Improper Access Control Affecting php56-mssql package, versions <0:5.6.12-1.116.amzn1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-AMZN201803-PHP56MSSQL-1689681
- published 27 Sep 2021
- disclosed 16 May 2016
Introduced: 16 May 2016
CVE-2015-3152 Open this link in a new tabHow to fix?
Upgrade Amazon-Linux:2018.03 php56-mssql to version 0:5.6.12-1.116.amzn1 or higher.
This issue was patched in ALAS-2015-585.
NVD Description
Note: Versions mentioned in the description apply only to the upstream php56-mssql package and not the php56-mssql package as distributed by Amazon-Linux.
See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.
Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, aka a "BACKRONYM" attack.
References
- http://www.securityfocus.com/bid/74398
- http://www.securityfocus.com/archive/1/535397/100/1100/threaded
- http://mysqlblog.fivefarmers.com/2015/04/29/ssltls-in-5-6-and-5-5-ocert-advisory/
- https://access.redhat.com/security/cve/cve-2015-3152
- https://github.com/mysql/mysql-server/commit/3bd5589e1a5a93f9c224badf983cd65c45215390
- https://jira.mariadb.org/browse/MDEV-7937
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3152
- http://www.debian.org/security/2015/dsa-3311
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161436.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161625.html
- http://mysqlblog.fivefarmers.com/2014/04/02/redefining-ssl-option/
- http://packetstormsecurity.com/files/131688/MySQL-SSL-TLS-Downgrade.html
- https://www.duosecurity.com/blog/backronym-mysql-vulnerability
- http://www.ocert.org/advisories/ocert-2015-003.html
- http://rhn.redhat.com/errata/RHSA-2015-1646.html
- http://rhn.redhat.com/errata/RHSA-2015-1647.html
- http://rhn.redhat.com/errata/RHSA-2015-1665.html
- http://www.securitytracker.com/id/1032216