CVE-2021-35644 in MySQL Serverinfo

Summary

by MITRE • 10/20/2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2021-35644 represents a significant availability risk within Oracle MySQL Server's optimizer component, affecting versions 8.0.26 and earlier. This flaw resides in the server's query optimization logic and specifically targets high-privileged attackers who can establish network connections to the MySQL service. The vulnerability's classification as easily exploitable indicates that attackers with minimal technical barriers can leverage this weakness, making it particularly dangerous in environments where MySQL servers are accessible over networks. The attack vector requires network access through multiple protocols, suggesting that various connection methods such as TCP/IP, Unix sockets, or named pipes could potentially be exploited. The CVSS base score of 4.9 reflects the moderate severity of the availability impact, though the potential for complete denial of service makes this vulnerability particularly concerning for production environments where database availability is critical.

The technical nature of this vulnerability stems from improper handling within the MySQL Server's optimizer module, which is responsible for determining the most efficient execution plan for database queries. When exploited, the vulnerability allows an attacker with high privileges to craft specific queries or operations that trigger a condition leading to server hang or repeated crashes. This behavior constitutes a complete denial of service scenario where legitimate users cannot access the database services, effectively rendering the MySQL server unusable. The vulnerability's impact is particularly severe because it affects the core server functionality rather than individual database objects or user accounts. The fact that this vulnerability requires high privilege access indicates that it likely involves operations that can manipulate internal server state or execution paths, potentially through malformed SQL statements or specific query patterns that cause the optimizer to enter an unstable state. The repeated crash behavior suggests that once triggered, the server may not recover automatically without manual intervention, requiring system administrators to restart services and potentially restore from backups.

The operational impact of CVE-2021-35644 extends beyond simple service disruption to potentially affect business continuity and data availability. Organizations running affected MySQL versions face the risk of extended downtime, especially if they lack automated monitoring and recovery mechanisms. The vulnerability's requirement for high-privileged access means that it is typically not exploited by casual attackers but rather by insiders or attackers who have already gained administrative access to MySQL accounts. This makes the vulnerability particularly dangerous in environments where multiple administrators have elevated privileges, as any compromised account with sufficient permissions could be used to exploit this weakness. The availability impact of this vulnerability aligns with CWE-400, which covers unspecified errors in resource management, and the specific behavior of causing server hangs or crashes directly relates to CWE-119, which deals with improper access to memory locations. From an ATT&CK framework perspective, this vulnerability could be leveraged under the T1499.004 technique for network denial of service attacks, potentially as part of broader compromise operations where attackers seek to disrupt services and create confusion during active breaches.

Mitigation strategies for CVE-2021-35644 should prioritize immediate patching of affected MySQL Server installations to version 8.0.27 or later, which contains the necessary fixes for this vulnerability. Organizations should also implement network segmentation to limit access to MySQL services, ensuring that only authorized systems can connect to database servers. Access controls must be strictly enforced, with privilege levels carefully managed and regularly audited to prevent unauthorized high-privileged access. Additionally, implementing monitoring solutions that can detect unusual server behavior or repeated crashes can help identify exploitation attempts before they cause significant disruption. Database administrators should consider implementing connection throttling and query timeout mechanisms to limit the impact of potential exploitation attempts. Regular vulnerability assessments and penetration testing should be conducted to identify similar weaknesses in database configurations. The vulnerability's classification as a high-privilege requirement means that organizations should focus on reducing the number of accounts with elevated privileges and implementing the principle of least privilege across all database access points. System administrators should also prepare incident response procedures specifically addressing database service disruptions, including automated alerting and recovery protocols to minimize downtime when attacks are detected.

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.01883

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!