How to Mitigate the OpenSSL DROWN Attack (CVE-2016-0800)

This blog post will discuss how to mitigate DROWN (CVE-2016-0800).

Unless you’ve been living in a cave, you’ll have heard of (or likely will hear about soon) the DROWN attack. From the Red Hat site:

"A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.

Find out more about CVE-2016-0800 from the MITRE CVE dictionary and NIST NVD."

The following graphic should help explain the vulnerability:

[Graphic: Mitigate DROWN CVE-2016-0800]

In short, disable SSLv2 if you do not need it (similar to the way SSLv3 was disabled due to POODLE).

So, how about those services?

  • MySQL uses TLS 1.0 for versions < 5.7.10
  • MySQL uses a configurable TLS version for versions >= 5.7.10
  • MongoDB uses a configuration variable for the TLS version for versions >= 3.0.7
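
To confirm that SSLv2 really is off on a listener you run, a check along these lines can be used. This is an added example, not code from the original post: the function names and the two sample replies are constructed here, and it assumes a service that starts SSL/TLS as soon as the connection opens (MySQL negotiates TLS inside its own protocol, so this probe does not apply to a MySQL port directly).

```python
import socket
import struct

# SSLv2 cipher kinds (3 bytes each) offered in the probe hello.
SSLV2_CIPHERS = bytes.fromhex("010080" "020080" "030080" "040080" "060040" "0700c0")

def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Return an SSLv2 CLIENT-HELLO record offering the ciphers above."""
    # msg type 1, version 0x0002, cipher-spec len, session-id len (0), challenge len
    body = struct.pack(">BHHHH", 1, 0x0002, len(SSLV2_CIPHERS), 0, len(challenge))
    body += SSLV2_CIPHERS + challenge
    # 2-byte record header: high bit set, remaining 15 bits carry the length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def accepts_sslv2(reply):
    """True if reply starts with an SSLv2 SERVER-HELLO for version 0x0002."""
    if len(reply) < 7 or not reply[0] & 0x80:
        return False  # too short, or not a 2-byte-header SSLv2 record
    msg_type, _hit, _cert_type, version = struct.unpack(">BBBH", reply[2:7])
    return msg_type == 4 and version == 0x0002

def probe(host, port, timeout=5.0):
    """Send the hello to a listener you operate; report whether SSLv2 answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            reply = s.recv(4096)
        except OSError:  # timeout or reset: the server refused to talk SSLv2
            reply = b""
    return accepts_sslv2(reply)

# Constructed sample replies (not captured traffic).
# SERVER-HELLO: type 4, no session hit, cert type 1, version 2, cert len 0,
# one cipher spec (3 bytes), 16-byte connection id.
SAMPLE_SERVER_HELLO = (
    struct.pack(">HBBBHHHH", 0x8000 | 30, 4, 0, 1, 0x0002, 0, 3, 16)
    + bytes.fromhex("0700c0") + b"\x11" * 16
)
# TLS 1.0 fatal handshake_failure alert, as a server without SSLv2 may send.
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020228")

if __name__ == "__main__":
    print("SSLv2 server hello ->", accepts_sslv2(SAMPLE_SERVER_HELLO))
    print("TLS alert          ->", accepts_sslv2(SAMPLE_TLS_ALERT))
```

A `True` result from `probe()` means the listener still answers SSLv2 and the protocol has not been disabled.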

Please respond in the comments with any questions!


Published at DZone with permission of David Busby, DZone MVB. See the original article here.
