CVE-2021-35594 in MySQL Cluster
Summary
by MITRE • 10/20/2021
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior and 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/26/2021
The vulnerability identified as CVE-2021-35594 represents a significant security flaw within Oracle MySQL Cluster's implementation, specifically affecting multiple version branches including 7.4.33 and earlier, 7.5.23 and earlier, 7.6.19 and earlier, and 8.0.26 and earlier. This vulnerability resides within the Cluster: General component of the MySQL Cluster product, indicating it affects fundamental cluster operations rather than specific subsystems. The classification as a difficult-to-exploit vulnerability suggests that while the attack vector is not trivial, it remains a serious concern for environments where physical network access is possible. The CVSS score of 6.3 indicates a medium to high severity impact, with full scores across confidentiality, integrity, and availability domains, demonstrating the comprehensive nature of potential compromise. The attack vector AV:A (Adjacent network) combined with high attack complexity AC:H and high privileges requirement PR:H indicates that an attacker must have physical access to the network segment where the MySQL Cluster operates and possess elevated privileges within the system.
The technical nature of this vulnerability stems from insufficient security controls in the cluster communication protocols, allowing for potential man-in-the-middle attacks or unauthorized access to cluster operations. The requirement for human interaction UI:R suggests that while automated exploitation may be challenging, social engineering or legitimate user compromise could facilitate successful attacks. The impact of a successful exploitation can result in complete takeover of the MySQL Cluster, which represents a catastrophic outcome for database security. This vulnerability aligns with CWE-287 (Improper Authentication) and potentially CWE-312 (Sensitive Data Exposure) as it allows unauthorized access to cluster operations that could expose sensitive database information and compromise the entire cluster infrastructure. The attack pattern corresponds to techniques described in the MITRE ATT&CK framework under T1078 (Valid Accounts) and T1566 (Phishing for Information) as attackers would need to leverage legitimate access or compromise user credentials to execute successful attacks.
The operational impact of this vulnerability extends beyond simple data compromise to include complete system takeover and potential data destruction. Organizations running affected MySQL Cluster versions face significant risk of unauthorized database access, data manipulation, and service disruption that could affect business continuity. The requirement for high privileged access and physical network segment access means that while the attack surface is limited, the potential damage is severe. Database administrators and security teams must consider this vulnerability in their risk assessment frameworks, particularly in environments where physical security controls may be insufficient or where network segmentation is inadequate. The vulnerability's impact on availability is particularly concerning as cluster takeover could result in complete service outages and data unavailability for extended periods. Organizations should prioritize patch management and security updates to address this vulnerability, as the consequences of exploitation could include regulatory compliance violations, financial losses, and reputational damage. The CVSS vector indicates that while this vulnerability requires specific conditions to exploit successfully, the potential consequences make it a critical priority for remediation in production environments.