
How to Mitigate DROWN CVE-2016-0800

March 4, 2016 | Posted In: MySQL


This blog post will discuss how to mitigate DROWN CVE-2016-0800.

Unless you’ve been living in a cave, you’ll have heard (or are likely to hear soon) about the DROWN attack. From the Red Hat site:

“A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

Find out more about CVE-2016-0800 from the MITRE CVE dictionary and NIST NVD.”

The following graphic should help explain the vulnerability:

[Graphic: Mitigate DROWN CVE-2016-0800]

In short, disable SSLv2 if you do not need it (similar to the way SSLv3 was disabled due to POODLE).

So how about those services?

  • MySQL uses TLS1.0 for versions < 5.7.10
  • MySQL uses a configurable TLS version when using >= 5.7.10
  • MongoDB uses a configuration variable for the TLS version when using >= 3.0.7
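
As an added example (not code from the original post or from Percona), this Python script audits a my.cnf against the two MySQL points above: it reports the fixed TLS1.0 case for servers older than 5.7.10 and checks the `tls_version` option on newer ones. The function names, the sample configs and the TLSv1.2 policy minimum are assumptions made for illustration.

```python
import configparser

MYSQL_TLS_CONFIGURABLE = (5, 7, 10)  # threshold stated in the post
KNOWN = ("TLSv1", "TLSv1.1", "TLSv1.2")  # tls_version values in MySQL 5.7, weakest first

# Constructed sample configs (paths and values are illustrative).
SAMPLE_WEAK = "[mysqld]\nssl-ca=/etc/mysql/ca.pem\ntls-version=TLSv1,TLSv1.1,TLSv1.2\n"
SAMPLE_PINNED = "[mysqld]\nskip-name-resolve\ntls_version=TLSv1.2\n"


def parse_version(text):
    """'5.7.11-log' -> (5, 7, 11)."""
    return tuple(int(part) for part in text.split("-")[0].split(".")[:3])


def audit_mysql_tls(server_version, my_cnf_text, minimum="TLSv1.2"):
    """Return (status, detail); `minimum` is an assumed site policy."""
    if parse_version(server_version) < MYSQL_TLS_CONFIGURABLE:
        return "fixed", "TLS1.0 is used; TLS version is not configurable before 5.7.10"
    # Drop !include/!includedir directives, which configparser cannot parse.
    lines = [l for l in my_cnf_text.splitlines() if not l.lstrip().startswith("!")]
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    interpolation=None)
    # my.cnf treats tls-version and tls_version as the same option.
    cfg.optionxform = lambda key: key.lower().replace("-", "_")
    cfg.read_string("\n".join(lines))
    raw = cfg.get("mysqld", "tls_version", fallback=None)
    if not raw:
        return "unset", "tls_version not set under [mysqld]; server default applies"
    enabled = [v.strip() for v in raw.split(",") if v.strip()]
    unknown = [v for v in enabled if v not in KNOWN]
    if unknown:
        return "invalid", "unrecognised protocol(s): " + ",".join(unknown)
    weak = [v for v in enabled if KNOWN.index(v) < KNOWN.index(minimum)]
    if weak:
        return "weak", "below policy minimum %s: %s" % (minimum, ",".join(weak))
    return "ok", ",".join(enabled)


if __name__ == "__main__":
    for version, text in (("5.6.29", SAMPLE_PINNED), ("5.7.11-log", SAMPLE_WEAK),
                          ("5.7.10", SAMPLE_PINNED)):
        print(version, audit_mysql_tls(version, text))
```

Confirm the effective value on a running server with `SHOW GLOBAL VARIABLES LIKE 'tls_version'`, since the file alone does not show the server's default.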

Please respond in the comments with any questions!

David Busby

David is an Information Security Architect, and CISSP qualified. He has worked with Percona since 2013 and has over 17 years' experience in DevOps, databases and security. David is a Ju-Jitsu instructor, assistant scout leader and also volunteers at a local secondary school to teach kids computing.
