Information on the SSL connection vulnerability of MySQL and MariaDB
Last week, an SSL connection security vulnerability was reported for MySQL and MariaDB. Because MariaDB and MySQL do not enforce SSL when SSL support is enabled, man-in-the-middle (MITM) attacks are possible. A MITM attacker can intercept the secure connection and turn it into an insecure one, revealing data going back and forth to the server.
Issue resolution in MariaDB is visible through the corresponding ticket in MariaDB’s tracking system (JIRA): https://mariadb.atlassian.net/browse/MDEV-7937
The vulnerability affects the client library of the database server in both MariaDB and MySQL. However, it does not affect all of the libraries, drivers or connectors used to establish SSL connections with the server.
The vulnerability exists when the connection to the server is made through the client library libmysqlclient. This client library is provided with the database server and is a fork of the corresponding client library in MySQL. It is used by what is probably the most widely used tool, the MySQL command-line tool, a forked version of which is shipped with MariaDB.
In addition to libmysqlclient, the MariaDB project provides the following connectors:
- MariaDB Connector/C, https://mariadb.com/kb/en/mariadb/mariadb-connector-c/
- MariaDB Connector/J (Java Client), https://mariadb.com/kb/en/mariadb/about-the-mariadb-java-client/
- MariaDB Connector/ODBC, https://mariadb.com/kb/en/mariadb/mariadb-connector-odbc/
A related problem is that if the server can’t load the certificate or key file, it will start with just a warning in the logs, and SSL will be disabled. Apache, Sendmail, Dovecot, etc., if configured for SSL, will fail to start if they cannot load these files. MariaDB’s behavior may cause a developer to believe his system is running with SSL when it’s not, unless he manually checks to confirm the status of the connection each time.
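The manual status check described above can be scripted so that a deployment or monitoring job fails when SSL is not actually in use. The following is an added example, not code from MariaDB or from the original post; the function names and the sample rows are constructed for illustration, and it assumes the standard `have_ssl` variable and `Ssl_cipher` session status value.

```shell
#!/bin/sh
# Classify the SSL state of a MySQL/MariaDB session from the tab-separated
# output of the command-line client, for example:
#   mysql --batch --skip-column-names \
#     -e "SHOW VARIABLES LIKE 'have_ssl'; SHOW SESSION STATUS LIKE 'Ssl_cipher'"
#
# Reads "name<TAB>value" rows on stdin and prints a verdict.
# Exit status: 0 = session encrypted
#              1 = server is running without SSL active
#              2 = server has SSL, but this session is plaintext
#              3 = expected rows missing from the input
ssl_verdict() {
    awk -F '\t' '
        $1 == "have_ssl"   { have = $2;   seen_have = 1 }
        $1 == "Ssl_cipher" { cipher = $2; seen_cipher = 1 }
        END {
            if (!seen_have || !seen_cipher) {
                print "UNKNOWN: missing have_ssl or Ssl_cipher row"; exit 3
            }
            if (have != "YES") {
                # Covers the case where the server started with only a
                # warning in its log and SSL ended up disabled.
                print "FAIL: server SSL not active (have_ssl=" have ")"; exit 1
            }
            if (cipher == "") {
                # An empty cipher means this session is not encrypted.
                print "FAIL: this session is not encrypted"; exit 2
            }
            print "OK: session encrypted with " cipher
        }'
}

# Constructed sample outputs (not captured from a real server).
sample_ok()         { printf 'have_ssl\tYES\nSsl_cipher\tDHE-RSA-AES256-SHA\n'; }
sample_disabled()   { printf 'have_ssl\tDISABLED\nSsl_cipher\t\n'; }
sample_plaintext()  { printf 'have_ssl\tYES\nSsl_cipher\t\n'; }

# Demonstration run over the constructed samples.
for s in sample_ok sample_disabled sample_plaintext; do
    printf '%s: ' "$s"
    "$s" | ssl_verdict || true
done
```

In a real job, pipe the client's output into `ssl_verdict` and let a non-zero exit status abort the step.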