CVE-2022-21339 in MySQL Serverinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2022-21339 resides within the MySQL Server optimizer component of Oracle MySQL, affecting versions 8.0.27 and earlier. This represents a significant security weakness that operates at the core of database query processing and optimization logic. The vulnerability specifically targets the server's ability to handle certain complex query operations that involve multiple joins and subqueries, creating a scenario where malicious input can trigger unexpected behavior in the database engine's internal processing mechanisms.

This flaw manifests as a denial of service condition that can be exploited by attackers with high privileged access and network connectivity to the MySQL server. The CVSS score of 4.9 indicates a moderate severity threat with availability impacts, though the ease of exploitation combined with the potential for complete system disruption makes it particularly concerning. The vulnerability operates through multiple network protocols, increasing its attack surface and making it more challenging to defend against. The attacker must possess elevated privileges to leverage this vulnerability effectively, but the network access requirement means that even internal threats or compromised accounts could potentially exploit this weakness.

The technical implementation of this vulnerability involves the optimizer's handling of specific query execution paths that can lead to infinite loops or resource exhaustion conditions within the MySQL server process. When processing certain combinations of join operations, subqueries, and complex conditional logic, the server's query optimizer enters into problematic execution patterns that can cause the server to hang indefinitely or crash repeatedly. This behavior directly impacts the server's availability and can result in complete service disruption for database operations that rely on the affected MySQL instance.

The operational impact of this vulnerability extends beyond simple service interruption to potentially affect business continuity and data availability. Organizations running affected MySQL versions may experience unexpected downtime, particularly during peak query processing periods when complex analytical operations are common. The vulnerability's ability to cause repeated crashes means that even brief exploitation attempts can result in extended service outages. System administrators may find it difficult to diagnose the root cause of server instability, as the symptoms manifest as system hangs or crashes rather than clear error messages. This makes incident response more challenging and increases the potential for extended periods of service disruption.

Mitigation strategies for CVE-2022-21339 should prioritize immediate patching of affected MySQL installations to version 8.0.28 or later, which contains the necessary fixes for the optimizer component. Organizations should also implement network segmentation and access controls to limit the attack surface, ensuring that only authorized personnel have high-privileged network access to MySQL servers. Additionally, monitoring systems should be enhanced to detect unusual patterns of server hangs or crashes that might indicate exploitation attempts. Database administrators should consider implementing query execution limits and resource constraints to prevent single problematic queries from consuming excessive server resources. The vulnerability aligns with CWE-400 which addresses "Uncontrolled Resource Consumption" and potentially relates to ATT&CK technique T1499.004 for "Endpoint Denial of Service" within the context of database server operations. Organizations should also conduct regular vulnerability assessments and penetration testing to identify similar weaknesses in their database infrastructure and ensure that all systems remain up-to-date with security patches.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01806

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!