CVE-2022-21278 The MySQL Server product of Oracle MySQL contains a vulnerability that affects versions 8.0.26 and prior.

Vulnerable versions are server versions 8.0.26 and prior. Note: 8.0.32 and 8.0.33 are also vulnerable, but are not listed as they are end of life. Note: This issue exists because of a change in MySQL Server code which has been backported to 8.0.26 and 8.0.27. Due to the backward incompatibility of this backport, 8.0.27 and 8.0.28 are also vulnerable. Mitigation for this issue includes using one of the following workarounds: using the --skip-innodb_flush_indexes option to drop invalid data from the database tables to avoid the database index being invalidated, or using the --enable-debug option to enable debug logging of the problematic insertions that cause the DoS.

Who is affected?

This vulnerability affects all versions of MySQL Server through 8.0.26, as well as 8.0.27 and, in some instances, 8.0.28.

Versions 8.0.26 and 8.0.27 are vulnerable

Versions 8.0.26 and 8.0.27 are vulnerable to the MySQL Denial of Service (DoS) attack, CVE-2022-21278. This issue exists because of a change in MySQL Server code which has been backported to 8.0.26 and 8.0.27; due to the backward incompatibility of this backport, 8.0.27 and 8.0.28 are also vulnerable to this DoS attack. They are additionally subject to it themselves if they have been upgraded from earlier versions of MySQL Server without applying the fix that was backported to them from a later version of MySQL Server, such as the MySQL 5.7 or 5.8 releases through the current stable release at the time of writing, MySQL 9.6 WL#539151 (released Dec 2018).
Mitigation for this issue includes using one of the following workarounds: using the --skip-innodb_flush_indexes option to drop invalid data from the database tables to avoid the database index being invalidated, or using the --enable-debug option to enable debug logging of the problematic insertions that cause the DoS.

MySQL 5.6.35

This release fixes several vulnerabilities, and it is strongly recommended that you upgrade as soon as possible. The following vulnerabilities have been fixed: CVE-2018-2562: InnoDB: DML does not properly invalidate a foreign key constraint on a mysql.user table when the referenced user's record is updated in the mysql.db table.

What is MySQL DB Encryption?

MySQL DB Encryption is a new feature that protects your data in the MySQL database. It's easy to use, and there's nothing you need to do with your existing app or website.
With MySQL DB Encryption, you can encrypt your data at rest with a 256-bit key, so only those who have the key can see it. You choose how long you want to keep the keys: either 24 hours or one week, depending on what makes sense for your application. If you lose your key after 24 hours, the data will be inaccessible and gone forever; however, if you lose it after one week, then only those who know the password will be able to decrypt it.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/24/2022 17:20:00 UTC
