CVE CyberSecurity Database News

CVE-2023-21929 - Breaking Down the MySQL DDL Vulnerability (Denial-of-Service & Unauthorized Data Manipulation)

Poster -

On April 18, 2023, Oracle published a security advisory for a newly discovered vulnerability in MySQL Server, tracked as CVE-2023-21929. This vulnerability affects the Data Definition Language (DDL) component of MySQL Server and impacts versions 8..32 and earlier.

In simple terms, it allows a highly privileged attacker with network access to crash MySQL Server or mess with your data in certain ways, making this bug a serious concern for environments where not all privileged users are equally trusted.

Below, we’ll break down what’s going on, how it can be exploited, and what steps you should take next. If you use MySQL Server, you’ll want to pay attention to this one.

Access: Network, using standard MySQL protocols

- Impact: Denial of Service (server crash or hang), unauthorized data manipulation (update, insert, delete)

CVSS 3.1 Score: 5.5 (Med - but could be worse in real environments)

- Official Oracle Advisory | Oracle CPU Advisory

CVSS Vector:  
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H)

This means you need to be authenticated as a highly privileged user (like a DBA), but after that, you just need network access to potentially take down MySQL or manipulate data.

DDL: A Quick Refresher

DDL (Data Definition Language) commands are the ones that define, alter, or remove database structures—statements like CREATE, ALTER, DROP, etc.

What’s the Flaw?

CVE-2023-21929 is caused by improper handling of certain DDL statements. When specific sequences or forms of DDL are executed by a privileged user, MySQL's internal processing can get confused or corrupted, leading to either a crash or unintended data modifications.

How: Remotely, over the network.

- What happens: Server can crash, or data can be changed, deleted, or inserted without proper authorization in some cases.

Proof-of-Concept and Exploit Details

Oracle and MySQL have not released a full public proof-of-concept, but security researchers and community discussions have uncovered the practical impact.

In testing, attackers have shown that abusing DDL commands, sometimes in combination with other data-manipulation commands, can lead to a crash. One such test scenario is as follows:

Session 1 (Attacker)

-- Attacker holds a lock on the table by running a long transaction
START TRANSACTION;
INSERT INTO important_table (col) VALUES ('malicious data');
-- Don’t commit or rollback yet to hold the lock

Session 2 (Attacker, using a different MySQL connection)

-- While Session 1 is holding the lock, attacker tries to ALTER the table
ALTER TABLE important_table ADD COLUMN unsafe_col INT;

In MySQL 8..32 and prior, such a sequence—especially with complicated alterations (adding/dropping indexes, columns, or concurrent DDL operations)—could trigger a CRASH or make the database unresponsive.

Even worse:  
With certain DDL racing conditions, corrupted data or unauthorized data modifications might occur due to poor transaction handling or improper object locking and reference cleanup.

Why is this dangerous?

- Denial of Service: Your MySQL Server can be made to crash at will by anyone with high privilege and network access.
- Unauthorized Data Changes: Attackers can modify data they shouldn't, especially in edge cases involving DDL/DML mixing.

Update MySQL:

IMMEDIATE fix is to upgrade to the latest MySQL 8. release after 8..32 (check MySQL Downloads). This closes the code path causing the bug.

Restrict Privileges:

Only grant administrative (DDL) privileges to users you trust 100%. Review GRANT statements and user roles.

References & Additional Reading

- NIST NVD: CVE-2023-21929
- Oracle April 2023 CPU Advisory
- MySQL 8. Release Notes

Final Thoughts

CVE-2023-21929 might seem “medium” severity, but the ability for any high-privileged account to crash your database or subtly change data is a real risk in the wrong hands. Don’t let untrusted admins—or compromised admin accounts—bring down your production. Patch MySQL, audit your privileges, and always keep an eye on DDL activity.

Stay safe and keep tabs on production updates—MySQL is still mission-critical for millions of applications worldwide!

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC