QwikSec

Security Database

CVE

CWE

Training

CVE-2015-3152

Published: May 16, 2016

Modified: Aug 6, 2024

PUBLISHED

Description

Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html

x_refsource_MISC

http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/

x_refsource_CONFIRM

vdb-entry

x_refsource_BID

https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390

x_refsource_CONFIRM

https://access.redhat.com/security/cve/cve-2015-3152

x_refsource_CONFIRM

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_DEBIAN

http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/

x_refsource_MISC

vendor-advisory

x_refsource_REDHAT

vdb-entry

x_refsource_SECTRACK

https://www.duosecurity.com/blog/backronym-mysql-vulnerability

x_refsource_MISC

https://jira.mariadb.org/browse/MDEV-7937

x_refsource_CONFIRM

http://www.ocert.org/advisories/ocert-2015-003.html

x_refsource_MISC

FEDORA-2015-10831

vendor-advisory

x_refsource_FEDORA

20150429 [oCERT-2015-003] MySQL SSL/TLS downgrade

mailing-list

x_refsource_BUGTRAQ

FEDORA-2015-10849

vendor-advisory

x_refsource_FEDORA

vendor-advisory

x_refsource_REDHAT

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.