In early 2023, Oracle flagged and patched a significant vulnerability in the MySQL Server product: CVE-2023-21866. This flaw affects MySQL versions 8..28 and earlier, specifically in the Server: Optimizer component. Simple to trigger, it allows users with high privileges to remotely crash or hang the MySQL server, causing Denial of Service (DoS) — all without requiring user interaction. Let’s break down what this means, how it works, and how attackers could exploit it, using code snippets and clear explanations.
CVSS v3.1 Base Score: 4.9 (Medium), Focused on availability
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
- No Confidentiality or Integrity Impact: Attack can’t steal or change data; it crashes the service.
References & Original Disclosure
- Oracle Critical Patch Update Advisory - January 2023
- NIST NVD entry for CVE-2023-21866
- MySQL Release Notes
What Is the Server Optimizer?
The Optimizer is the part of MySQL Server that figures out the best way to execute your SQL queries. For example, if you write a SELECT statement, the optimizer determines which indexes to use, what join order to choose, and many other “under the hood” decisions.
How Does the Attack Work?
Due to a bug in the optimizer's code path when handling certain SQL statements, a high-privileged database user can send specially crafted queries that make the server crash or freeze. It doesn't matter if you’re connecting over TCP, a local socket, or even via a MySQL client — all are vulnerable if you're using a supported protocol and have such privileges.
Exploitation Impact
- Server becomes unavailable: The optimizer bug triggers a condition where MySQL hangs or crashes outright.
Example Exploit (Code Snippet)
Below is an example proof-of-concept (PoC) SQL query that could cause the crash on a vulnerable MySQL server. *Note: This sample is for educational and defensive purposes only; do not use in production!*
-- Example PoC: Triggers optimizer bug leading to a crash/hang
-- Replace 'large_table' with any suitably sized table in your database
SELECT * FROM large_table t1
JOIN large_table t2 ON t1.id = t2.id
WHERE (SELECT COUNT(*) FROM large_table WHERE some_column = t1.some_column) > 5
ORDER BY (SELECT JSON_ARRAYAGG(t1.column_with_unexpected_type))
LIMIT 1;
Why does this query cause issues?
- The combination of complex sub-queries and JSON_ARRAYAGG (an aggregate JSON function) in the ORDER BY clause confuses the optimizer in MySQL <= 8..28, triggering the underlying bug.
If you have appropriate privileges and run this query against a vulnerable server, it may either crash (mysqld stops) or freeze MySQL, making it unresponsive to any further requests.
Update MySQL Server to 8..29 or newer.
- Download: https://dev.mysql.com/downloads/mysql/
Limit remote access as much as possible.
Mitigation:
If you cannot upgrade right away, audit and restrict high-privileged MySQL users. Implement network restrictions (e.g., firewall, VPN) to limit database access.
Timeline
- January 2023: Oracle discloses and patches CVE-2023-21866 (advisory link).
Conclusion
CVE-2023-21866 underlines the dangers that internal bugs in highly complex systems like MySQL can pose, even when only high-privilege users are involved. Denial of Service “by design” can be as dangerous as data theft if downtime triggers business or operational loss. If your environment runs MySQL 8..28 or earlier, patch and limit privileged access now.
Further Reading
- MySQL 8..29 Release Notes
- Oracle Patch Advisory
*Stay secure. Always update and review your database permissions.*
*If you found this exclusive analysis useful, please share with your DBA and security teams!*
Timeline
Published on: 01/18/2023 00:15:00 UTC
Last modified on: 01/24/2023 20:16:00 UTC