In July 2023, Oracle published a security advisory regarding CVE-2023-22078, a denial-of-service (DoS) vulnerability in MySQL Server, specifically within the Optimizer component. This flaw affects MySQL versions 8..34 and earlier as well as 8.1.. With a CVSS 3.1 Base Score of 4.9, it’s not the most critical, but it's still important to be aware of, especially if you manage MySQL infrastructure.

User Interaction: None

- CVSS Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

References:

- Oracle Critical Patch Update Advisory - July 2023
- NVD Detail CVE-2023-22078

What Does This Vulnerability Do?

CVE-2023-22078 exists in the Optimizer part of MySQL Server. The optimizer is the brain behind how your queries are planned and executed for best performance.

This vulnerability allows a highly privileged user (like one with database SUPER, PROCESS, or ALL PRIVILEGES) who can connect to your MySQL Server over the network to send a crafted SQL query or sequence that will trigger a hang or a crash. This causes a full denial of service—no one can process queries until the server is restarted.

*There is no risk of data being read or changed by an unauthorized user, but it’s a classic DoS: taking out the whole database with one hit.*

You run MySQL 8..34 or older, or 8.1. (community or enterprise).

- You allow users with high privileges (like dbas, or certain applications) to run queries over the network.

This does not affect older MySQL versions or MariaDB, nor does it allow a low-privilege or unauthenticated user to crash the server—attackers must already have admin-type access to the database.

How the Attack Works

The issue is in query parsing or execution inside the optimizer. A privileged user submits a special query that confuses the optimizer, leading to infinite loops, assertion failures, or resource exhaustion (crash or hang).

Oracle hasn’t published detailed PoC steps, but based on common patterns and public advisories, you might see something like:

Code Example (Pseudo-PoC)

> Note: This is a simplified illustration—not an actual working exploit, but demonstrates the kind of logic that could be involved.

-- Assume user is authenticated with full privileges
USE testdb;

-- This type of malformed query targets optimizer weaknesses
SELECT * FROM (
    SELECT a.* 
    FROM big_table AS a 
    JOIN big_table AS b ON a.id = b.id
    WHERE a.status = 'active'
    ORDER BY CASE WHEN a.value >  THEN b.value ELSE a.value END
    LIMIT 100000000
) AS subquery_with_edge_case;

- Why does it work?: The deeply nested and complex ORDER BY with subqueries can sometimes reveal optimizer bugs. In affected versions, a more devious formulation could lead to an assertion failure, throwing the MySQL process into a crash or infinite loop.
- In real cases, attackers might further fuzz query parameters or use EXPLAIN/ANALYZE to overload the optimizer engine specifically.

Result: MySQL becomes unresponsive or exits, requiring a manual restart.

When exploited, the server log might show

/usr/sbin/mysqld: Assertion `some_optimizer_assertion_failed' failed.
mysqld: [ERROR] mysqld got signal 6;
[ERROR] Aborting

Or:

[Warning] Timeout waiting for query cache lock
[ERROR] Unexpected server exit: Query optimizer hang

1. Patch Immediately

Upgrade to MySQL 8..35 or later, or the fixed version in the 8.1.x series (as released by Oracle). Download fresh releases here:

- Oracle MySQL Downloads

- Oracle Advisory: Oracle CPU July 2023 (Find CVE-2023-22078 in the long table)
- NIST CVE Record: NVD CVE-2023-22078
- MySQL Release Notes: MySQL 8. Release Notes

Final Thoughts

CVE-2023-22078 is a reminder that even trusted internal admin tools can become accidental attack surfaces. While this bug needs a “high privilege” attacker already inside your system, the impact—completely locking up or crashing the whole MySQL instance—is severe from an availability perspective.

Patch as soon as possible and check your user privileges. Even trusted admins can make mistakes, and automated attack tools sometimes exploit these bugs when they go public.

For a technical deep dive and future PoCs, watch the Percona and oss-security mailing lists and security blogs.

Timeline

Published on: 10/17/2023 22:15:00 UTC
Last modified on: 10/27/2023 15:15:00 UTC