CVE-2022-21595 Overview
CVE-2022-21595 is a denial of service vulnerability in the MySQL Server product of Oracle MySQL, specifically affecting the C API component. This vulnerability allows a high-privileged attacker with network access to cause a complete denial of service condition, resulting in the MySQL Server becoming unresponsive or crashing repeatedly.
Critical Impact
Successful exploitation enables attackers to cause a complete denial of service (DoS) of MySQL Server through a hang or frequently repeatable crash, potentially disrupting critical database operations and dependent applications.
Affected Products
- Oracle MySQL versions 5.7.36 and prior
- Oracle MySQL versions 8.0.27 and prior
- NetApp OnCommand Insight
- NetApp OnCommand Workflow Automation
- MariaDB (multiple versions)
Discovery Timeline
- October 18, 2022 - CVE-2022-21595 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-21595
Vulnerability Analysis
This vulnerability resides in the C API component of MySQL Server. The flaw is characterized as difficult to exploit, requiring network access through multiple protocols. The attack requires high-level privileges to execute, meaning an attacker must already possess administrative or elevated credentials to the MySQL Server instance.
The vulnerability specifically impacts the availability of the database server without affecting confidentiality or integrity of stored data. When successfully exploited, the vulnerability triggers conditions that cause the MySQL Server process to either hang indefinitely or enter a crash loop, resulting in complete service unavailability.
Root Cause
The vulnerability stems from improper handling within the C API component of MySQL Server. While Oracle has not disclosed the specific technical details of the root cause, the vulnerability classification indicates an issue in how the C API processes certain requests or operations when invoked by a privileged user over network protocols. The lack of specific CWE classification (NVD-CWE-noinfo) suggests the exact code-level issue remains undisclosed by the vendor.
Attack Vector
The attack requires network access and can be executed through multiple protocols supported by MySQL Server. The exploitation scenario involves:
- An attacker must first obtain high-privileged access to the MySQL Server instance
- The attacker then sends specially crafted requests through the C API via network protocols
- These requests trigger the vulnerable code path, causing the server to hang or crash
- The attack can be repeated to maintain persistent denial of service
Due to the high privilege requirement and the difficulty of exploitation, this vulnerability is less likely to be exploited in opportunistic attacks. However, it poses a risk in scenarios involving insider threats or compromised administrative accounts.
Detection Methods for CVE-2022-21595
Indicators of Compromise
- Unexpected MySQL Server crashes or restarts without clear operational cause
- Repeated service hangs correlating with specific privileged user sessions
- Anomalous C API activity patterns from high-privileged accounts
- Database availability incidents following administrative network access
Detection Strategies
- Monitor MySQL error logs for unexpected crash signatures and hang conditions
- Implement alerting on unusual patterns of service restarts or availability drops
- Track privileged user activity and correlate with service disruption events
- Deploy network monitoring to identify anomalous protocol usage patterns targeting MySQL services
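As an added example that is not part of the original page, the following Python script illustrates the log-based detection strategies above: it scans constructed MySQL 8.0-style error log lines for crash signatures, flags a crash loop when repeated crashes fall inside a short window, and correlates each crash with privileged sessions opened shortly before it. The log lines, session records, signature patterns and thresholds are all constructed assumptions and should be tuned to the deployment's own log format and audit source.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MySQL 8.0-style error log lines (not a real log).
ERROR_LOG = """\
2022-10-18T09:58:01.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2022-10-18T10:15:30Z UTC - mysqld got signal 11 ;
2022-10-18T10:15:41.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.27) starting as process 4412
2022-10-18T10:17:02Z UTC - mysqld got signal 11 ;
"""

# Constructed privileged-session records (start time, user, client host) as an audit log would record them.
PRIV_SESSIONS = [
    ("2022-10-18T10:15:20Z", "admin", "10.0.5.17"),
    ("2022-10-18T10:16:55Z", "admin", "10.0.5.17"),
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")  # leading ISO-8601 timestamp
CRASH_RE = re.compile(r"mysqld got signal (\d+)")  # crash handler signature (assumed pattern)

def parse_ts(text):
    """Parse the leading timestamp of a log line; fractional seconds are ignored."""
    m = TS_RE.match(text)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None

def find_crashes(log_text):
    """Return (timestamp, signal) for each crash signature found in the error log."""
    out = []
    for line in log_text.splitlines():
        m, ts = CRASH_RE.search(line), parse_ts(line)
        if m and ts:
            out.append((ts, int(m.group(1))))
    return out

def is_crash_loop(crashes, window=timedelta(minutes=5), threshold=2):
    """True if at least `threshold` crashes fall inside one sliding `window`."""
    times = sorted(ts for ts, _ in crashes)
    return any(sum(t - start <= window for t in times[i:]) >= threshold
               for i, start in enumerate(times))

def correlate(crashes, sessions, lookback=timedelta(seconds=60)):
    """Pair each crash with privileged sessions opened within `lookback` before it."""
    return [(c.isoformat(), sig, user, host)
            for c, sig in crashes
            for s_ts, user, host in sessions
            if timedelta(0) <= c - parse_ts(s_ts) <= lookback]

if __name__ == "__main__":
    crashes = find_crashes(ERROR_LOG)
    print("crash loop:", is_crash_loop(crashes))
    for hit in correlate(crashes, PRIV_SESSIONS):
        print("crash preceded by privileged session:", hit)
```

In production the same correlation would read the error log and the audit log plugin output rather than embedded strings, and the window and lookback would be set from a baseline of normal restart frequency.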
Monitoring Recommendations
- Enable comprehensive MySQL audit logging for privileged account activities
- Configure service health monitoring with rapid alerting for MySQL availability issues
- Establish baseline behavior patterns for C API operations to detect anomalies
- Review authentication logs for privileged access from unexpected network locations
How to Mitigate CVE-2022-21595
Immediate Actions Required
- Update Oracle MySQL Server to versions newer than 5.7.36 for the 5.7.x branch or newer than 8.0.27 for the 8.0.x branch
- Review and restrict high-privilege account access to only necessary personnel
- Implement network segmentation to limit attack surface for MySQL Server instances
- Audit existing privileged accounts and remove unnecessary elevated permissions
Patch Information
Oracle has addressed this vulnerability in their October 2022 Critical Patch Update (CPU). Administrators should apply the latest security patches from Oracle as outlined in the Oracle Security Alert CPU October 2022. For NetApp products, refer to the NetApp Security Advisory NTAP-20221028-0013 for specific remediation guidance.
Organizations using affected MariaDB versions should consult MariaDB security advisories for applicable patches addressing this vulnerability in their specific version branches.
Workarounds
- Restrict network access to MySQL Server to trusted networks and hosts only
- Implement strict access controls for high-privileged database accounts
- Enable connection rate limiting to mitigate potential crash loop attacks
- Consider deploying MySQL proxy solutions that can filter and validate C API requests
# Configuration example - Restrict MySQL network access
# Edit the MySQL configuration file (my.cnf or my.ini) and restart mysqld
[mysqld]
# Bind to one trusted interface instead of all interfaces (0.0.0.0 / ::)
bind-address = 192.168.1.100
# Cap concurrent client connections to bound resource exhaustion
max_connections = 100
# Load the connection_control plugin; it delays further connection attempts
# after repeated failed logins (brute-force throttling), not authenticated requests
plugin-load-add = connection_control.so
connection_control_failed_connections_threshold = 3
connection_control_min_connection_delay = 1000
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.