CVE-2023-21913 in MySQL Server
Summary
by MITRE • 04/18/2023
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/18/2025
The vulnerability identified as CVE-2023-21913 represents a critical availability threat within Oracle MySQL Server's optimizer component, affecting versions 8.0.31 and earlier. This flaw resides in the server's query optimization engine, which is responsible for determining the most efficient execution plan for database queries. The vulnerability manifests when the optimizer encounters specific query patterns that trigger a memory management issue during query processing. The affected component operates at a fundamental level of database operations, making it particularly dangerous as it can disrupt core database functionality. This issue is classified under CWE-476, which deals with null pointer dereference vulnerabilities, indicating that the optimizer fails to properly handle certain edge cases during query analysis. The vulnerability's impact is amplified by its ability to cause complete denial of service conditions, where legitimate database operations become impossible due to system crashes or hangs.
The technical exploitation of this vulnerability requires an attacker with high-privileged network access to the MySQL server, typically through established database connections or administrative protocols. Attackers can craft specific SQL queries that, when processed by the vulnerable optimizer, trigger memory corruption or resource exhaustion within the MySQL server process. The attack vector spans multiple protocols including TCP/IP connections, Unix domain sockets, and named pipes, making it particularly challenging to defend against. The vulnerability's low attack complexity (AC:L) and high privilege requirement (PR:H) indicate that while the technical means to exploit are relatively straightforward, the attacker must already possess administrative or elevated database user credentials. This characteristic aligns with ATT&CK technique T1078.004, which involves legitimate credentials used for persistence and privilege escalation. The successful exploitation results in a complete system hang or frequent crash scenario that can be repeatedly triggered, effectively rendering the database service unavailable to legitimate users.
The operational impact of CVE-2023-21913 extends beyond simple service disruption, potentially causing cascading failures in applications dependent on MySQL services. Organizations running affected MySQL versions face significant risk of data unavailability, application downtime, and potential financial losses due to extended service interruptions. The vulnerability's availability impact score of 4.9 (CVSS 3.1) reflects the severity of service disruption, as the database server can become completely unresponsive to legitimate queries. This type of vulnerability is particularly concerning for mission-critical systems where database availability is paramount for business operations. The repeated crash capability means that even after initial mitigation attempts, the system remains vulnerable to continued exploitation, requiring complete service restarts or system reboots to restore normal operations. This makes the vulnerability particularly dangerous in production environments where service uptime is critical. Organizations may also face compliance and regulatory implications if database availability is compromised, especially in industries with strict uptime requirements such as financial services, healthcare, or telecommunications.
Mitigation strategies for CVE-2023-21913 should prioritize immediate patch deployment from Oracle, as the vendor has released security updates addressing this specific vulnerability. Organizations should implement network segmentation and access controls to limit the attack surface, ensuring that only authorized administrative users can establish connections to database servers. Database administrators should consider implementing query monitoring and limiting the types of queries that can be executed with elevated privileges. The implementation of intrusion detection systems can help identify potential exploitation attempts by monitoring for unusual query patterns or connection behaviors. Additionally, organizations should maintain regular backup and recovery procedures to minimize downtime during potential exploitation events. Security teams should conduct regular vulnerability assessments and penetration testing to identify similar issues within their MySQL deployments. The vulnerability's classification as a high-privilege requirement means that proper access control and privilege management should be enforced through role-based access controls and regular audit of administrative accounts. Organizations should also consider implementing database activity monitoring solutions that can detect and alert on anomalous query behavior that might indicate exploitation attempts. The ATT&CK framework's emphasis on credential compromise and privilege escalation makes this vulnerability particularly relevant for organizations implementing comprehensive security monitoring and incident response procedures.