CVE-2022-21253 in MySQL Serverinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2022-21253 represents a significant availability threat within Oracle MySQL Server versions 8.0.27 and earlier, specifically within the Server: Optimizer component. This flaw manifests as a denial of service condition that can be exploited by attackers possessing high privileges and network access through multiple protocols. The vulnerability's classification as easily exploitable indicates that the attack surface is relatively broad and the technical requirements for exploitation are minimal, making it particularly concerning for database environments where availability is critical. The CVSS 3.1 score of 4.9 reflects the moderate to high impact on system availability, with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H indicating network-based access with low attack complexity, high privileges required, no user interaction needed, and universal scope with no impact on confidentiality or integrity.

The technical nature of this vulnerability stems from improper handling within the MySQL Server optimizer module, which is responsible for determining the most efficient execution plan for database queries. When exploited, the vulnerability causes the MySQL Server process to either hang indefinitely or experience repeated crashes that can lead to complete service disruption. This occurs due to specific conditions in the optimizer's query processing logic that fail to properly validate or handle certain input parameters, leading to memory corruption or resource exhaustion scenarios. The flaw specifically affects the server's ability to maintain stable operation during query execution, creating a cascading effect that can bring down database services and impact all applications dependent on the affected MySQL instance.

The operational impact of CVE-2022-21253 extends beyond simple service disruption to potentially compromise business continuity and data availability for organizations relying on MySQL databases. Systems affected by this vulnerability can experience complete database outages that may last until manual intervention occurs, requiring database administrators to restart services and potentially recover from backup configurations. The high privilege requirement for exploitation suggests that this vulnerability is more likely to be targeted by insider threats or attackers who have already gained administrative access to the system, though the network accessibility means that it could also be exploited by external attackers who have bypassed initial access controls. Organizations with critical database workloads face significant risk of service degradation or complete unavailability during exploitation periods.

Organizations should prioritize immediate patching of affected MySQL Server instances to remediate CVE-2022-21253, as the vulnerability presents a clear and present danger to database availability. The recommended mitigation strategy involves upgrading to MySQL Server version 8.0.28 or later, which contains the necessary fixes to address the optimizer-related flaws. Network segmentation and access control measures should be reinforced to limit the attack surface, particularly ensuring that only authorized administrative users have the high privileges required to exploit this vulnerability. Monitoring systems should be enhanced to detect unusual patterns in database service behavior that might indicate exploitation attempts, including unexpected process restarts or abnormal resource consumption. Additionally, implementing regular security assessments and vulnerability scanning processes will help identify similar issues within the broader database ecosystem and ensure comprehensive protection against related threats. This vulnerability aligns with CWE-121 and CWE-122 categories related to buffer overflow conditions and memory corruption, and represents a potential vector for attacks categorized under the MITRE ATT&CK framework's privilege escalation and denial of service techniques.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01976

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!