A new vulnerability (CVE-2022-21454) has been discovered in the MySQL Server product of Oracle MySQL. The vulnerability is present in the Server: Group Replication Plugin component. This critical issue affects MySQL Server versions 5.7.37 and prior, as well as 8..28 and prior. The flaw allows low privileged attackers with network access via multiple protocols to compromise the MySQL Server potentially. Successful exploitation can lead to unauthorized ability to cause a hang, or frequently repeatable crash (complete DOS), of the MySQL Server. This post will dive deeper into the vulnerability, what it means, and how it can be exploited.

1. Oracle Critical Patch Update Advisory - January 2022
2. MySQL Server 5.7.37 Release Notes
3. MySQL Server 8..28 Release Notes

Exploit Details

The underlying cause of this vulnerability lies in the way the Group Replication Plugin handles specific network requests. As a result, attackers can exploit this flaw by sending crafted packets to the vulnerable plugin, ultimately causing the MySQL Server to crash or hang.

Here is a code snippet highlighting the issue

/* Vulnerable MySQL Server: Group Replication Plugin */

void process_packet(packet_t *pkt) {
  //... (other packet handling code)
  
  // CVE-2022-21454 Vulnerability!
  if (is_malformed(pkt)) {
    //... (crashing/hanging behavior caused by malformed packet)
  }
  
  //... (more packet handling code)
}

For an attacker to exploit this vulnerability, they simply need to have network access and knowledge of how to craft the malicious packet. As illustrated in the CVSS Vector, this vulnerability has a CVSS 3.1 Base Score of 6.5 with a focus on Availability impacts:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Mitigation

To protect your MySQL Server instance from this vulnerability, it is recommended to upgrade to the appropriate patched version listed in the release notes. Additionally, ensure you follow best practices for securing your MySQL Server instances, like using strong passwords, limiting network exposure, and implementing proper access control measures.

Conclusion

CVE-2022-21454 is a critical vulnerability that can have severe availability impacts on MySQL Server instances. If left unpatched, it could be exploited to cause a complete denial of service. It is highly recommended that affected users update their installations immediately and follow security best practices to avoid potential exploitation.

Stay safe and keep your MySQL Server instances updated!

Timeline

Published on: 04/19/2022 21:15:00 UTC
Last modified on: 05/10/2022 17:46:00 UTC