F5 Networks BIG-IP : MySQL vulnerability (K16845) (BACKRONYM)
Medium Nessus Plugin ID 111708
Synopsis
The remote device is missing a vendor-supplied security patch.
Description
An unspecified vulnerability in the MySQL Client component in Oracle MySQL 5.7.2 and earlier allows an attacker to downgrade MySQL SSL/TLS connections, snoop database queries and results, or directly manipulate database contents. (CVE-2015-3152)
Although the BIG-IP system includes the vulnerable components, the vulnerability is not exposed in a standard configuration. The MySQL Client could be used from the BIG-IP CLI to initiate SSL/TLS connections to a remote database. The built-in BIG-IP MySQL monitor does not support SSL/TLS. However, a custom External Application Verification (EAV) monitor could be written to use MySQL with SSL/TLS.
In a standard/default configuration, the BIG-IP system is not vulnerable.
Note: Enterprise Manager does not support the configuration of EAV monitors.
Solution
Upgrade to one of the non-vulnerable versions listed in the F5 Solution K16845.