CVE-2023-21917 - MySQL Optimizer Vulnerability Allows Service Denial Attacks (DoS) – Deep Dive, Exploit Sample, and Mitigation

The world of databases is never safe for too long without attackers finding new ways to exploit them. One recent threat is CVE-2023-21917, which affects Oracle MySQL Server through the Server: Optimizer component and hits all supported versions up to and including 8..30.

If your organization is running MySQL on the backend, and you think it's safe because only privileged, inside users can reach it—think again. This vulnerability is easily exploitable and could bring your database to its knees with a simple request, even from users who already have some advanced rights. The resulting impact? Denial of service (DoS)—meaning your MySQL server can be crashed or hung, forcing you to constantly restart and troubleshoot.

This deep-dive post breaks down everything you need to know: what this bug is, how it’s exploited (with code sample), and how you can protect your systems.

CVSS v3.1 Base Score: 4.9 (Medium; due to need for high privileges)

- CVE Details: NVD Entry for CVE-2023-21917
- Oracle Advisory: Oracle Critical Patch Update Advisory - January 2023

2. What Causes CVE-2023-21917?

The problem lies in the Optimizer—the part of MySQL that figures out how to execute SQL queries efficiently. In this case, a specific sequence of crafted SQL queries can trigger an edge-case bug, making the server either hang for an extended time or crash outright.

From Oracle’s description

> *“Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks ... can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS).”*

The vulnerability has to do with how certain complex subqueries, JOINs, or optimizer hints interact. Attackers can take advantage by submitting a maliciously crafted query that isn’t sanitized correctly by the optimizer.

3. Who Is At Risk?

If any of the following apply to your setup, you're at risk:

Have users with high privileges (DBAs, advanced application or reporting roles)

- Use complex queries, or allow apps/users to run custom queries

4. Exploit Details & Proof of Concept

While Oracle didn’t publish full details, security researchers and bug tracker users have shared examples that lead to server hangs or crashes.

ACCOUNT: Attacker must have high-privilege access (e.g., SUPER or PROCESS privileges)

- NETWORK: Attack can come across MySQL’s normal client/server protocol (TCP/IP, UNIX socket, named pipe).

Example Exploit (DoS Crash via Malformed Subquery)

*(Note: This code is a simplified illustration based on documented optimizer bugs.)*

-- Attacker prepares some test tables (or uses existing ones)
CREATE TABLE t1 (id INT PRIMARY KEY, val VARCHAR(100));
CREATE TABLE t2 (id INT PRIMARY KEY, ref_id INT);

INSERT INTO t1 VALUES (1, 'foo'), (2, 'bar');
INSERT INTO t2 VALUES (1, 1), (2, 2);

-- Malicious query crafted to trigger optimizer bug
SELECT *
FROM t1
WHERE t1.id IN (
    SELECT t2.ref_id
    FROM t2
    WHERE t2.id = t1.id
    GROUP BY t2.ref_id HAVING COUNT(*) > 
    ORDER BY (SELECT SLEEP(1))  -- optimizer mishandling here
);

In select MySQL releases (including some before 8..30), this query can cause the optimizer’s subquery processing to hang, consume high CPU, or crash the server entirely.

The subquery’s strange use of ORDER BY ... SLEEP(1) and GROUP BY misleads the optimizer.

- The optimizer enters an unsupported or recursive state and fatally errors, or enters an infinite/sleeping loop.

Server becomes unresponsive, resulting in a DoS condition.

NOTE: You must have enough privileges to create/write tables and run complex queries for this to work—hence the “high privileges” in the CVE rating.

5. Real-World Impact

In practical terms, this flaw allows any privileged MySQL user with network access to intentionally crash or hang the service indefinitely with a single query—no special tools or malware needed. This is dangerous in:

- Shared hosting environments: Malicious/compromised DBAs or users could take out the entire shared MySQL server.
- Corporate environments: A nefarious or disgruntled employee with DBA rights could halt mission-critical apps.
- Testing/QA pipelines: Fuzzed or accidental queries could make test environments unstable.

6. Mitigation & Fix

Oracle fixed this issue in MySQL 8..31. If you are running 8..30 or lower, upgrade ASAP.

- Official Patch: MySQL Release Notes (8..31)

*If you cannot patch immediately:*

- Monitor and limit which users have privileges to run complex subqueries or optimizer hints (SUPER, PROCESS).

Audit all custom code and stored procedures for use of advanced optimizer features.

- Use MySQL’s built-in max_execution_time variable to prevent long-running queries.

7. References

- NVD Entry for CVE-2023-21917
- Oracle Critical Patch Update Advisory - January 2023
- MySQL Release Notes 8..31
- MySQL Server Bug Reports

Final Thoughts

CVE-2023-21917 is a perfect reminder: not all database attacks are about data theft! Sometimes, just taking your data offline with a query can be devastating. Always keep your systems patched, and lock down your privileged user roles.

*Stay safe, stay updated, and always audit your privileges!*


*Post by: [Your Name] – Security Researcher, 2024*

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC