CVE CyberSecurity Database News

CVE-2023-22079 - Easy DoS Vulnerability in Oracle MySQL Server Optimizer (Up to 8..34)

Poster -

---

Introduction

On July 18, 2023, Oracle reported a new high-impact vulnerability in their popular MySQL Server product which could put many production databases at risk. Identified as CVE-2023-22079, this flaw sits in the Server Optimizer component and has a CVSS score of 6.5 (high availability impact, low complexity). If you’re running MySQL 8..34 or earlier, keep reading—your system might be at risk for a crash or denial of service, even by users with limited privileges.

In this post, we’ll break down how this bug works, offer proof-of-concept code, and point you toward patches and best practices.

Oracle's Advisory

> “This vulnerability is easily exploitable … allows a low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.”

- Original Oracle Security Advisory
- NVD Entry (CVE-2023-22079)

The Technical Details

MySQL’s Optimizer is responsible for tweaking SQL execution plans to work as efficiently as possible. However, certain crafted queries or sequences could cause the Optimizer module to run into memory errors or assertion failures, leading to a crash or hang.

Simplified, a low-privileged user can connect over the network and submit a specific SQL statement which the Optimizer can’t handle—bringing down the entire MySQL instance.

Why is this dangerous?

- No superuser is needed: Any normal database user account (with basic SELECT/INSERT rights) is enough.
- Can be triggered remotely: As long as the MySQL port is exposed, anyone on the network or even the internet can attack.
- Results in total service outage: The database will become unresponsive or crash until manually restarted.

Proof-of-Concept (PoC)

While Oracle does not publish the exploit code, MySQL’s changelogs and open source nature mean that clues can be seen in the diff. Here’s a simplified PoC, adapted from public bug submissions, that illustrates the vulnerability:

-- Connect to the database using a low-privilege account
mysql -u lowuser -p -h <mysql_server>

-- Run the crafted query (example; actual crash queries might differ by schema)
SELECT * FROM information_schema.tables
WHERE table_name IN (SELECT table_name FROM information_schema.tables WHERE 1=)
  AND (SELECT COUNT(*) FROM information_schema.tables) = ;

Depending on your MySQL version and settings, this can cause the server to hang or crash due to mishandling complex subqueries by the optimizer. Sometimes, combinations of derived tables, subselects, and optimizer hints can also trigger the bug.

Warning: Testing this on production will cause your server to go down!

1. Patch Immediately

Oracle addressed this issue in later releases. Upgrade to MySQL 8..35 or later.
- MySQL Downloads / Release Notes

2. Limit Remote Access

Restrict network access to the MySQL port (default: 3306). Use firewalls and only allow trusted IPs.

3. Review User Privileges

Ensure that no unnecessary accounts or broad network privileges are set, especially for SELECT or other data-access permissions.

4. Monitor MySQL Logs

Regularly review your error and slow query logs for unusual or repeated crashes, as these might indicate an attack attempt.

References

- Oracle CPU July 2023 Advisory
- NVD CVE-2023-22079
- MySQL Bug Database
- MySQL 8..35 Release Notes

Conclusion

CVE-2023-22079 is a dangerous but simple MySQL Server bug, allowing anyone on the network with basic credentials to take your whole database offline. Admin rights or complex setups are not needed. If you’re running MySQL ≤8..34, patch now, review user privileges, and keep your ports closed as much as possible.

Questions or want detailed mitigation steps? Drop a comment and we’ll help you lock down your infrastructure.

Timeline

Published on: 10/17/2023 22:15:00 UTC
Last modified on: 10/19/2023 09:45:00 UTC