How to Mitigate the OpenSSL DROWN Attack (CVE-2016-0800)
Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. This blog post will discuss how to Mitigate DROWN CVE-2016-0800.
Join the DZone community and get the full member experience.
Join For FreeThis blog post will discuss how to Mitigate DROWN CVE-2016-0800.
Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. From the Red Hat site:
"A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
Find out more about CVE-2016-0800 from the MITRE CVE dictionary and NIST NVD.”
The following graphic should help explain the vulnerability:
In short, disable SSLv2 if you do not need it (similar to the way SSLv3 was disabled due to POODLE).
So, how about those services?
- MySQL uses TLS1.0 for versions < 5.7.10
- MySQL uses a configuration TLS version when using >= 5.7.10
- MongoDB uses a configuration variable for the TLS for version when using >= 3.0.7
Please respond in the comments with any questions!
Published at DZone with permission of David Busby, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments