Perl devs solve ancient Riddle: 'What's a vuln we caught from Oracle?'

BACKRONYM also fixed, so pull the patch

The Perl 5 database interface maintainers have issued an important patch for DBD—MySQL: in some configurations it wasn't enforcing encryption.

As CVE-2017-10789 explains: “The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a 'your communication with the server will be encrypted' statement), which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152”.

As the developers note at GitHub, the error leaves systems vulnerable to BACKRONYM and Riddle attacks.

BACKRONYM was introduced to the world in 2015, when Oracle issued an incomplete MySQL patch that turned SSL off by default. Bugs in that patch led to Riddle, a possible man-in-the-middle with SSL downgrade that leaked user credentials.

The pull request fixes the issue: a connection to the MySQL server is rejected if the client can't enforce SSL encryption.

The issue was reported by Pali Rohár. ®

Biting the hand that feeds IT © 1998–2021