Bug 612922 (CVE-2017-3305) - dev-db/mysql: incorrect enforcement of ssl-mode=REQUIRED in MySQL 5.5 and 5.6
Summary: dev-db/mysql: incorrect enforcement of ssl-mode=REQUIRED in MySQL 5.5 and 5.6
Alias: CVE-2017-3305
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [ebuild/upstream cve]
Depends on:
Blocks: CVE-2017-3633, CVE-2017-3634, CVE-2017-3637, CVE-2017-3647, CVE-2017-3649
Reported: 2017-03-17 14:53 UTC by Agostino Sarubbo
Modified: 2021-01-25 15:32 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2017-03-17 14:53:08 UTC
From ${URL} :

There is a new vulnerability in MySQL client versions 5.5 and 5.6 which is related to SSL/TLS encryption and to the older BACKRONYM vulnerability.

As is common, a new vulnerability should have a name, logo and website. So enjoy the *Riddle* at

Affected are only Oracle's MySQL clients in all versions 5.5 and 5.6 when SSL/TLS encryption is used. Verification of encryption parameters and of the existence of the SSL/TLS layer by the MySQL client is done *after* the client successfully finishes authentication.

For more details including mitigation, look at the Technical section on the vulnerability website:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-17 22:43:15 UTC
Oracle implemented enforcement of ssl-mode=REQUIRED in response to CVE-2015-3152 which is bug 548132. However, the backport for 5.5.49 and 5.6.30 release is flawed:

It was found that when the MySQL client, configured to use SSL/TLS mode, authenticates to a MySQL server not supporting SSL/TLS, the client will fall back to the plain-text protocol for authentication. After successful authentication the client checks whether the SSL/TLS layer is required and, if the server doesn't support it, the client will close the connection with an error.

An active MITM attacker can downgrade SSL/TLS to plain text and forward the nonce from the server back to the client. The MITM attacker receives the login data (for the server nonce) from the client and sends it to the server to authenticate as the client.

This issue is present in the 5.5 and 5.6 versions.

External References:
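Added example (not code from this bug report or from MySQL itself): a Python model of the check ordering described above. It parses the server capability flags out of a constructed protocol v10 initial handshake payload and contrasts the affected order (credentials sent, then TLS verified) with enforcement that refuses before any credential leaves the client. The packet contents and the `flawed_client`/`fixed_client` names are constructed for illustration.

```python
import struct

CLIENT_SSL = 0x0800  # capability bit a MySQL server sets when it accepts a TLS upgrade


def build_handshake(capabilities: int, nonce: bytes = bytes(range(1, 21))) -> bytes:
    """Constructed MySQL protocol v10 initial handshake payload (no 4-byte packet header)."""
    pkt = b"\x0a" + b"5.6.30-constructed\x00"          # protocol version, server version
    pkt += struct.pack("<I", 42)                        # connection id
    pkt += nonce[:8] + b"\x00"                          # auth-plugin-data part 1, filler
    pkt += struct.pack("<H", capabilities & 0xFFFF)     # capability flags, lower 16 bits
    pkt += b"\x21" + struct.pack("<H", 0x0002)          # charset, status flags
    pkt += struct.pack("<H", capabilities >> 16)        # capability flags, upper 16 bits
    pkt += bytes([len(nonce) + 1]) + b"\x00" * 10       # auth-plugin-data length, reserved
    pkt += nonce[8:] + b"\x00" + b"mysql_native_password\x00"
    return pkt


def server_capabilities(payload: bytes) -> int:
    """Parse the 32-bit capability flags out of a v10 handshake payload."""
    if payload[0] != 0x0A:
        raise ValueError("not a protocol v10 handshake")
    pos = payload.index(b"\x00", 1) + 1 + 4 + 8 + 1     # skip version, conn id, nonce, filler
    low = struct.unpack_from("<H", payload, pos)[0]
    high = struct.unpack_from("<H", payload, pos + 5)[0]  # after charset (1) and status (2)
    return low | (high << 16)


def flawed_client(payload: bytes, ssl_required: bool) -> list:
    """Affected 5.5/5.6 order: the auth response goes out before TLS is verified."""
    steps = ["recv_handshake", "send_auth_response(plaintext)"]
    if ssl_required and not server_capabilities(payload) & CLIENT_SSL:
        steps.append("abort: server lacks CLIENT_SSL")  # too late, login data already sent
    return steps


def fixed_client(payload: bytes, ssl_required: bool) -> list:
    """Correct enforcement of ssl-mode=REQUIRED: decide before sending any credential."""
    steps = ["recv_handshake"]
    if server_capabilities(payload) & CLIENT_SSL:
        steps += ["send_ssl_request", "tls_handshake", "send_auth_response(encrypted)"]
    elif ssl_required:
        steps.append("abort: server lacks CLIENT_SSL")
    else:
        steps.append("send_auth_response(plaintext)")
    return steps
```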
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-08-15 04:40:08 UTC
Maintainers please confirm that this is fixed in Bug # 625626
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2017-09-04 01:28:10 UTC
Let's try this again:
Maintainers please confirm that this is fixed in Bug # 625626
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 05:05:58 UTC
Ping, please confirm if we are still vulnerable.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2021-01-25 15:32:28 UTC
There is at least nothing left to do for us:

By default, MySQL still defaults to plaintext and a downgrade to plaintext is still possible.
If you want to prevent downgrades you must set the desired --ssl-mode.

Applications linked against libmysql must do the same via the API, which is available in >5.7.