A new vulnerability (CVE-2022-21440) has been discovered in the MySQL Server product of Oracle MySQL, specifically in the Server: Optimizer component. It affects supported versions 8.0.28 and prior and, if successfully exploited by a high-privileged attacker, can lead to a complete denial of service (DoS) or unauthorized data manipulation. The CVSS 3.1 Base Score is 5.5, with Integrity and Availability impacts. The CVSS Vector is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).

Exploit Details

The CVE-2022-21440 vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise the MySQL Server. An attacker who exploits it can gain unauthorized update, insert, or delete access to some of the data accessible by the MySQL Server. A successful attack can also cause a hang or a frequently repeatable crash (complete DoS) of the MySQL Server.

Because the flaw lies in the Server: Optimizer component, it concerns how MySQL plans and optimizes queries. It is triggered when specific query patterns are executed, leading to unintended behavior that can result in denial of service or unauthorized modification of protected data.

Code Snippet Example

The exact code used to exploit this vulnerability has not been publicly disclosed. As an illustration only, a query pattern of the kind the optimizer must plan might look like this:

-- Illustrative pattern, not a known trigger: a row constructor from vulnerable_table
-- is compared against a UNION subquery, and the result is sorted.
SELECT * FROM vulnerable_table WHERE
( column_a, column_b ) IN
( SELECT column_a, column_b FROM another_table
  UNION SELECT column_c, column_d FROM yet_another_table )
ORDER BY some_common_column;

This example is hypothetical: it shows the kind of UNION-based subquery that the Server: Optimizer component has to plan, and which the page supposes could trigger unintended behavior leading to a crash or unauthorized data manipulation.

References

- Oracle Critical Patch Update Advisory - January 2022
- CVE-2022-21440 Detail - NIST National Vulnerability Database (NVD)
- MySQL Security Notes - Oracle

Mitigation

MySQL Server administrators should update their server instances to the latest version (8.0.29 or newer) to address this vulnerability. Oracle released the fix as part of the Critical Patch Update advisory for January 2022.
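As an added example (not code from the original page or from Oracle), the helper below classifies VERSION() strings collected from a fleet of MySQL servers against the fixed release named above. The sample version strings are constructed, and the handling of distribution suffixes such as "-0ubuntu0.20.04.3" or "-log" is an assumption about typical build strings.

```python
import re

# From the advisory text: 8.0.28 and prior are affected; the fix ships in 8.0.29.
FIXED_VERSION = (8, 0, 29)

# Leading numeric triple; anything after it (e.g. "-0ubuntu0.20.04.3", "-log") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(version_string):
    """Return (major, minor, patch) from a MySQL VERSION() string.

    Raises ValueError for strings that do not start with a numeric triple,
    so that a garbled inventory entry is surfaced instead of silently passing.
    """
    match = _VERSION_RE.match(version_string.strip())
    if not match:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def classify_cve_2022_21440(version_string):
    """Classify a server as 'affected', 'fixed', or 'not-listed'.

    Only the 8.0 series is compared against the fixed version, because that is
    the series named on this page; other series are reported as 'not-listed'
    so an operator checks the vendor advisory rather than assuming they are safe.
    """
    major, minor, patch = parse_mysql_version(version_string)
    if (major, minor) != (8, 0):
        return "not-listed"
    return "affected" if (major, minor, patch) < FIXED_VERSION else "fixed"


def triage(inventory):
    """Map {host: VERSION() string} to {host: classification} for a fleet."""
    return {host: classify_cve_2022_21440(v) for host, v in inventory.items()}


# Constructed sample inventory, as an operator might collect it with SELECT VERSION().
SAMPLE_INVENTORY = {
    "db-prod-1": "8.0.28-0ubuntu0.20.04.3",
    "db-prod-2": "8.0.29",
    "db-report": "8.0.30-log",
    "db-legacy": "5.7.37",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```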

Because the attack requires network access and high privileges, administrators should also restrict which accounts hold elevated privileges, limit network reachability of the MySQL Server, and monitor incoming queries for unusual patterns so that attempts to exploit the vulnerability can be detected.

Conclusion

CVE-2022-21440 is a vulnerability in MySQL Server (versions 8.0.28 and prior) that can result in denial of service and unauthorized data manipulation. Administrators should update their server instances promptly and apply appropriate network and privilege restrictions to mitigate the associated risk.

Timeline

Published on: 04/19/2022 21:15:00 UTC
Last modified on: 06/29/2022 20:49:00 UTC