CVE-2022-21254 in MySQL Serverinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2022-21254 resides within the MySQL Server optimizer component of Oracle MySQL, affecting versions 8.0.27 and earlier. This issue represents a significant availability threat that demonstrates how seemingly minor flaws in database optimization logic can lead to complete service disruption. The vulnerability operates at the core of MySQL's query execution engine, where the optimizer is responsible for determining the most efficient execution plan for database queries. When exploited, this flaw can cause the MySQL server to enter a state of continuous hang or repeated crashes, effectively rendering the database service unavailable to legitimate users and applications.

The technical nature of this vulnerability stems from improper handling of specific query optimization scenarios within the server's execution engine. Attackers with low privilege levels and network access via multiple protocols can trigger this condition through carefully crafted database queries or connection patterns. The CVSS 3.1 scoring of 5.3 reflects the moderate severity of the impact, with the availability impact rating of high (A:H) indicating that successful exploitation will result in complete denial of service. The attack vector requires network access (AV:N) and is classified as difficult to exploit (AC:H), suggesting that while not trivial, the vulnerability can be leveraged by attackers with basic network connectivity and minimal privileges. The low privilege requirement (PR:L) means that even users with minimal database permissions can potentially trigger this condition, making it particularly concerning for environments where privilege escalation is not strictly controlled.

The operational impact of CVE-2022-21254 extends beyond simple service interruption, as it can lead to complete database unavailability that affects business operations across multiple applications dependent on the MySQL service. Organizations experiencing this vulnerability may face extended downtime, potential data loss, and significant operational disruption. The vulnerability's ability to cause frequently repeatable crashes means that even brief exploitation attempts can result in sustained service degradation, complicating incident response and recovery efforts. From an ATT&CK framework perspective, this vulnerability aligns with techniques involving service stoppage and availability disruption, potentially enabling attackers to achieve broader operational impact beyond immediate database access. The vulnerability's classification under CWE (Common Weakness Enumeration) would likely fall within categories related to resource management or execution flow control, specifically addressing how the system handles error conditions during query optimization.

Mitigation strategies for CVE-2022-21254 primarily focus on immediate patching of affected MySQL Server installations to version 8.0.28 or later, which contains the necessary fixes for the optimizer component. Network segmentation and access controls should be implemented to limit exposure of MySQL services to untrusted networks, reducing the attack surface available to potential exploiters. Database administrators should consider implementing connection throttling and query monitoring to detect anomalous patterns that might indicate exploitation attempts. Additionally, regular security assessments and penetration testing should be conducted to identify potential exploitation vectors, while maintaining comprehensive logging of database activities to facilitate incident response. Organizations should also develop and maintain incident response procedures specifically addressing database availability issues, ensuring rapid identification and remediation of similar vulnerabilities in the future. The vulnerability underscores the importance of maintaining current security patches and implementing robust network security controls to protect critical database infrastructure from availability-based attacks.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01690

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!