CVE-2021-35590 in MySQL Cluster
Summary
by MITRE • 10/20/2021
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/26/2021
The vulnerability identified as CVE-2021-35590 represents a significant security flaw within Oracle MySQL Cluster components that affects multiple version lines including 7.4.33 and earlier, 7.5.23 and earlier, 7.6.19 and earlier, and 8.0.26 and earlier releases. This vulnerability resides within the Cluster: General component of the MySQL Cluster product suite, which serves as the foundational architecture for distributed database operations. The affected versions demonstrate a critical weakness in the cluster's communication protocols and access control mechanisms, particularly when operating in environments where physical network segment access is possible. The vulnerability's classification as difficult to exploit indicates that while the attack vector requires specific conditions and prerequisites, the potential impact is severe enough to warrant immediate attention from security professionals.
The technical nature of this vulnerability stems from insufficient protection mechanisms within the MySQL Cluster's communication infrastructure, allowing high privileged attackers who can access the physical communication segment to potentially compromise the entire cluster environment. This attack requires the adversary to have physical access to the network segment where MySQL Cluster operates, which creates a specific attack surface that differs from traditional network-based exploits. The vulnerability's CVSS 3.1 score of 6.3 reflects the severity of potential impacts across confidentiality, integrity, and availability domains, with the attack vector classified as adjacent network access (AV:A), high complexity (AC:H), and high privilege requirements (PR:H). The requirement for human interaction from someone other than the attacker suggests that the exploit may involve social engineering elements or require specific operational conditions that must be orchestrated by an insider or someone with legitimate access to the system.
The operational impact of successfully exploiting CVE-2021-35590 could result in complete takeover of the MySQL Cluster, effectively granting the attacker full control over the distributed database environment. This compromise would enable unauthorized data access, modification, and deletion operations across all nodes within the cluster, potentially affecting thousands of database transactions and applications dependent on the cluster's availability. The vulnerability's potential to affect multiple version streams simultaneously increases the attack surface and creates widespread exposure across different MySQL Cluster deployments. Organizations running affected versions face significant risk of data breaches, service disruption, and compliance violations that could result in substantial financial and reputational damage.
Organizations should immediately implement mitigation strategies including upgrading to patched versions of MySQL Cluster, implementing network segmentation to limit physical access to cluster nodes, and deploying additional monitoring controls to detect unauthorized access attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and CWE-310 (Cryptographic Issues) categories, reflecting the fundamental flaws in access control mechanisms and potential cryptographic weaknesses within the cluster's communication protocols. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and lateral movement within network segments, potentially enabling attackers to establish persistent access and expand their operational capabilities within the target environment. Security teams must prioritize patch management processes and conduct thorough network access reviews to prevent exploitation attempts that could lead to complete cluster compromise and data loss.