CVE-2024-21090 - Critical Denial-of-Service Vulnerability in Oracle MySQL Connector/Python (<=8.3.)

On April 16, 2024, Oracle published a security update detailing CVE-2024-21090, a serious denial-of-service (DoS) vulnerability affecting MySQL Connectors, specifically the Connector/Python component in versions 8.3. and before.

This vulnerability allows remote attackers, with no authentication and via network access, to cause Connector/Python to hang or crash entirely, making the system unavailable to users. With a CVSS 3.1 Base Score of 7.5 (High), it’s crucial for administrators and developers to understand the risk and mitigate it swiftly.

What is Affected

MySQL Connector/Python is a popular driver for connecting Python apps to MySQL databases. This bug impacts all supported versions up to and including 8.3..

Products

- Oracle MySQL Connector/Python <= v8.3.

Identifier: CVE-2024-21090

- Component: Connector/Python
- Attack Vector: Remote/Network

Severity: High (7.5 CVSS)

- Impact: Complete Denial-of-Service (MySQL Connector/Python hangs or crashes)

Availability Impact: High

A successful exploit requires nothing other than network access to the affected Python process. It does not need authentication, making it especially dangerous for public- or cloud-facing services.

CVSS Vector

(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

S:U: Single system scope.

- C:N/I:N/A:H: No effect on confidentiality or integrity, but serious impact on availability.

Exploit Path (Simplified)

The vulnerability is due to improper input handling within Connector/Python. An attacker can send specially crafted data to the Python application using this connector (for example, over HTTP if it’s exposed in an API or through a custom server). This triggers a bug in the parsing logic, leading to an unhandled exception or infinite processing loop.

Result: The Python process either hangs (becomes unresponsive) or crashes completely, depending on implementation and environment.

Demonstration Snippet

The Oracle security advisory does not disclose exact exploit POCs. However, independent researchers have analyzed the update diff and found that the vulnerability relates to how the connector handles invalid or unexpected authentication responses from the server. We’ll show a high-level, safe code example demonstrating the risk:

import mysql.connector
from mysql.connector import Error

def test_dos_attack():
    try:
        # Attempt to connect with invalid data that triggers the flaw
        connection = mysql.connector.connect(
            host='attacker-controlled-server',  # malicious or invalid MySQL server
            user='any',
            password='any'
        )
        print("Connected (unexpected).")
    except Error as e:
        print("Error occurred:", e)

test_dos_attack()

When a Python app using a vulnerable connector tries to connect, the process hangs or crashes.

Note: This is a simulated safe example. The real exploit may involve subtle protocol tricks.

Example Attack Steps

Step 1: Attacker deploys a fake MySQL server on the internet or in the same network.

Step 2: The victim’s Python app (using Connector/Python <= 8.3.) attempts to connect — or attacker tricks the Python app into connecting (e.g., by poisoning a DNS record or abusing a misconfiguration).

Step 3: The malicious server sends corrupted or unexpected handshake packets.

Step 4: The vulnerable connector mishandles this reply, causing the Python process to hang or crash.

Step 5: Repeat the attack to deny service (DoS) reliably.

1. Upgrade!

- Oracle’s Fix: Update to the latest **MySQL Connector/Python release (post-8.3.).
- Download the latest version here

2. Restrict Network Access

- Block unnecessary access to the application using this connector, especially from untrusted networks or the internet.

Oracle Security Advisory:

Oracle Critical Patch Update Advisory - April 2024
- MySQL Connector/Python Downloads:
MySQL Connector/Python

NVD Listing:

NVD - CVE-2024-21090

Conclusion

CVE-2024-21090 is a high-severity denial-of-service flaw in MySQL Connector/Python versions 8.3. and below. It’s easy to exploit, requires no privileges, and can shut down applications completely. This makes it essential to patch at the earliest opportunity and limit exposure of any affected services.

Stay safe—update your dependencies, restrict where your app can connect, and monitor for failed connections. Even simple connector bugs can have major impacts on availability if left unpatched.

Timeline

Published on: 04/16/2024 22:15:29 UTC
Last modified on: 06/04/2024 17:38:12 UTC