CVE-2017-3329 in MySQL Server

Summary

by MITRE

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Thread Pooling). Supported versions that are affected are 5.5.54 and earlier, 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable" vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Analysis

by VulDB Data Team • 12/20/2020

The vulnerability identified as CVE-2017-3329 resides within the MySQL Server component, specifically within the Server: Thread Pooling subcomponent of Oracle MySQL installations. This flaw affects multiple version ranges including 5.5.54 and earlier, 5.6.35 and earlier, and 5.7.17 and earlier versions, making it a widespread concern across the MySQL ecosystem. The vulnerability's classification as easily exploitable indicates that attackers require minimal prerequisites to leverage this weakness, needing only network access through multiple protocols without requiring authentication credentials. This accessibility significantly broadens the attack surface and increases the likelihood of successful exploitation in real-world scenarios.

The technical nature of this vulnerability stems from improper handling within the thread pooling mechanism of MySQL Server, which governs how concurrent connections are managed and processed. When exploited, the flaw allows an unauthenticated attacker to send specially crafted network requests that trigger a condition causing the MySQL server to enter a state of hang or experience frequent, repeatable crashes. This behavior effectively results in a complete denial of service condition where legitimate users cannot access the database services. The underlying mechanism likely involves memory corruption or resource exhaustion within the thread management subsystem, though the specific technical details of the code flaw remain implementation-specific.

From an operational impact perspective, this vulnerability poses a significant threat to database availability and system reliability. The complete denial of service condition can disrupt business operations, particularly in environments where MySQL databases serve critical applications and services. Organizations may experience extended downtime, service degradation, and potential data access interruptions that could cascade into broader operational failures. The repeatable nature of the crash means that attackers can reliably trigger the vulnerability multiple times, making it a persistent threat that cannot be easily mitigated through simple restarts or temporary workarounds.

The CVSS 3.0 scoring of 7.5 reflects the severity of this vulnerability with a base score indicating high impact, particularly in the availability domain. The vector breakdown shows AV:N (network access required), AC:L (low attack complexity), PR:N (no privileges required), and UI:N (no user interaction needed), which collectively demonstrate that this vulnerability can be exploited by anyone with network connectivity to the affected system. The availability impact score of A:H indicates that the vulnerability can cause high-level disruption to services. This vulnerability aligns with CWE-121, which covers stack-based buffer overflow conditions, and could potentially map to ATT&CK technique T1499.004 for network denial of service attacks.

Organizations should prioritize immediate patching of affected systems, implement network segmentation to limit exposure, and consider monitoring for suspicious network traffic patterns that might indicate exploitation attempts. The vulnerability demonstrates the critical importance of maintaining up-to-date database software and implementing proper network access controls to prevent unauthorized access to database services.
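To support the patch prioritization recommended above, here is an added example (not part of the VulDB entry or of Oracle's advisory) that classifies MySQL version strings against the affected ranges given in the summary. The hostnames, version strings and status labels are constructed for illustration, and treating MariaDB-branded strings as outside the advisory's scope is an assumption.

```python
import re

# Last affected release per supported series, as listed in the CVE summary.
LAST_AFFECTED = {(5, 5): 54, (5, 6): 35, (5, 7): 17}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from strings like '5.7.17-log', else None."""
    m = _VERSION_RE.match(banner or "")
    return tuple(int(p) for p in m.groups()) if m else None


def triage(banner):
    """Classify one version string: 'affected', 'not-affected',
    'not-listed' (series the advisory does not mention) or 'unparsed'."""
    if "mariadb" in (banner or "").lower():
        # Assumption: the advisory names Oracle MySQL only, so MariaDB
        # strings such as '5.5.5-10.1.26-MariaDB' go to manual review
        # instead of being matched as MySQL 5.5.5.
        return "not-listed"
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    major, minor, patch = version
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "not-listed"
    return "affected" if patch <= last else "not-affected"


def triage_inventory(inventory):
    """Map {host: version string} to {status: [hosts]}, hosts in sorted order."""
    report = {}
    for host, banner in sorted(inventory.items()):
        report.setdefault(triage(banner), []).append(host)
    return report


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = {
    "db-01": "5.5.54-log", "db-02": "5.6.36",
    "db-03": "5.7.17-0ubuntu0.16.04.1", "db-04": "5.7.18",
    "db-05": "8.0.11", "db-06": "5.5.5-10.1.26-MariaDB", "db-07": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as not-listed or unparsed need manual review, since the summary only enumerates supported series.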

Reservation: 12/06/2016
Disclosure: 04/24/2017
Moderation: accepted
CPE: ready
EPSS: 0.02630
KEV: no
Activities: very low
