviour, it represents a pretty bad
one and the feeling is that most users actually have no awareness of this.
—