Synopsis
The remote database server uses a version of OpenSSL known to be affected by multiple vulnerabilities.
Description
The version of MySQL Enterprise Server 5.6 installed on the remote host is 5.6.x prior to 5.6.29 or 5.7.x prior to 5.7.11. It is, therefore, affected by multiple vulnerabilities in the included OpenSSL library:
- A NULL pointer dereference flaw exists in file rsa_ameth.c due to improper handling of ASN.1 signatures that are missing the PSS parameter. A remote attacker can exploit this to cause the signature verification routine to crash, resulting in a denial of service condition. (CVE-2015-3194)
- A flaw exists in the ASN1_TFLG_COMBINE implementation in file tasn_dec.c related to handling malformed X509_ATTRIBUTE structures. A remote attacker can exploit this to cause a memory leak by triggering a decoding failure in a PKCS#7 or CMS application, resulting in a denial of service. (CVE-2015-3195)
Solution
Upgrade to MySQL Enterprise Server version 5.6.29 / 5.7.11 or later.
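A branch-aware version check that applies the affected ranges above to the string MySQL returns from `SELECT VERSION()`; this is an added example, not code from the plugin or from Oracle, and the sample version strings are constructed. It reports only the two branches the advisory names (5.6.x and 5.7.x) and returns None for any other branch rather than guessing.

```python
import re
from typing import Optional, Tuple

# First fixed release per branch, taken from the advisory text above.
FIXED_VERSIONS = {
    (5, 6): (5, 6, 29),
    (5, 7): (5, 7, 11),
}

# MySQL version strings look like "5.6.28-enterprise-commercial-advanced-log";
# only the leading numeric triple is relevant for this check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(version_string: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a SELECT VERSION() result."""
    match = _VERSION_RE.match(version_string.strip())
    if not match:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_affected(version_string: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch,
    False if it is at or above it, None if the branch is out of scope."""
    version = parse_mysql_version(version_string)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None  # branch not covered by this advisory
    return version < fixed  # tuple comparison: 5.6.28 < 5.6.29


if __name__ == "__main__":
    # Constructed sample VERSION() outputs, not taken from real hosts.
    samples = [
        "5.6.28-enterprise-commercial-advanced-log",
        "5.6.29-enterprise-commercial-advanced",
        "5.7.10-enterprise-commercial-advanced",
        "5.7.11-log",
        "5.5.50",
    ]
    for sample in samples:
        print(f"{sample:45} affected={is_affected(sample)}")
```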