CVE-2021-35645 in MySQL Server

Summary

by MITRE • 10/20/2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2021-35645 represents a significant availability risk within Oracle MySQL Server's optimizer component, affecting versions 8.0.26 and earlier. This flaw resides in the server's query optimization engine, which is responsible for determining the most efficient execution plan for database queries. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this weakness to disrupt database operations. The CVSS score of 4.9 reflects the moderate severity of the availability impact, with the potential to cause complete denial of service through hangs or repeated crashes of the MySQL server process.

The technical nature of this vulnerability stems from improper handling within the optimizer module when processing specific query patterns. Attackers with elevated privileges can craft malicious queries or manipulate existing query execution paths to trigger memory corruption or resource exhaustion conditions within the optimizer. This type of flaw typically involves buffer overflows, integer underflows, or improper validation of input parameters during query compilation and optimization phases. The vulnerability's impact is particularly concerning because it affects the core database engine functionality, making it difficult to isolate or mitigate without complete service disruption.

Operational implications of this vulnerability extend beyond simple service interruption, as database availability is fundamental to business operations in most enterprise environments. When exploited successfully, the vulnerability can cause MySQL Server to become unresponsive or crash repeatedly, requiring manual intervention for recovery and potentially leading to extended downtime. The high privilege requirement suggests that attackers would need either administrative access to the database or network-level access combined with valid credentials, though the ease of exploitation means that even limited access could prove sufficient. Organizations relying on MySQL for critical applications face significant risk of operational disruption, particularly in environments where database availability is mission-critical.

Mitigation strategies for CVE-2021-35645 primarily involve immediate patching of affected MySQL Server installations to versions 8.0.27 or later, where Oracle has addressed the underlying optimizer flaw. Network segmentation and access controls should be reinforced to limit privileged access to database servers, implementing the principle of least privilege for database accounts and administrative access. Monitoring solutions should be enhanced to detect unusual query patterns or performance degradation that might indicate exploitation attempts. Additionally, implementing database firewalls or query filtering mechanisms can help prevent malicious query execution patterns from reaching the optimizer component. Organizations should also maintain regular backup and recovery procedures to ensure rapid restoration of services in case of successful exploitation. The vulnerability aligns with CWE-121, which addresses stack-based buffer overflow conditions, and may relate to ATT&CK technique T1499.004 for network denial of service attacks. Regular vulnerability assessments and penetration testing should be conducted to identify similar weaknesses in database configurations and access controls.
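Two of the mitigation checks above can be automated: confirming the server is past the 8.0.27 fix, and finding accounts that satisfy the advisory's preconditions of high privilege plus network access. The following is an added example, not VulDB's or Oracle's code; it parses the strings SELECT VERSION() returns and triages user/host/grant rows of the kind read from mysql.user. Assumptions: the affected range "8.0.26 and prior" is read as the 8.0 line only, and the HIGH_PRIVS set, LOCAL_HOSTS and all sample rows are constructed for illustration.

```python
import re
from typing import FrozenSet, Iterable, List, NamedTuple, Tuple

# Advisory facts: 8.0.26 and prior are affected, 8.0.27 carries the fix.
# Assumption: that range is read as the 8.0 release line only.
FIXED_IN = (8, 0, 27)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Local-only hosts do not meet the advisory's "network access" precondition.
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})
# Assumption: these global grants are what "high privileged" (PR:H) means here.
HIGH_PRIVS = frozenset({"ALL PRIVILEGES", "SUPER", "SYSTEM_VARIABLES_ADMIN"})

def parse_version(version_string: str) -> Tuple[int, int, int]:
    """(major, minor, patch) from a SELECT VERSION() string; build suffixes
    such as '-0ubuntu0.20.04.2' or '-commercial' are ignored."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version: {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def is_affected(version_string: str) -> bool:
    """True for an 8.0.x build older than the fixed release."""
    major, minor, patch = parse_version(version_string)
    return (major, minor) == FIXED_IN[:2] and patch < FIXED_IN[2]

class Account(NamedTuple):
    user: str
    host: str                   # host pattern as stored in mysql.user
    privileges: FrozenSet[str]  # global privilege names as shown by SHOW GRANTS

def remote_high_privileged(accounts: Iterable[Account]) -> List[Account]:
    """Accounts meeting both preconditions: high privilege and a non-local host."""
    return [a for a in accounts
            if a.privileges & HIGH_PRIVS and a.host not in LOCAL_HOSTS]

# Constructed sample inputs standing in for VERSION() output and mysql.user rows.
SAMPLE_VERSIONS = ["8.0.26-0ubuntu0.20.04.2", "8.0.27", "8.0.19-commercial", "5.7.35"]
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", frozenset({"ALL PRIVILEGES"})),
    Account("dba", "%", frozenset({"SUPER", "SELECT"})),
    Account("app", "10.0.0.%", frozenset({"SELECT", "INSERT"})),
]

def triage() -> Tuple[List[str], List[str]]:
    """Versions still needing the 8.0.27 patch, and accounts to scope down."""
    return ([v for v in SAMPLE_VERSIONS if is_affected(v)],
            [f"{a.user}@{a.host}" for a in remote_high_privileged(SAMPLE_ACCOUNTS)])
```

Feed real VERSION() output and a SELECT of user, host and granted privileges from mysql.user into the same functions; accounts the triage lists are candidates for narrower host patterns or reduced grants rather than evidence of exploitation.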

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.01883

KEV

no

Activities

very low
