← volver
CVE-2015-3152

CVE-2015-3152

EPSS 7.1%
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
Productos afectados
n/a · n/a

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.htmlhttp://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1646.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1647.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1665.htmlhttps://access.redhat.com/security/cve/cve-2015-3152https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390https://jira.mariadb.org/browse/MDEV-7937https://www.duosecurity.com/blog/backronym-mysql-vulnerability