CVE-2016-2047

Name of the Vulnerable Software and Affected Versions MariaDB versions prior to 5.5.47 MariaDB versions 10.0.x prior to 10.0.23 MariaDB versions 10.1.x prior to 10.1.10 Oracle MySQL versions 5.5.48 and earlier Oracle MySQL versions 5.6.29 and earlier Oracle MySQL versions 5.7.11 and earlier Percona Server (affected versions not specified)

Description The issue arises from improper verification of the server hostname against the domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via a specific string in a certificate field. The vulnerability can be exploited by a high-privileged attacker with network access to compromise the MySQL Server, potentially leading to a denial-of-service (DOS) condition where the server hangs or crashes repeatedly.

Recommendations For MariaDB versions prior to 5.5.47, update to version 5.5.47 or later. For MariaDB versions 10.0.x prior to 10.0.23, update to version 10.0.23 or later. For MariaDB versions 10.1.x prior to 10.1.10, update to version 10.1.10 or later. For Oracle MySQL versions 5.5.48 and earlier, update to a version later than 5.5.48. For Oracle MySQL versions 5.6.29 and earlier, update to a version later than 5.6.29. For Oracle MySQL versions 5.7.11 and earlier, update to a version later than 5.7.11. For Percona Server, at the moment, there is no information about a newer version that contains a fix for this vulnerability.