How to Mitigate the OpenSSL DROWN Attack (CVE-2016-0800)
Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. This blog post will discuss how to Mitigate DROWN CVE-2016-0800.
Join the DZone community and get the full member experience.
Join For Free
This blog post will discuss how to Mitigate DROWN CVE-2016-0800.
Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. From the Red Hat site:
"A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
Find out more about CVE-2016-0800 from the MITRE CVE dictionary and NIST NVD.”
The following graphic should help explain the vulnerability:
In short, disable SSLv2 if you do not need it (similar to the way SSLv3 was disabled due to POODLE).
So, how about those services?
- MySQL uses TLS1.0 for versions < 5.7.10
- MySQL uses a configuration TLS version when using >= 5.7.10
- MongoDB uses a configuration variable for the TLS for version when using >= 3.0.7
Please respond in the comments with any questions!
Topics:
ssl,
tls,
vulnerability
Published at DZone with permission of David Busby, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments