CVE-2022-21594 in MySQL Serverinfo

Summary

by MITRE • 10/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/25/2026

The vulnerability identified as CVE-2022-21594 resides within the MySQL Server optimizer component of Oracle MySQL database systems. This flaw affects versions 8.0.30 and earlier, representing a significant security concern for database administrators managing critical infrastructure. The vulnerability operates at the core of MySQL's query optimization engine, where the server processes and executes database operations. As a component of the Server: Optimizer subsystem, this issue impacts how MySQL handles complex query execution paths and resource allocation during database operations. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this flaw effectively, making it particularly dangerous in environments where database servers are accessible over networks. This characteristic aligns with CWE-20, which describes improper input validation, and reflects the fundamental nature of how database systems process user-provided queries and execution plans.

The technical nature of this vulnerability manifests as a condition that can cause complete denial of service attacks against MySQL Server instances. When exploited successfully, the flaw enables attackers to force the database server into a state of permanent hang or frequent crashes, effectively rendering the database service unavailable to legitimate users and applications. The specific mechanism involves the optimizer's handling of certain query execution scenarios that trigger memory management issues or resource allocation failures. This type of vulnerability represents a critical availability threat, as demonstrated by the CVSS 3.1 base score of 4.9, which emphasizes the high impact on system availability. The attack vector requires network access and high privileges, suggesting that the exploitation likely occurs through legitimate database connection channels rather than through external network infiltration. The vulnerability's impact is particularly severe because database servers are fundamental infrastructure components that support business-critical applications and services.

The operational consequences of this vulnerability extend beyond simple service disruption to potentially compromise entire business operations that depend on database availability. Organizations running affected MySQL versions face the risk of un planned downtime, which can result in significant financial losses, service interruptions, and potential data integrity issues. The complete denial of service capability means that database applications may experience extended periods of unavailability, potentially affecting customer-facing services, transaction processing, and backend operations. This vulnerability particularly impacts enterprise environments where database servers handle critical business functions, making the potential for cascading failures across interconnected systems highly likely. The vulnerability's exposure through multiple protocols indicates that attackers can potentially exploit it through various connection methods including TCP/IP, Unix sockets, or other database communication channels, increasing the attack surface and exploitation probability.

Mitigation strategies for CVE-2022-21594 should prioritize immediate patching of affected MySQL Server instances to the latest supported versions that contain the fix for this optimizer flaw. Database administrators should implement comprehensive monitoring solutions to detect unusual patterns of server behavior that might indicate exploitation attempts. Network segmentation and access control measures should be reinforced to limit the attack surface by restricting network access to database servers and implementing principle of least privilege for database accounts. Security teams should also conduct thorough vulnerability assessments to identify all affected systems and implement proper incident response procedures. The fix for this vulnerability aligns with ATT&CK technique T1499.004 which involves network denial of service attacks, and represents a critical patch management requirement for database environments. Organizations should also consider implementing database activity monitoring solutions that can detect anomalous query execution patterns and provide early warning of potential exploitation attempts. Regular security audits and vulnerability scanning should be conducted to ensure comprehensive protection against similar optimizer-based vulnerabilities that may emerge in the future.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01161

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!