In this post, we will cover a newly discovered security vulnerability in the MySQL Server product of Oracle MySQL, specifically in the Federated component of the server. Supported versions affected by this vulnerability include 5.7.36 and prior and 8.0.27 and prior. This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-21270.

This is an easily exploitable vulnerability, allowing a high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks exploiting this vulnerability result in an unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete Denial of Service (DoS) of the MySQL Server. The CVSS 3.1 Base Score for the vulnerability is 4.9; the impact is on availability only. The CVSS Vector is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Code Snippet

Here's a code snippet that demonstrates the vulnerability. Remember, this is for educational purposes only and should not be used for any malicious intent.

-- Set up the Federated table on the vulnerable MySQL server.
-- The FEDERATED engine is disabled by default and must be enabled for this to work.
CREATE TABLE test_table (
    id INT(11),
    name VARCHAR(20),
    PRIMARY KEY(id)
) ENGINE=FEDERATED CONNECTION='mysql://user:password@remote_server:port/database/test_table';

-- Insert data that could exploit the vulnerability
INSERT INTO test_table (id, name) VALUES (1, 'Exploit Attempt');

Original References

1. Oracle Critical Patch Update Advisory - January 2023: Link
2. NVD - CVE-2022-21270: Link
3. MySQL: Link

Exploit Details

The exploit detailed in this post takes advantage of a vulnerability in the Federated component of MySQL Server. To set the stage for this attack, an attacker with high privileges first sets up a Federated table on the targeted MySQL server. This table links to a remote MySQL server that holds the data used to trigger the vulnerability. By inserting specifically crafted data into this table, the attacker can cause the MySQL server to either hang or crash.

Because the attack is simple to carry out, it can be repeated at will, leading to a complete Denial of Service (DoS) for the targeted MySQL Server and leaving it unusable and inaccessible.

The affected MySQL Server versions include 5.7.36 and prior, and 8.0.27 and prior. Oracle has been made aware of this vulnerability and has released patches as part of their Critical Patch Update (CPU) in January 2023, which can be found in the original reference links above.

As a server administrator or database manager, it is crucial to keep your MySQL Server updated and patched against known vulnerabilities. Make sure to follow the guidance provided by Oracle and apply the necessary patches to protect your servers from this dangerous vulnerability and ensure their continued availability and security.
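The following is an added exposure check, not code from the original post: it combines the affected version ranges stated above with the server's engine list and table inventory to decide whether a given MySQL instance is actually exposed (a vulnerable version with the FEDERATED engine enabled). It assumes the caller has already run SELECT VERSION(), SHOW ENGINES and a query against information_schema.TABLES and passes the returned rows in; the sample rows at the bottom are constructed.

```python
"""Exposure check for CVE-2022-21270 (MySQL Federated). Added example, not from the post."""
import re

# Affected ranges exactly as the advisory states them: 5.7.36 and prior, 8.0.27 and prior.
# Series not listed here (e.g. 5.6) are reported as not affected by this function.
AFFECTED_MAX_PATCH = {(5, 7): 36, (8, 0): 27}


def parse_version(version_string):
    """Parse SELECT VERSION() output such as '8.0.27-0ubuntu0.20.04.1' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version_string):
    """True when the version falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version_string)
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    return max_patch is not None and patch <= max_patch


def assess(version_string, engine_rows, table_rows):
    """Build a finding from three already-collected query results.

    engine_rows: (Engine, Support) pairs from SHOW ENGINES.
    table_rows:  (TABLE_SCHEMA, TABLE_NAME, ENGINE) from information_schema.TABLES.
    The server is only exposed if the version is affected AND FEDERATED is enabled;
    existing FEDERATED tables are listed so an operator knows what the engine is used for.
    """
    federated_enabled = any(
        eng.upper() == "FEDERATED" and support.upper() in ("YES", "DEFAULT")
        for eng, support in engine_rows
    )
    federated_tables = [f"{s}.{t}" for s, t, e in table_rows if e.upper() == "FEDERATED"]
    vulnerable = is_affected(version_string)
    return {
        "vulnerable_version": vulnerable,
        "federated_enabled": federated_enabled,
        "federated_tables": federated_tables,
        "exposed": vulnerable and federated_enabled,
    }


if __name__ == "__main__":
    # Constructed sample rows standing in for real query output.
    engines = [("InnoDB", "DEFAULT"), ("FEDERATED", "YES"), ("MEMORY", "YES")]
    tables = [("app", "orders", "InnoDB"), ("app", "test_table", "FEDERATED")]
    print(assess("8.0.27-0ubuntu0.20.04.1", engines, tables))
```

Hosts reported as exposed should be patched first; where FEDERATED is enabled but no FEDERATED tables exist, disabling the engine removes the exposure until the upgrade.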

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 04/19/2022 04:08:00 UTC