CVE-2022-21348 in MySQL Serverinfo

Summary

by MITRE • 01/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.27 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2022-21348 resides within the InnoDB storage engine component of Oracle MySQL Server affecting versions 8.0.27 and earlier. This represents a significant availability risk that stems from a flaw in how the database engine handles certain operations within its transaction processing framework. The vulnerability operates at a fundamental level of the database's core functionality, specifically within the InnoDB storage engine that manages data integrity and transactional consistency. Attackers with high privileges and network access can exploit this weakness to disrupt database operations through multiple network protocols, making it particularly concerning for environments where database availability is critical.

The technical nature of this vulnerability manifests as a condition that can lead to complete denial of service scenarios within the MySQL Server environment. When exploited, the flaw causes the database server to either hang indefinitely or experience repeated crashes that effectively render the service unavailable to legitimate users. This behavior occurs during normal database operations when specific transaction patterns trigger the underlying flaw in the InnoDB engine's memory management or lock handling mechanisms. The vulnerability's exploitability requires an attacker to possess high-privilege credentials, typically administrative access to the database system, which limits its exposure but does not eliminate the risk entirely. The CVSS score of 4.9 indicates a moderate severity level for availability impacts, though the potential for complete service disruption makes this a serious concern for database administrators.

The operational impact of this vulnerability extends beyond simple service interruption to encompass broader business continuity concerns for organizations relying on MySQL databases. When a MySQL server experiences the hang or crash conditions described in the vulnerability, it can lead to extended downtime that affects applications dependent on database connectivity. The repetitive nature of the crashes means that even brief exploitation attempts can result in prolonged service unavailability, making it difficult for administrators to maintain consistent database uptime. Organizations with mission-critical applications that depend on MySQL Server may face significant operational disruptions, particularly in environments where database availability is paramount for business operations. The vulnerability's ability to affect multiple protocols increases the attack surface and makes it more challenging to defend against through network segmentation or protocol filtering approaches.

Mitigation strategies for CVE-2022-21348 should prioritize immediate patching of affected MySQL Server installations to version 8.0.28 or later, which contains the necessary fixes for the InnoDB storage engine flaw. Organizations should also implement strict access controls and privilege management to minimize the risk of unauthorized exploitation, as the vulnerability requires high-privilege credentials to execute successfully. Network monitoring should be enhanced to detect unusual patterns of database server instability or repeated connection failures that might indicate exploitation attempts. Database administrators should consider implementing redundant database systems or failover mechanisms to maintain service availability during potential exploitation windows. The vulnerability aligns with CWE-119 which addresses memory corruption issues, and may relate to ATT&CK technique T1499.004 for network denial of service attacks. Regular vulnerability assessments and penetration testing should be conducted to identify similar weaknesses in database infrastructure and ensure comprehensive protection against similar threats.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

01/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01360

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!