/ Database Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

How to Mitigate the OpenSSL DROWN Attack (CVE-2016-0800)

DZone's Guide to

How to Mitigate the OpenSSL DROWN Attack (CVE-2016-0800)

Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. This blog post will discuss how to Mitigate DROWN CVE-2016-0800.

by
·
Mar. 08, 16 · Database Zone ·
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

RavenDB vs MongoDB: Which is Better? This White Paper compares the two leading NoSQL Document Databases on 9 features to find out which is the best solution for your next project.  

Mitigate DROWN CVE-2016-0800

This blog post will discuss how to Mitigate DROWN CVE-2016-0800.

Unless you’ve been living in a cave you’ll have heard of (or likely will hear about soon) the drown attack. From the Red Hat site:

"A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

Find out more about CVE-2016-0800 from the MITRE CVE dictionary and NIST NVD.”

The following graphic should help explain the vulnerability:

Mitigate DROWN CVE-2016-0800

In short, disable SSLv2 if you do not need it (similar to the way SSLv3 was disabled due to POODLE).

So, how about those services?

  • MySQL uses TLS1.0 for versions < 5.7.10
  • MySQL uses a configuration TLS version when using >= 5.7.10
  • MongoDB uses a configuration variable for the TLS for version when using >= 3.0.7

Please respond in the comments with any questions!

Get comfortable using NoSQL in a free, self-directed learning course provided by RavenDB. Learn to create fully-functional real-world programs on NoSQL Databases. Register today.

Like This Article? Read More From DZone

A Brief History of TLS
Security vs. Time-to-Market: What's More Important?
Using HTTPS to Secure Your Websites: An Intro to Web Security

Free DZone Refcard

Graph-Powered Search: Neo4j & Elasticsearch
DOWNLOAD
Topics:
ssl ,tls ,vulnerability

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

Database Partner Resources

Shift LEFT Issue #3 How DevOps benefits CEOs, CIOs & IT Managers and a look at GDPR
Troubleshooting SQL Server Performance
Tips to deploy and configure a fully secured enterprise database for personal data protection.
Dependance upon proprietary databases has changed. Compare the enterprise features of MariaDB TX, Oracle, Microsoft and IBM.
SQL support, smart cache, and speed of 1 million ACID transactions on a single CPU core with Tarantool
How Your Data Type Choices Can Affect SQL Server Database Performance
Why a NoSQL Database is the Best Solution for a Startup
Report: New Test Results Show How to Optimize Application and Microservice Performance
Don’t let the database be a bottleneck: Solving Database Deployment Problems with Database DevOps
Redis Enterprise delivers high throughput at 83% lower app latency, reducing operational costs over 75%. Learn more
Comparing NoSQL Solutions: Redis Labs Has 8x the Throughput at Half the Latency
Preventing SQL Server Performance Problems Before They Hit Production

Database Partner Resources

Shift LEFT Issue #3 How DevOps benefits CEOs, CIOs & IT Managers and a look at GDPR
Troubleshooting SQL Server Performance
Tips to deploy and configure a fully secured enterprise database for personal data protection.
Dependance upon proprietary databases has changed. Compare the enterprise features of MariaDB TX, Oracle, Microsoft and IBM.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone