CVE-2022-21367 Overview
CVE-2022-21367 is a vulnerability affecting the MySQL Server product of Oracle MySQL, specifically within the Server: Compiling component. This security flaw allows a highly privileged attacker with network access to compromise MySQL Server through multiple protocols, potentially causing complete denial of service conditions and unauthorized data modification.
Critical Impact
Successful exploitation enables attackers to cause persistent crashes or hangs of MySQL Server (complete DoS), along with unauthorized modification of MySQL Server accessible data.
Affected Products
- Oracle MySQL versions 5.7.36 and prior
- Oracle MySQL versions 8.0.27 and prior
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
Discovery Timeline
- 2022-01-19 - CVE-2022-21367 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21367
Vulnerability Analysis
This vulnerability resides in the Server: Compiling component of Oracle MySQL Server. The flaw is characterized as easily exploitable, meaning that once an attacker has obtained high-level privileges, the technical barrier to exploitation is relatively low. The vulnerability impacts both the integrity and availability of the MySQL Server, allowing attackers to manipulate data and disrupt database operations.
The attack can be executed over the network through multiple protocols supported by MySQL, expanding the potential attack surface. While confidentiality is not directly impacted, the combination of data manipulation capabilities and denial of service conditions represents a significant threat to database operations and data integrity.
Root Cause
The vulnerability stems from improper handling within the MySQL Server's compilation component. While Oracle has not disclosed specific technical details about the underlying flaw (classified as NVD-CWE-noinfo), the nature of the vulnerability suggests issues in how the server processes certain compilation-related operations when accessed by privileged users over the network.
Attack Vector
The attack requires network access and high privileges on the MySQL Server. An authenticated attacker with administrative or elevated database privileges can send specially crafted requests through any of MySQL's supported network protocols. The vulnerability does not require user interaction, meaning exploitation can occur without any action from legitimate users.
The attacker can leverage this flaw to trigger repeated crashes or hangs in the MySQL Server process, effectively creating a denial of service condition. Additionally, the vulnerability permits unauthorized modification of certain data accessible through the MySQL Server, potentially compromising data integrity.
Detection Methods for CVE-2022-21367
Indicators of Compromise
- Unexpected MySQL Server crashes or service interruptions with frequent restart cycles
- Unusual compilation-related errors in MySQL error logs from privileged sessions
- Unexplained data modifications in MySQL databases without corresponding legitimate activity
- Abnormal network traffic patterns targeting MySQL ports from authenticated sessions
Detection Strategies
- Monitor MySQL error logs for repeated crash events and compilation component errors
- Implement database activity monitoring to track privileged user actions and detect anomalous behavior
- Configure alerting for MySQL service availability issues and unexpected restarts
- Audit privileged account activity for suspicious database operations
Monitoring Recommendations
- Enable comprehensive MySQL audit logging to capture all privileged operations
- Deploy network monitoring to detect unusual traffic patterns to MySQL Server instances
- Implement automated health checks for MySQL service availability
- Configure SIEM rules to correlate MySQL crash events with privileged user sessions
How to Mitigate CVE-2022-21367
Immediate Actions Required
- Apply Oracle's January 2022 Critical Patch Update to affected MySQL Server instances
- Review and restrict high-privilege access to MySQL Server to essential personnel only
- Implement network segmentation to limit exposure of MySQL Server instances
- Enable enhanced logging and monitoring on affected systems during the patch deployment window
Patch Information
Oracle has addressed this vulnerability in the Oracle Critical Patch Update January 2022. Organizations should upgrade MySQL Server to versions later than 5.7.36 for the 5.7.x branch or versions later than 8.0.27 for the 8.0.x branch. NetApp customers should refer to the NetApp Security Advisory NTAP-20220121-0008 for guidance on affected OnCommand products.
Workarounds
- Restrict network access to MySQL Server using firewall rules and access control lists
- Minimize the number of accounts with high privileges on MySQL Server
- Implement connection rate limiting to reduce the impact of potential DoS attempts
- Consider deploying MySQL behind a database proxy for additional access control
# Configuration example - Restrict MySQL network access
# Edit MySQL configuration file (my.cnf or my.ini)
[mysqld]
bind-address = 127.0.0.1
# Or specify trusted network interface only
# bind-address = 10.0.0.5
# Verify privileged users and remove unnecessary accounts
# mysql -u root -p -e "SELECT user, host FROM mysql.user WHERE Super_priv='Y';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
