MariaDB itself is NOT affected by the DROWN vulnerability

Recently a serious vulnerability called DROWN was found. The vulnerability exists in systems that support SSLv2. There is a flaw in SSLv2 that could be used to decrypt information sent over newer SSL protocols such as TLS. More information about the DROWN vulnerability, CVE number CVE-2016-0800, can be found here:

Last December Sergei Golubchik wrote a blog post about The State of SSL in MariaDB, which explains which versions of SSL cryptography are used in which MariaDB version and what is inherited from MySQL. In that blog post you’ll see that MariaDB (and MySQL) have never supported SSLv2, which would be used in a DROWN attack. It’s therefore safe to say that MariaDB itself is not vulnerable to DROWN.

DROWN is a MitM (Man-in-the-Middle) attack. In general, to make sure that a client is talking directly to the MariaDB server, we recommend using server certificate verification, e.g.:

[client]
ssl-verify-server-cert
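
An added example (not from the original post or from MariaDB): a small Python check that reports whether an option file actually turns on ssl-verify-server-cert for the [client] group, rather than only mentioning it under another group or switching it off again later. The function name, the sample file and the simplified parsing rules (no !include following, skip-/disable- always treated as off) are assumptions of this sketch.

```python
import re

OPTION = "ssl-verify-server-cert"

# Constructed sample option file, not taken from a real system.
SAMPLE = """\
[mysqld]
ssl-verify-server-cert
[client]
port = 3306
ssl_verify_server_cert = ON   # underscore spelling of the same option
[mysqldump]
skip-ssl-verify-server-cert
"""

def verify_server_cert(text, groups=("client",)):
    """Return True/False for the last setting of ssl-verify-server-cert found
    in the given groups, or None if those groups never mention it."""
    state, in_group = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line or line[0] in ";!":           # comment or !include (not followed)
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_group = header.group(1).strip() in groups
            continue
        if not in_group:
            continue
        name, sep, value = line.partition("=")
        name = name.strip().replace("_", "-")     # treat dashes and underscores alike
        if name.startswith("loose-"):
            name = name[len("loose-"):]
        negated = name.startswith(("skip-", "disable-"))
        if negated:
            name = name.split("-", 1)[1]
        if name != OPTION:
            continue
        if negated:
            state = False                         # any value after skip-/disable- is ignored here
        elif not sep:
            state = True                          # bare option name switches it on
        else:
            state = value.strip().strip("'\"").lower() in {"1", "on", "true"}
    return state

if __name__ == "__main__":
    for g in ("client", "mysqldump", "mysql"):
        print(g, verify_server_cert(SAMPLE, groups=(g,)))
```

A result of None means the audited group never sets the option, so the client falls back to whatever default its version ships with.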

MariaDB relies on external libraries for cryptography, and in the case of the Linux versions of MariaDB, the library used is OpenSSL. Newer versions of OpenSSL have SSLv2 disabled, but older versions don’t. It’s hard to foresee how the DROWN vulnerability could be used against an old installed version of OpenSSL that is in use by MariaDB, since MariaDB itself, as mentioned above, doesn’t allow SSLv2. In any case, we recommend making sure that an up-to-date version of OpenSSL is installed on servers running MariaDB.