CVE CyberSecurity Database News

CVE-2023-21945 - Exploiting a Denial-of-Service Vulnerability in MySQL Server’s Optimizer

Poster -

MySQL Server is a core component in millions of applications and websites around the world, trusted by businesses of all sizes for its robustness and scalability. However, no software is immune to bugs, and even widely tested components like MySQL’s Optimizer can have critical vulnerabilities.

In this post, we’ll take an exclusive look at CVE-2023-21945: a denial-of-service bug discovered in the MySQL Server Optimizer affecting Oracle MySQL 8..32 and earlier. We’ll explain the bug in simple terms, demonstrate how the flaw can crash your server with crafted queries, and provide useful resources for further research and patching.

What is CVE-2023-21945?

CVE-2023-21945 is a vulnerability found in the Optimizer component of Oracle MySQL Server (all supported versions up to 8..32). The Optimizer is responsible for deciding the most efficient way to execute SQL queries — it’s a critical part of MySQL’s performance tuning.

A problem here can have wide-reaching effects. In this case, the bug allows an authenticated attacker (one with high privileges) to send a specially crafted SQL statement that causes the MySQL server to hang or crash. The effects? Complete denial-of-service (DoS), meaning the server becomes unusable, potentially impacting all applications that rely on it.

How Does the Vulnerability Work?

The specific flaw exists in how the MySQL Optimizer handles certain complex or malformed query structures. With the right (or wrong) kind of query, it’s possible to send the server into an infinite loop or crash state. This is especially dangerous because it requires no user interaction.

While Oracle did not publish the full technical details (for obvious security reasons), security researchers and some public MySQL bug reports suggest the issue revolves around optimizer cost calculations and improper handling of certain query trees.

Example Exploit Scenario

Let’s look at a simplified example.  
Suppose an attacker has access to the MySQL server with high privileges (e.g., DBA or root-equivalent). They can craft an unusual recursive join query with subqueries or unusual indexes, causing the optimizer to run into a corner case that leads to a crash.

-- Example: Crafted query that triggers the bug (for demonstration)
SELECT t1.id
FROM test_table t1
JOIN (
    SELECT id FROM test_table
    ORDER BY (SELECT COUNT(*) FROM test_table tt WHERE tt.id = t1.id)
) t2 ON t1.id = t2.id;

> Important: This code won’t crash every version of MySQL and may require slightly different queries to trigger the bug, depending on schema and exact server version.

In actual exploits observed on discussions and PoC repositories, attackers often use complex subquery plans, order by expressions, or abuse certain optimizer hints to reach vulnerable code paths.

Proof of Concept (PoC)

Disclaimer:  
The following demonstration is for educational purposes only and should *not* be used to attack any MySQL server you do not own or manage.

Let's say you have this table

CREATE TABLE employees (
  id INT PRIMARY KEY AUTO_INCREMENT,
  name VARCHAR(100)
);

INSERT INTO employees (name)
SELECT CONCAT('User', n)
FROM 
  (SELECT 1 AS n UNION SELECT 2 UNION SELECT 3 UNION SELECT 4 UNION SELECT 5) nums;

A *potential* attack query might look like this (altered so as not to be directly malicious)

SELECT *
FROM employees e1
JOIN employees e2
ON e1.id = (
  SELECT MAX(e3.id)
  FROM employees e3
  WHERE e3.id = e2.id
  ORDER BY (SELECT SLEEP(10))
);

The above query confuses the optimizer with a joined subquery using an in-query function (SLEEP), possibly leading to resource exhaustion, unexpected optimizer state, or, on vulnerable versions, a server hang/crash.

> Note: Actual proof-of-concept queries capable of guaranteed crashes are not published for safety.

Potential Damage:

Server hang (refusing all queries) or crash (service halts or restarts). This can mean all connected applications are down until manual intervention.

While this is *not* a remote unauthenticated attack (like a “worm”), it is very serious in environments where multiple administrators or automated provisioning scripts could be compromised.

Oracle patched this vulnerability in MySQL Server 8..33.

View official Oracle security advisory

Restrict Administrative Access:

Ensure only trusted, necessary accounts have SUPER, DBA, or root-equivalent permissions on MySQL.

Monitor for Unusual Queries:

Use tools like MySQL audit plugins or slow query log to detect abnormal complex queries that could indicate attempts to exploit this class of bug.

More Resources

- Oracle Critical Patch Update Advisory - April 2023
- NVD - CVE-2023-21945
- MySQL 8. Release Notes
- MySQL Optimizer Reference

Conclusion

CVE-2023-21945 may not allow a remote attacker to take over your server, but it is a textbook example of why robust privilege management and regular patching are critical in any database environment. Even minor bugs in core components like the query optimizer can have major operational impacts — from downtime to angry users.

If you’re running MySQL 8..32 or older, upgrade today.

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC