CVE-2022-21290 in MySQL Cluster
Summary
by MITRE • 01/19/2022
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/24/2022
The vulnerability identified as CVE-2022-21290 represents a significant security weakness within Oracle MySQL Cluster's implementation that operates at the network communication layer. This flaw exists within the Cluster: General component of MySQL Cluster and affects all versions up to and including 8.0.27, making it a widespread concern for organizations utilizing this database clustering solution. The vulnerability's classification as difficult to exploit indicates that while the attack vector is not trivial, it remains a serious threat that can be leveraged by determined adversaries who possess specific privileges and access to the physical network infrastructure where MySQL Cluster nodes operate.
The technical nature of this vulnerability stems from insufficient security controls within the MySQL Cluster's communication protocols, particularly when nodes are connected through shared physical network segments. Attackers with high privileged access to the physical communication segment can exploit this weakness to gain complete control over the MySQL Cluster environment. The vulnerability requires human interaction from individuals other than the attacker, suggesting that social engineering or insider cooperation may be necessary components of a successful attack. This requirement does not diminish the severity but rather indicates that the attack chain involves multiple vectors of compromise that must be orchestrated carefully.
The operational impact of successful exploitation of CVE-2022-21290 is catastrophic for affected organizations, as it can result in complete takeover of the MySQL Cluster system. This level of compromise affects all three core security principles defined by the CVSS framework: confidentiality, integrity, and availability. The high base score of 6.3 reflects the significant damage potential, with the CVSS vector AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H indicating that the attack requires access to an adjacent network segment, high complexity, high privilege requirements, human interaction, and results in complete impact across all security dimensions. The vulnerability's placement within the Cluster: General component suggests that it affects fundamental clustering operations rather than specific features, making the potential impact more widespread and difficult to isolate.
This vulnerability aligns with CWE-284 (Improper Access Control) and CWE-310 (Cryptographic Issues) categories, as it involves unauthorized access to cluster resources through compromised network communication channels. From an ATT&CK framework perspective, this vulnerability maps to techniques involving network sniffing, credential access through network-based attacks, and privilege escalation through physical network access. Organizations should implement immediate mitigations including network segmentation to isolate MySQL Cluster nodes from general network traffic, enhanced physical security controls for network infrastructure, and regular security assessments to identify potential attackers with access to shared physical segments. Additionally, upgrading to MySQL Cluster versions beyond 8.0.27 represents the most effective long-term solution to eliminate this vulnerability and maintain secure cluster operations.