CVE-2022-21297 in MySQL Server
Summary
by MITRE • 01/19/2022
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2022-21297 represents a critical availability issue within Oracle MySQL Server's optimizer component, affecting versions 8.0.26 and earlier. This flaw resides in the server's query optimization logic, where improper handling of specific SQL operations can lead to system instability. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this weakness to disrupt MySQL server operations. The CVSS score of 4.9 reflects the significant availability impact, with the potential to cause complete denial of service through system hangs or repeated crashes that can be triggered repeatedly by an attacker. The attack vector requires network access via multiple protocols, suggesting that the vulnerability can be exploited from external networks or through internal network connections, making it particularly concerning for database environments that are exposed to untrusted networks.
The technical nature of this vulnerability stems from how MySQL's optimizer processes certain query execution plans, particularly when handling complex or malformed SQL statements that trigger specific code paths within the server's internal logic. When these conditions are met, the optimizer's processing routine can enter an infinite loop or encounter memory corruption issues that result in the server becoming unresponsive or crashing entirely. This behavior aligns with CWE-843, which describes improper use of potentially dangerous API calls, particularly when dealing with query optimization and execution. The vulnerability's exploitation does not require authentication beyond what is already granted to high-privileged users, which means that an attacker who has already gained access to a MySQL account with sufficient permissions can leverage this flaw to cause system-wide disruptions. The complete denial of service condition indicates that the crash or hang affects the entire server instance, potentially impacting all database operations and applications that depend on the affected MySQL service.
The operational impact of CVE-2022-21297 extends beyond simple service disruption, as it can compromise the reliability and availability of critical database infrastructure that many enterprise applications depend upon. Organizations running affected MySQL versions face the risk of prolonged outages that can affect business operations, data access, and application performance across their entire infrastructure. The vulnerability's ability to cause repeated crashes means that even if an initial attack is mitigated, the system may remain unstable and require manual intervention to restore normal operations. This type of availability-focused attack aligns with ATT&CK technique T1499.004, which covers network denial of service attacks, and represents a significant concern for organizations that rely on continuous database availability for their operations. The high privilege requirement for exploitation suggests that this vulnerability is particularly dangerous in environments where database administrators or application accounts have elevated access rights, as these accounts can be targeted to gain unauthorized control over database services. Organizations implementing proper access controls and privilege management may be partially protected, but the vulnerability's impact on system availability means that even limited access can result in catastrophic service disruption.
Mitigation strategies for CVE-2022-21297 should prioritize immediate patching of affected MySQL Server installations to version 8.0.27 or later, which contains the necessary fixes for this optimizer-related vulnerability. Organizations should also implement network segmentation and access controls to limit exposure of MySQL services to only trusted networks and authorized users. Monitoring and alerting systems should be configured to detect unusual patterns of database server crashes or hangs that could indicate exploitation attempts. Database administrators should review and restrict high-privileged user accounts, implementing principle of least privilege where possible. The vulnerability's characteristics suggest that implementing additional logging and monitoring around query execution and optimizer activities could help detect exploitation attempts before they cause complete service disruption. Organizations should also consider implementing redundant database systems or failover mechanisms to minimize the impact of potential exploitation attempts, particularly in mission-critical environments where database availability is paramount for business continuity. Regular vulnerability assessments and penetration testing should be conducted to identify similar issues in other database components and ensure comprehensive protection against related threats.