CVE-2022-21355 in MySQL Cluster
Summary
by MITRE • 01/19/2022
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/24/2022
The vulnerability identified as CVE-2022-21355 affects Oracle MySQL Cluster components and represents a significant security concern for database infrastructure. This issue specifically targets the Cluster: General component within MySQL Cluster deployments, impacting multiple version branches including 7.4.34 and earlier, 7.5.24 and earlier, 7.6.20 and earlier, and 8.0.27 and earlier. The vulnerability classification as difficult to exploit indicates that while the attack vector requires specific conditions, the potential impact on database security and availability remains substantial. The CVSS 3.1 scoring system rates this vulnerability with a base score of 2.9, reflecting low confidentiality impact, no integrity impact, and low availability impact, though the vector specifically indicates that the attack requires high privileges and human interaction beyond the initial attacker access.
The technical nature of this vulnerability stems from insufficient access controls within the MySQL Cluster's communication protocols, particularly when operating on physical network segments. Attackers with physical access to the hardware infrastructure where MySQL Cluster operates can exploit this weakness to gain unauthorized access to a subset of database cluster data. This access control failure demonstrates a weakness in the principle of least privilege implementation within the cluster's network security model. The vulnerability's classification under CWE 284 (Improper Access Control) reflects the fundamental security principle that unauthorized users should not be able to access system resources without proper authentication and authorization. The attack requires an attacker to possess high privileged access to the physical communication segment, indicating that the vulnerability may be exploited through network-level attacks or by individuals who have already compromised physical access to the infrastructure.
The operational impact of this vulnerability extends beyond simple data exposure to include partial denial of service conditions that can significantly affect database cluster operations. When successful, attacks can result in unauthorized read access to sensitive data stored within the MySQL Cluster environment, potentially exposing confidential information to malicious actors. The partial denial of service capability means that while the entire system may not be completely compromised, critical database operations could be disrupted, affecting business continuity and data availability. This vulnerability particularly affects organizations that rely heavily on MySQL Cluster for their database infrastructure, where unauthorized access to even partial data sets could have substantial business implications. The requirement for human interaction beyond the initial attacker access suggests that social engineering or insider threat components may be involved in successful exploitation attempts.
Organizations should implement immediate mitigation strategies including network segmentation to isolate MySQL Cluster environments from general network traffic, enhanced physical security measures to prevent unauthorized access to hardware infrastructure, and regular security audits to identify potential access control weaknesses. The vulnerability's specific requirements for high privileged access to physical network segments suggest that defensive measures should focus on network monitoring and access control enforcement. Security teams should consider implementing network access controls and firewall rules to limit communication between the MySQL Cluster and untrusted network segments. Additionally, regular updates and patch management processes should be prioritized to ensure that all affected MySQL Cluster versions are updated to secure releases that address this vulnerability. The ATT&CK framework classification for this vulnerability would likely fall under T1046 (Network Service Scanning) and T1068 (Exploitation for Privilege Escalation) techniques, as attackers would need to first establish access to the physical network segment before attempting to exploit the access control weakness. Organizations should also consider implementing intrusion detection systems that can monitor for unusual network communication patterns that might indicate exploitation attempts against MySQL Cluster components.