SSL Connection Vulnerability of MySQL and MariaDB: Find out more
rasmusjohansson

As some of you may know, a vulnerability in certain versions of OpenSSL has been announced as CVE-2014-0160 (“Heartbleed”).

After the announcement on Monday 7th April 2014, the team began investigating the level of potential risk to our hosted systems and on-premise software.

Hosted Systems

Since SkySQL.com and MariaDB.com use OpenSSL in their platforms, it was deemed necessary to immediately update all platforms with the recommended security patches.

Please be assured that our online systems are no longer at risk from this vulnerability.

We recommend that all users of SkySQL and MariaDB online services update their passwords at their earliest convenience.

On-premise Software

MariaDB binaries, including MariaDB Galera Cluster, on Linux and other non-Windows platforms are dynamically linked with OpenSSL. If SSL support for MariaDB has been enabled (it is disabled by default), MariaDB is therefore as vulnerable as the underlying system OpenSSL itself. You can easily check whether it has been enabled by running the command "show variables like 'have_ssl';".

Windows binaries use yaSSL and are therefore not affected by the vulnerability.

In all cases, the platform that MariaDB or MariaDB Galera Cluster runs on should be checked for OpenSSL and its version. If a vulnerable version of OpenSSL is found, it should be upgraded to a safe version, and it's recommended to change all user passwords.
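The two checks above can be scripted together. The following is an added example, not code from this post or from MariaDB/SkySQL: it combines the `have_ssl` value with the `openssl version` line. The function names and status words are made up here, and the affected upstream range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) comes from the OpenSSL advisory rather than from this post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and status words
# are made up for this illustration.
# Affected upstream releases (OpenSSL advisory for CVE-2014-0160):
# 1.0.1 through 1.0.1f, and the 1.0.2-beta1 pre-release. Fixed in 1.0.1g.

# Return 0 if an `openssl version` line names an affected upstream release.
openssl_in_heartbleed_range() {
    # Constructed sample input: "OpenSSL 1.0.1e 11 Feb 2013" -> 1.0.1e
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%-fips}    # some builds report e.g. 1.0.1e-fips
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the server's have_ssl value (YES, NO or DISABLED) with the version line.
# Prints: ok | upgrade-openssl | exposed
mariadb_heartbleed_status() {
    have_ssl=$1
    ossl=$2
    if ! openssl_in_heartbleed_range "$ossl"; then
        echo ok
    elif [ "$have_ssl" = YES ]; then
        echo exposed            # SSL is enabled on an affected library
    else
        echo upgrade-openssl    # library affected, MariaDB SSL not enabled
    fi
}

# Live check, only when invoked with --live. Assumes the mysql client can log
# in with its default credentials and that the openssl CLI comes from the same
# system package as the libssl that mysqld loads.
if [ "${1:-}" = "--live" ]; then
    have=$(mysql -N -B -e "SHOW VARIABLES LIKE 'have_ssl'" | awk '{print $2}')
    mariadb_heartbleed_status "$have" "$(openssl version)"
fi
```

A match on the version string means the package needs checking, not that it is proven vulnerable: distributions commonly backport the fix without changing the upstream version. Because OpenSSL is dynamically linked, restart mysqld after upgrading so that it loads the new library.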

MaxScale, the intelligent proxy for MySQL and MariaDB, also makes use of OpenSSL. OpenSSL is dynamically linked to MaxScale, so if you're using MaxScale, make sure to upgrade OpenSSL as well.

MariaDB Manager doesn't make use of OpenSSL.

We are dedicated to resolving security issues promptly, while remaining open and honest with our customers.

Please check back often, and if you require assistance, please contact support@skysql.com.

Thank you.


About the Author


Rasmus has worked with MariaDB since 2010 and was appointed VP Engineering in 2013. As such, he takes overall responsibility for the architecting and development of MariaDB Server, MariaDB Galera Cluster and MariaDB Enterprise.
