How to Mitigate the OpenSSL DROWN Attack (CVE-2016-0800)
How to Mitigate the OpenSSL DROWN Attack (CVE-2016-0800)
Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. This blog post will discuss how to Mitigate DROWN CVE-2016-0800.
Join the DZone community and get the full member experience.
Join For FreeNew whitepaper: Database DevOps – 6 Tips for Achieving Continuous Delivery. Discover 6 tips for continuous delivery with Database DevOps in this new whitepaper from Redgate. In 9 pages, it covers version control for databases and configurations, branching and testing, automation, using NuGet packages, and advice for how to start a pioneering Database DevOps project. Also includes further research on the industry-wide state of Database DevOps, how application and database development compare, plus practical steps for bringing DevOps to your database. Read it now free.
This blog post will discuss how to Mitigate DROWN CVE-2016-0800.
Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. From the Red Hat site:
"A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
Find out more about CVE-2016-0800 from the MITRE CVE dictionary and NIST NVD.”
The following graphic should help explain the vulnerability:
In short, disable SSLv2 if you do not need it (similar to the way SSLv3 was disabled due to POODLE).
So, how about those services?
- MySQL uses TLS1.0 for versions < 5.7.10
- MySQL uses a configuration TLS version when using >= 5.7.10
- MongoDB uses a configuration variable for the TLS for version when using >= 3.0.7
Please respond in the comments with any questions!
New whitepaper: Database DevOps – 6 Tips for Achieving Continuous Delivery. Discover 6 tips for continuous delivery with Database DevOps in this new whitepaper from Redgate. In 9 pages, it covers version control for databases and configurations, branching and testing, automation, using NuGet packages, and advice for how to start a pioneering Database DevOps project. Also includes further research on the industry-wide state of Database DevOps, how application and database development compare, plus practical steps for bringing DevOps to your database. Read it now free.
Like This Article? Read More From DZone
Published at DZone with permission of David Busby , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}