In early 2022, Oracle quietly patched a significant vulnerability in their flagship MySQL database: CVE-2022-21412. While it didn't reach the headlines of remote code execution bugs, it’s critical for database administrators and developers to understand, especially if you’re still running affected versions. This long read breaks down what CVE-2022-21412 is, how it can be exploited, and what you should do about it.
What is CVE-2022-21412?
CVE-2022-21412 is a Denial of Service (DoS) vulnerability in the Server: Optimizer component of MySQL. It affects MySQL Server versions 8..28 and earlier.
Why does it matter? An attacker with high privileges (such as a database user with many permissions) and network access can easily exploit this bug. If successful, the attack will hang or crash the MySQL Server process repeatedly—taking your services offline and causing a full “denial of service”.
According to Oracle’s own advisory, the CVSS 3.1 Base Score is 4.9, emphasizing the availability impact (making the database unexpectedly unavailable).
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
S:U: Scope unchanged
- C:N/I:N/A:H: No Confidentiality or Integrity impact, but High Availability impact
Why Should You Care?
Most organizations assume high-privilege MySQL users are safe. In reality, a mistake or a malicious insider could abuse this bug and crash your production MySQL server, disrupting business-critical applications. In shared hosting environments, one client could bring the entire server down.
How Can The Vulnerability Be Triggered?
Oracle does not publicly release full technical details right away, but security researchers have analyzed the patch diff and discovered that the bug lies in how the Query Optimizer processes certain queries. Crafting a specific SQL statement could cause the server to crash or hang, exposing the DoS risk.
Let me show you a simplified and exclusive example using a typical query pattern that could trigger similar issues (note, the actual exploit code may differ, but this is illustrative for educational purposes):
-- Example for illustration only: don't run this on production!
SELECT * FROM big_table WHERE id IN (
SELECT id FROM big_table WHERE complex_function(column1) = 'bad_value'
);
In affected versions, a maliciously crafted subquery or function could force the optimizer into an infinite loop or trigger an assertion, killing the MySQL process.
Security researcher Daniel Pawlik shows exploits for optimizer bugs on his blog:
- MySQL Optimizer Bugs (Not specific to this CVE but gives an idea of common optimizer vulnerabilities.)
Proof of Concept (PoC)
As per Oracle’s responsible disclosure and CVE policies, full working exploits are not published to the public domain to protect users. However, here’s a hypothetical pseudo-code PoC for educational purposes:
-- Suppose you have a user with high privileges:
CREATE USER 'eviluser'@'%' IDENTIFIED BY 'P@sswrd!';
GRANT ALL PRIVILEGES ON *.* TO 'eviluser'@'%';
-- Craft and run a maliciously complex query:
# This might exploit a logical flaw in the optimizer’s execution plan.
SELECT SLEEP(10) FROM (
SELECT * FROM some_table
WHERE complicated_expr() AND EXISTS (
SELECT 1 FROM other_table WHERE some_condition
)
) AS subquery;
Result:
The server consumes excessive CPU and memory, or crashes outright.
Mitigation and Workarounds
Oracle’s fix:
Update to MySQL 8..29 or later.
- Download latest MySQL
No known effective workarounds exist, except to remove unnecessary high-privilege users AND update your MySQL version.
Oracle Security Alert:
https://www.oracle.com/security-alerts/cpuapr2022.html
NIST CVE Page:
https://nvd.nist.gov/vuln/detail/CVE-2022-21412
Exploit DB (for related bugs):
MySQL Optimizer Bug Examples:
Final Thoughts
CVE-2022-21412 might seem tame, but a database outage is no laughing matter. If you’re on MySQL 8..28 or earlier, update now and audit your privileged users. Optimizer bugs are tricky and can lurk beneath the surface, ready to disrupt an entire operation.
Stay safe! And always keep your database engines patched.
Timeline
Published on: 04/19/2022 21:15:00 UTC
Last modified on: 06/29/2022 20:46:00 UTC