MySQL 5.5 and 5.6 Vulnerability

Another day, another security vulnerability.

Today Oracle announced security vulnerabilities and associated software patches affecting MySQL 5.5 and 5.6:

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL

To address these vulnerabilities, your database instances will need to be upgraded to either MySQL 5.5.40 or 5.6.21.

If you’re on a hosted service such as RDS, expect to be upgraded during your next maintenance window. More info can be found on Amazon’s security site.

SSL v3.0 POODLE Vulnerability

A new SSL bug was announced today – CVE-2014-3566 (SSL v3.0 POODLE vulnerability).

This vulnerability affects servers still running SSL 3.0. It centers on SSL 3.0's cipher block chaining (CBC) encryption implementation and allows an attacker in a Man-in-the-Middle (MITM) position to derive the contents of an encrypted payload from the responses to requests that a compromised browser sends to a legitimate server.

One way to remedy this issue is to disable SSL 3.0 support, or at least SSL 3.0's CBC-mode ciphers, on your servers, but this presents significant compatibility problems with older browsers (specifically Windows XP users who browse with Internet Explorer 6). Instructions on how to disable it on NGINX can be found here.
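The NGINX fix comes down to the ssl_protocols directive, and a server block can pick up a weak value by inheritance or by relying on the built-in default without saying so. The following script is an added illustration for this post, not the post's own code and not part of nginx: it walks a small, constructed nginx config, resolves the ssl_protocols value each TLS-enabled server block actually uses, and reports the ones that still allow SSLv3 or SSLv2. The built-in default it assumes (SSLv3 TLSv1 TLSv1.1 TLSv1.2, the default before nginx 1.9.1) and the example host names are assumptions.

```python
"""Audit an nginx config for server blocks that still accept SSL 3.0.

Added illustration for this post; it is not the post's own code and not part
of nginx.  It walks a minimal nginx config (constructed samples below),
resolves the ``ssl_protocols`` value each TLS-enabled ``server`` block actually
uses, and reports those that still list SSLv3 or SSLv2, or that rely on the
built-in default, which nginx releases of this period (before 1.9.1, taken
here as an assumption) still populated with SSLv3.
"""

DEPRECATED = {"SSLv2", "SSLv3"}
# Assumed built-in default for nginx releases current in October 2014.
ASSUMED_DEFAULT = "SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Constructed sample: one server inherits the weak http-level setting, one
# overrides it with a hardened value, one serves plain HTTP and is not audited.
SAMPLE_CONFIG = """
http {
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # weak http-level default
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        # no ssl_protocols here, so the http-level value applies
    }
    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # hardened: SSL 3.0 removed
    }
    server {
        listen 80;
        server_name plain.example.com;
    }
}
"""

# Constructed sample with no directive at all: the built-in default applies.
NO_DIRECTIVE_CONFIG = """
http {
    server {
        listen 443 ssl;
        server_name default.example.com;
    }
}
"""


def _is_tls_server(block):
    """A server block is TLS-enabled if it says ``ssl on;`` or any of its
    ``listen`` lines carries the ``ssl`` parameter."""
    if block.get("ssl") == "on":
        return True
    return any("ssl" in value.split() for value in block["listen"])


def audit_ssl_protocols(config_text):
    """Return one finding per TLS-enabled server block whose effective
    ``ssl_protocols`` (own directive, else the nearest enclosing block's,
    else the assumed nginx default) still enables a deprecated protocol."""
    findings = []
    stack = []  # one dict of directives per open block; innermost last
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            stack.append({"_block": line[:-1].strip(), "listen": []})
        elif line == "}":
            closed = stack.pop()
            if closed["_block"] != "server" or not _is_tls_server(closed):
                continue
            scope = [*stack, closed]  # enclosing blocks plus the server itself
            effective = next(
                (b["ssl_protocols"] for b in reversed(scope) if "ssl_protocols" in b),
                None,
            )
            enabled = set((effective or ASSUMED_DEFAULT).split())
            bad = sorted(enabled & DEPRECATED)
            if bad:
                findings.append({
                    "server": closed.get("server_name", "<unnamed>"),
                    "effective": effective or "(nginx default)",
                    "problem": "enables " + ", ".join(bad),
                })
        elif line.endswith(";") and stack:
            key, _, value = line[:-1].partition(" ")
            if key == "listen":
                stack[-1]["listen"].append(value.strip())
            else:
                stack[-1][key] = value.strip()
    return findings


if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE_CONFIG) + audit_ssl_protocols(NO_DIRECTIVE_CONFIG):
        print(f"{f['server']}: {f['problem']} via ssl_protocols {f['effective']}")
```

The inheritance lookup is the point of the check: the legacy server block never mentions SSLv3 itself, yet it is the one reported, while the block that sets its own hardened list passes. A server with no directive anywhere in scope is reported against the assumed default, which is the case a grep for "SSLv3" misses entirely.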

The other option (recommended by Google, among others) is to make use of TLS_FALLBACK_SCSV. This mechanism solves the problems caused by retrying failed connections at a lower protocol version and so prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Unfortunately TLS_FALLBACK_SCSV is currently a draft extension to SSL/TLS and has not yet been accepted into OpenSSL or made its way into major browsers other than Chrome.
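To make the mechanism concrete, here is a model of both sides of the exchange, written as an added illustration for this post; it is not the post's own code and not a real TLS stack. Handshakes are reduced to the two fields the check reads (the ClientHello's client_version and its cipher-suite list), an induced connection failure is modelled as a set of protocol versions whose attempt never reaches the server, and the version numbers, the SCSV value 0x5600 and the inappropriate_fallback alert code 86 follow the draft that became RFC 7507. The filler cipher-suite id and the outcome labels are this example's own.

```python
"""Model of the TLS_FALLBACK_SCSV downgrade check.

Added illustration for this post (not the post's own code, not a real TLS
implementation).  The server refuses a ClientHello that is marked as a
fallback yet offers a version below the server's best; the client models a
browser's downgrade dance, retrying one version lower after each failure and
marking every retry with the signalling cipher suite.
"""

TLS_FALLBACK_SCSV = 0x5600   # signalling cipher-suite value from the draft
INAPPROPRIATE_FALLBACK = 86  # alert description the server answers with
A_REAL_SUITE = 0x002F        # TLS_RSA_WITH_AES_128_CBC_SHA, used as filler

SSLV3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSLV3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}


def server_hello(client_version, cipher_suites, server_max):
    """Server side of the check.  A hello that carries the SCSV but offers a
    version below the server's best is a downgrade the client did not need,
    so the server sends a fatal inappropriate_fallback alert instead of
    negotiating.  Clients that genuinely top out at an old version never send
    the SCSV on a first attempt, so they are unaffected."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("ok", min(client_version, server_max))


def client_connect(server_max, dropped, use_scsv=True,
                   versions=(TLS12, TLS11, TLS10, SSLV3)):
    """Client side: try the highest version first; when an attempt fails,
    retry one version lower.  An SCSV-aware client appends the signalling
    suite to every retry so the server can tell a real old client from one
    that was pushed down.  ``dropped`` is the (modelled) set of versions whose
    attempt never reaches the server.  Returns (outcome, transcript)."""
    transcript = []
    for attempt, version in enumerate(versions):
        suites = [A_REAL_SUITE]
        if use_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        if version in dropped:
            transcript.append((NAMES[version], "connection dropped"))
            continue
        kind, detail = server_hello(version, suites, server_max)
        transcript.append((NAMES[version], kind, detail))
        if kind == "ok":
            return ("connected", NAMES[detail]), transcript
        if detail == INAPPROPRIATE_FALLBACK:
            # Fatal alert: the client stops here rather than retrying lower.
            return ("aborted", "inappropriate_fallback"), transcript
    return ("failed", None), transcript


if __name__ == "__main__":
    forced_down = {TLS12, TLS11, TLS10}  # every attempt above SSLv3 fails
    for scsv in (False, True):
        outcome, steps = client_connect(TLS12, forced_down, use_scsv=scsv)
        print("SCSV" if scsv else "legacy", outcome, steps)
```

Running it side by side shows the trade the post describes: against a TLS 1.2 server whose higher-version attempts all fail, the legacy client ends up negotiating SSLv3, while the SCSV-aware client reaches the server at SSLv3, is told the fallback was inappropriate, and aborts instead of completing a downgraded handshake. The same check leaves a genuinely SSLv3-only server, or a server whose best really is TLS 1.1, reachable, because in those cases the offered version is not below the server's best.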

You can use GeoTrust’s SSL Tool Box to detect if SSL 3.0 is enabled on a web server.

HipChat 3.0

HipChat rolled out a huge update to their Mac client today (other platforms will follow soon) that features a number of great changes, including a brand new, lightweight UI, and so far I'm really digging it.

I was a big fan of the previous UI over competitors such as Slack and this update makes using HipChat even better.

Some other changes in this update include emoticon autocomplete, unread message counts and new presence icons. You can read all about it on their blog.