K53729441 : MySQL vulnerability CVE-2016-2047

Published: 2016-07-26 00:00:00
Source: my.f5.com

AI Score: 5.9 Medium (Confidence: High)
EPSS: 0.003 Low (Percentile: 71.1%)

Security Advisory Description

The ssl_verify_server_cert function in sql-common/client.c in MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10; Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier; and Percona Server do not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a “/CN=” string in a field in a certificate, as demonstrated by “/OU=/CN=bar.com/CN=foo.com.” (CVE-2016-2047)
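As an added illustration (not F5's, MySQL's or MariaDB's code), the C model below shows the pattern behind this CVE: the certificate subject is flattened to a one-line "/TYPE=value" string and the first "/CN=" substring is trusted, so an OU value of "/CN=bar.com" is taken for the Common Name. It is contrasted with a check that walks the structured subject entries. The dn_entry type, the flattening helper and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* One entry of a certificate subject (constructed model, not OpenSSL's X509_NAME). */
typedef struct { const char *type; const char *value; } dn_entry;

/* Flatten the subject the way a one-line DN renderer does: "/TYPE=value/TYPE=value".
 * Values are copied verbatim, so a value that itself contains "/CN=" is ambiguous. */
static void dn_oneline(const dn_entry *dn, size_t n, char *out, size_t outlen) {
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t used = strlen(out);
        snprintf(out + used, outlen - used, "/%s=%s", dn[i].type, dn[i].value);
    }
}

/* Pre-fix pattern: take the first "/CN=" in the flattened string and compare the text
 * up to the next '/' with the expected hostname. Returns 1 on match, 0 otherwise. */
int cn_matches_vulnerable(const char *oneline, const char *hostname) {
    const char *cn = strstr(oneline, "/CN=");
    if (!cn) return 0;
    cn += 4;
    const char *end = strchr(cn, '/');
    size_t len = end ? (size_t)(end - cn) : strlen(cn);
    return len == strlen(hostname) && strncmp(cn, hostname, len) == 0;
}

/* Fixed pattern: walk the structured subject, consider only entries whose type is CN,
 * and compare each CN value whole. (subjectAltName handling is outside this model.) */
int cn_matches_fixed(const dn_entry *dn, size_t n, const char *hostname) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(dn[i].type, "CN") == 0 && strcmp(dn[i].value, hostname) == 0)
            return 1;
    return 0;
}

/* Constructed subject from the advisory's example: the real CN is foo.com, but the OU
 * value embeds "/CN=bar.com". Returns 1 if the vulnerable check accepts it for bar.com. */
int demo_vulnerable_accepts_bar(void) {
    const dn_entry subj[] = { {"OU", "/CN=bar.com"}, {"CN", "foo.com"} };
    char buf[256];
    dn_oneline(subj, 2, buf, sizeof buf);   /* "/OU=/CN=bar.com/CN=foo.com" */
    return cn_matches_vulnerable(buf, "bar.com");
}

/* Same subject through the structured check. Returns 1 if it is correctly rejected. */
int demo_fixed_rejects_bar(void) {
    const dn_entry subj[] = { {"OU", "/CN=bar.com"}, {"CN", "foo.com"} };
    return cn_matches_fixed(subj, 2, "bar.com") == 0 && cn_matches_fixed(subj, 2, "foo.com") == 1;
}
```

The defensive takeaway is the second function: extract the CN from the parsed subject entries (and check subjectAltName) rather than pattern-matching a rendered string.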

Impact

In a standard, recommended configuration, the BIG-IP system is not vulnerable because it does not use the affected functionality: the built-in MySQL monitors do not validate X.509 certificates and are therefore not subject to this vulnerability. However, a customer can write a custom Extended Application Verification (EAV) monitor that uses the MySQL client, and such a monitor would be vulnerable to this issue. Exploitation is considered low risk and low value, with high complexity: the attacker must hold a network man-in-the-middle position, which for a monitor would typically be somewhere between the BIG-IP egress point and a backend server.