CVE-2022-21607 in MySQL Serverinfo

Summary

by MITRE • 10/19/2022

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/26/2026

The vulnerability identified as CVE-2022-21607 resides within the MySQL Server optimizer component of Oracle MySQL, affecting versions 8.0.28 and earlier. This represents a significant security weakness that falls under the Common Weakness Enumeration category of CWE-121, which deals with buffer overflow conditions in heap-based memory management. The flaw specifically manifests in how the server processes certain optimizer operations, creating a pathway for malicious actors to exploit the system through network-based attacks.

The technical nature of this vulnerability involves an exploitable condition that allows a high-privileged attacker with network access to compromise the MySQL Server functionality. The attack vector requires network connectivity and can be executed through multiple protocols, making it particularly concerning for environments where MySQL servers are exposed to external networks. The vulnerability operates at a fundamental level within the server's operational framework, specifically targeting the optimizer module that handles query execution planning and resource allocation.

From an operational impact perspective, successful exploitation of this vulnerability results in a complete denial of service condition where the MySQL Server becomes unresponsive or crashes repeatedly. The CVSS 3.1 score of 4.9 indicates a moderate to high severity threat, with availability impacts being the primary concern as reflected by the availability vector component. This type of vulnerability can severely disrupt database operations, causing business interruption and potential data loss scenarios, particularly in mission-critical applications that depend on continuous database availability.

The attack surface for this vulnerability extends across multiple network protocols, increasing the potential for exploitation and reducing the barriers for attackers to gain access. Organizations running affected MySQL versions face significant risk, especially when database servers are not properly isolated within secure network zones or when adequate network segmentation is not implemented. The vulnerability's ease of exploitation means that attackers with minimal privileges can potentially cause system-wide outages, making it a critical concern for database administrators and security teams responsible for maintaining system availability and integrity.

Effective mitigation strategies for CVE-2022-21607 include immediate patching of affected MySQL Server installations to versions that contain the necessary security fixes. Organizations should also implement network segmentation to limit access to database servers, employ strict access controls, and monitor for unusual network activity that might indicate exploitation attempts. Additionally, maintaining regular backups and implementing robust monitoring solutions can help detect and respond to potential exploitation attempts more effectively. The vulnerability underscores the importance of keeping database software updated and following security best practices for database server hardening.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01024

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!