CVE-2022-21351 Overview
CVE-2022-21351 is a vulnerability in the MySQL Server product of Oracle MySQL, specifically affecting the Server: Optimizer component. This easily exploitable vulnerability allows a low-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of MySQL Server, as well as unauthorized update, insert, or delete access to some of MySQL Server's accessible data.
Critical Impact
Attackers with low-level network access can trigger complete Denial of Service conditions and gain unauthorized data modification capabilities on affected MySQL Server deployments.
Affected Products
- Oracle MySQL 8.0.27 and prior versions
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
Discovery Timeline
- 2022-01-19 - CVE-2022-21351 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21351
Vulnerability Analysis
This vulnerability resides in the Optimizer component of MySQL Server, which is responsible for query optimization and execution planning. The flaw can be exploited by authenticated users with minimal privileges to disrupt database availability and integrity. The vulnerability has both availability and integrity impacts, meaning attackers can not only crash the database service but also manipulate data in unauthorized ways.
The attack requires network access but does not require user interaction, making it suitable for automated exploitation once an attacker has obtained low-level credentials to the MySQL server. The vulnerability affects the stability of the query optimization process, which can be triggered through specially crafted queries or inputs processed by the Optimizer.
Root Cause
The root cause lies within the MySQL Server Optimizer component's handling of certain operations. While Oracle has not disclosed specific technical details about the underlying flaw, the vulnerability classification indicates improper handling that leads to both availability disruption (crashes and hangs) and data integrity issues (unauthorized data modification). The Optimizer component is particularly sensitive since it processes and transforms queries before execution, making flaws in this area potentially impactful across various database operations.
Attack Vector
The attack vector is network-based, allowing exploitation through multiple protocols supported by MySQL Server. An attacker needs only low-level privileges—typically basic authentication credentials—to initiate the attack. The vulnerability can be exploited without any user interaction, and the attack does not change scope (remains contained within MySQL Server context).
Exploitation involves sending malicious requests through network protocols that MySQL Server supports. The Optimizer component processes these requests in a way that triggers either a denial of service condition (hang or crash) or allows unauthorized data manipulation. The low attack complexity indicates that exploitation is straightforward once the attacker has established network access and basic authentication.
Detection Methods for CVE-2022-21351
Indicators of Compromise
- Unexpected MySQL Server crashes or hangs, particularly during query optimization phases
- Unusual authentication attempts or connections from unexpected sources with low-privileged credentials
- Abnormal query patterns or execution times indicating potential exploitation attempts
- Unauthorized data modifications in MySQL Server tables without corresponding legitimate user activity
Detection Strategies
- Monitor MySQL error logs for repeated crash events or optimizer-related errors
- Implement database activity monitoring to detect unusual query patterns targeting the Optimizer
- Review authentication logs for suspicious low-privileged account access patterns
- Deploy network intrusion detection rules to identify potential MySQL exploitation traffic
Monitoring Recommendations
- Enable MySQL query logging and analyze for anomalous optimizer behavior
- Configure alerts for MySQL service interruptions and automatic restart events
- Monitor database integrity through regular checksum comparisons of critical tables
- Implement real-time monitoring of MySQL connection patterns and authentication failures
How to Mitigate CVE-2022-21351
Immediate Actions Required
- Upgrade Oracle MySQL Server to a version newer than 8.0.27 as soon as possible
- Review and restrict network access to MySQL Server to trusted hosts only
- Audit and minimize low-privileged user accounts that have network access to the database
- Implement network segmentation to limit exposure of MySQL services
Patch Information
Oracle has addressed this vulnerability in their January 2022 Critical Patch Update. Administrators should apply the security patches available through the Oracle Security Alert January 2022. For NetApp products that bundle MySQL, refer to the NetApp Security Advisory for specific guidance on affected versions and available updates.
Workarounds
- Restrict MySQL Server network access using firewall rules to allow only trusted IP addresses
- Review and reduce privileges for database accounts that do not require elevated access
- Implement connection rate limiting to mitigate potential denial of service attempts
- Consider deploying MySQL Proxy or connection pooling solutions that can filter suspicious queries
# Configuration example - Restrict MySQL network binding
# Edit my.cnf or my.ini configuration file
[mysqld]
# Bind to specific trusted interface instead of all interfaces
bind-address = 127.0.0.1
# Limit connections per user account
max_user_connections = 10
# Enable general query log for monitoring (performance impact - use temporarily)
general_log = 1
general_log_file = /var/log/mysql/mysql-query.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
