CVE CyberSecurity Database News

CVE-2024-21243 - Understanding the MySQL Telemetry Info Leak Vulnerability

Poster -

Summary:
CVE-2024-21243 is a newly disclosed vulnerability in Oracle MySQL Server, specifically in the Telemetry component. This vulnerability affects MySQL versions 8.4.2 and earlier, and 9..1 and earlier. While this bug has a low CVSS 3.1 score of 2.2 (Confidentiality impacts only), it could allow a high privileged attacker to read certain data from the affected MySQL Server over the network. Let’s break it down simply, look at how it works, how someone might exploit it, and what you should do about it.

What is CVE-2024-21243?

This is an information disclosure vulnerability in MySQL Telemetry. Telemetry is a feature that collects usage and internal operation data from your MySQL Server. The vulnerability can be triggered by an attacker with high privileges (like an administrative user) and network access.

CVSS Score: 2.2 (Low)

- CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

How Does the Vulnerability Work?

The bug lives in how Telemetry handles incoming queries and collects data for usage statistics. With sufficient privileges, an attacker can interact with the Telemetry interfaces, causing the server to leak data that should not be exposed, even to authenticated users.

Example Scenario

Suppose you have a DBA (Database Administrator) account, and you connect to the MySQL server. The vulnerability allows your user—via specific protocol requests or crafted queries—to access data from within the telemetry logs or engine, which may not be ordinarily available to user accounts. 

Exploit Details

> Note: This vulnerability is hard to exploit and requires high privileges. It’s not usable by an average hacker or regular database user.

Potential Exploit Code

Suppose the vulnerability is in overexposed telemetry logs, which should not be user readable. Here’s a very rough example for illustration—*NOT an actual exploit* but how a privileged user could probe telemetry data:

-- Assume you are connected as a user with SUPER or ALL privileges
-- This query tries accessing the telemetry logs

SELECT * FROM performance_schema.telemetry_log;

> Warning! The performance_schema.telemetry_log is a hypothetical table for demonstration. The real leakage may be from internal temporary tables or undocumented procedures.

Or, for a more direct example, the vulnerability might allow SELECT-like access to a portion of sensitive data, like so:

-- Accessing what should be protected telemetry configuration
SELECT * FROM information_schema.telemetry_config;

If the displayed data contains fragmentary sensitive details (like dynamic configuration entries or trace logs), an attacker could harvest those.

1. Update MySQL ASAP

Oracle has patched this issue in the July 2024 Critical Patch Update.

Upgrade to MySQL 8.4.3+ or 9..2+ immediately.

- Oracle MySQL Updates
- MySQL 8.4 Release Notes
- MySQL 9. Release Notes

- Oracle Security Advisory for CVE-2024-21243
- NVD Entry for CVE-2024-21243
- MySQL Release Notes
- About MySQL Telemetry

Final Thoughts

While CVE-2024-21243 is not a critical, mass-exploitable flaw, it highlights the necessity to always update, restrict who has high privileges, and audit access closely. Information leaks, however minor, can sometimes be chained with other bugs for more serious attacks. Make sure your MySQL servers aren’t running old, unpatched versions and keep a close eye on who has access to what!

If you’re still running MySQL 8.4.2 or 9..1 or earlier in production, patch now.

Timeline

Published on: 10/15/2024 20:15:13 UTC
Last modified on: 10/16/2024 20:35:41 UTC