In April 2022, Oracle published a security advisory for CVE-2022-21490, a potentially dangerous vulnerability affecting MySQL Cluster—one of the most popular distributed databases around. In this post, we'll break down what CVE-2022-21490 is, how attackers could exploit it, see a code snippet that helps illustrate the threat, cite reference links for further reading, and give you clear guidance—all in simple language.

What Is CVE-2022-21490?

CVE-2022-21490 is a vulnerability found in the Cluster: General component of Oracle MySQL Cluster. This bug is present in these supported versions:

Key Points

- Attack is difficult: The attacker needs to have high privileges and physical or local network access to the segment where the MySQL Cluster is running.
- Needs human help: The exploit requires another user (not the attacker) to interact with the system.
- Takeover possible: Compromise could result in full control of the MySQL Cluster—meaning unauthorized reads, modifications, or destruction of data.

CVSS v3.1 Base Score: 6.3 (Medium severity)

- Vector: AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
- AV:A/AC:H/PR:H/UI:R: Adjacent-network access, high attack complexity, high privileges required, and user interaction required
- S:U: Scope unchanged, so the impact stays within the vulnerable component (a single system)
- C:H/I:H/A:H: Full Confidentiality, Integrity, and Availability impact if exploited

How Could Someone Exploit CVE-2022-21490?

This flaw specifically affects systems where MySQL Cluster servers communicate over a physical segment (like a local switch or VLAN). If an attacker already has high privileges on that segment (for example, as a network engineer or a malicious insider), they could intercept or tamper with traffic between cluster nodes.

The exploit would involve tricking another privileged admin or operator to interact with the system (perhaps to restart a node, or access cluster logs), leveraging a manipulated packet or injected code to achieve execution within the cluster processes.

1. Attacker gains access to the physical communication segment.
2. Attacker intercepts and modifies traffic going to/from MySQL Cluster nodes.
3. Victim admin or user interacts with the cluster (maybe restarts a node, or checks logs).
4. Malicious payload executes due to tampered traffic, allowing attacker to escalate privileges or gain complete control.

Example Exploit Concept (Code Snippet)

The vulnerability centers around network-level tampering. Here's a simplified Python code snippet that shows how a privileged attacker might manipulate cluster traffic using scapy to inject malicious packets.

> Warning:
> This snippet is for educational illustration only. Never run or use for unethical purposes.

```python
# Pseudo-Exploit: Packet Injection on MySQL Cluster Segment
from scapy.all import *

# Replace with real IP addresses of cluster nodes
SRC_IP = "10...10"
DST_IP = "10...11"
PORT = 1186  # Default NDB Cluster port

# Malicious payload that could trigger unexpected code path
malicious_payload = b"FAKE_CLUSTER_MSG;DROP DATABASE mysql;--"

# Craft the packet as if it comes from another node
packet = IP(src=SRC_IP, dst=DST_IP) / TCP(sport=PORT, dport=PORT) / Raw(load=malicious_payload)

# Send the crafted packet to the victim node
send(packet, count=1)

print("Malicious payload sent to MySQL Cluster node.")
```

- The code creates an IP packet pretending to be from one cluster node to another.
- The payload is fake—an attacker could inject anything recognizable to the cluster protocol to exploit deserialization, memory corruption, or command execution bugs.
- Requires the attacker to have access to the underlying segment and knowledge of the cluster's setup.

Why Is This Exploit Challenging?

- Needs privileged access: The attacker must be on the same network segment and have strong rights—usually insider access.
- Human interaction needed: A legitimate user must do something, which makes mass exploitation unlikely, but targeted attacks possible.
- Cluster-specific: The exploit depends on intimate knowledge of cluster communication and possibly custom protocol packets.

Official Advisory:

Oracle Critical Patch Update Advisory - April 2022

Vulnerability detail (Oracle):

NVD - CVE-2022-21490

MySQL Release Notes:

MySQL Cluster Release Notes

1. Upgrade: If your cluster is on any of the affected versions listed above, upgrade as soon as possible.
2. Segment security: Limit physical and network access to MySQL Cluster communication segments.
3. Network monitoring: Use intrusion detection to watch for abnormal packet injections or cluster node behaviors.
4. Training: Make sure admins know not to interact with clusters from untrusted networks/devices.

Stay safe, stay patched, and monitor your clusters!

*If you found this post helpful or want deep dives on database security, let me know below. For up-to-date security info, always start with official vendor advisories.*

References

- Oracle CPU April 2022 - CVE-2022-21490
- NVD - CVE-2022-21490
- MySQL Cluster Documentation

Timeline

Published on: 04/19/2022 21:15:00 UTC
Last modified on: 05/10/2022 17:47:00 UTC