CVE CyberSecurity Database News

CVE-2024-21244 - Deep Dive Into MySQL Server Telemetry Vulnerability (8.4.2/9..1 and Earlier)

Poster -

A new vulnerability has emerged in the MySQL Server product of Oracle MySQL, specifically affecting the Server: Telemetry component. Tracked as CVE-2024-21244, this issue impacts all supported MySQL versions up to 8.4.2 and 9..1. Although the Common Vulnerability Scoring System (CVSS) rates this as a relatively low-severity issue (CVSS 3.1 score: 2.2), the risk should not be underestimated—especially in high-security environments.

This article breaks down CVE-2024-21244 in simple language, explaining how it works, who’s at risk, and what can be done. You'll also find code snippets, demonstration of the possible exploit, and direct links to trusted references, all tailored for those who want a clear and practical understanding.

Impact: Read access to a subset of accessible data (confidentiality impact only)

- CVSS Details: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

What’s Telemetry in MySQL?

Telemetry in MySQL is a component that collects and possibly shares metrics, logs, or other diagnostic data. It’s typically intended to help with:

Usage analytics.

However, improper implementation or configuration can unintentionally expose sensitive information, which seems to be at the heart of CVE-2024-21244.

Who Can Exploit This?

- High Privileged Attacker: The attacker must already have high-level privileges (like a DBA or admin).

Remote Access: Attack can be executed over the network, using normal MySQL protocols.

> Not just anyone can do this. The threat mainly comes from insiders or attackers who’ve already managed to obtain high credentials.

What Can Be Leaked?

- Only a subset of the MySQL data, as available to the compromised account, specific to what’s accessible through telemetry.

Attack Complexity

Exploiting this bug is hard ("AC:H"), most likely requiring specialized knowledge of MySQL internals and how telemetry is implemented or misconfigured.

Example Exploit Scenario

Imagine a user with super privileges connects to MySQL server remotely and interacts with telemetry endpoints. Due to the flaw, they can use crafted queries to gather unauthorized information that should not be exposed via telemetry.

Sample Exploit Code

While Oracle does not publish direct PoC, based on CVE write-ups and telemetry design, a typical approach may look like:

1. Connect to the MySQL Server

import mysql.connector

conn = mysql.connector.connect(
    host="target.mysql.server",
    user="high_priv_user",
    password="SuperSecret!"
)
cursor = conn.cursor()

2. Query Telemetry Tables

Suppose there’s a specific internal table/view mysql.telemetry_logs that incorrectly exposes info:

cursor.execute("SELECT * FROM mysql.telemetry_logs WHERE data_type='sensitive'")
rows = cursor.fetchall()
for row in rows:
    print(row)

3. Extract Exposed Data

Information could include query history, error logs revealing object names or credentials, or diagnostic info.

Note: This is a hypothetical snippet for understanding. The actual table/view and structure depends on your server’s telemetry setup.

Solution

- Upgrade to MySQL: Immediately update to the latest supported version above 8.4.2 and 9..1. This closes the vulnerability as per Oracle’s July 2024 Critical Patch Update.

Temporary Steps

1. Restrict high privileges: Only assign root/admin roles to trusted staff.

Network restrictions: Employ firewalls or network rules to limit database access to trusted IPs.

For further hardening, review Oracle’s Security Best Practices.

References

- Oracle Security Alert for CVE-2024-21244
- CVE Details - CVE-2024-21244
- MySQL Security Practices
- MySQL 8.4.2 Release Notes – Bug Fixes

Conclusion

CVE-2024-21244 highlights an uncommon weakness in the MySQL Server’s telemetry function. While difficult to exploit and requiring high privileges, it still opens the door for information leaks under specific circumstances. The scope is narrow but worth fixing, especially if your organization operates in regulated or sensitive sectors.

Actions:

Stay safe, and keep your database tight!

*If you found this deep dive helpful, consider following the references for more technical details. For urgent fixes, always apply Oracle’s latest patches as soon as possible.*

Timeline

Published on: 10/15/2024 20:15:14 UTC
Last modified on: 10/16/2024 20:35:00 UTC