CVE-2023-22064 in MySQL Server

Summary

by MITRE • 10/25/2023

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


Analysis

by VulDB Data Team • 05/08/2025

The vulnerability identified as CVE-2023-22064 resides within the MySQL Server optimizer component of Oracle MySQL, affecting versions 8.0.34 and earlier. This issue represents a significant availability risk that can be exploited by attackers with high privileges and network access through multiple protocols. The CVSS base score of 4.9 indicates a moderate severity level with substantial impact on system availability, as the vulnerability can lead to complete denial of service conditions through hangs or repeated crashes of the MySQL server instance.

The technical flaw manifests within the server optimizer module where specific query processing sequences trigger memory management issues or resource exhaustion conditions. This optimizer component is responsible for determining the most efficient execution plan for database queries, and the vulnerability exploits weaknesses in how the system handles certain complex query structures or edge cases during optimization phases. Attackers with high-privileged network access can craft malicious queries or manipulate existing query patterns to trigger the exploitable condition, causing the MySQL server to either hang indefinitely or crash repeatedly.

From an operational perspective, this vulnerability presents a critical threat to database availability and system stability. Organizations relying on MySQL 8.0.34 or earlier versions face potential service disruption that could impact business operations, especially in environments where database availability is paramount. The complete denial of service condition means that legitimate database operations would be suspended until the server is manually restarted or the underlying issue is resolved through patching. The high privilege requirement suggests that this vulnerability is more likely to be exploited by insiders or attackers who have already gained elevated access to the system, making it particularly dangerous in environments with compromised accounts or insider threats.

Security practitioners should prioritize immediate patching of affected MySQL installations (8.0.34 and earlier) to remediate this vulnerability. The patching process should include thorough testing in staging environments to ensure compatibility with existing database applications and workflows. Organizations should also implement network segmentation and access controls to limit the attack surface and reduce the likelihood of privilege escalation. Monitoring for unusual query patterns or system behavior that might indicate exploitation attempts should be implemented alongside traditional intrusion detection systems. The vulnerability aligns with CWE-400 (Uncontrolled Resource Consumption) and maps to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation), highlighting the importance of both preventive and detective security measures.

Additional mitigations include implementing database firewalls or query filtering mechanisms to detect and block potentially malicious query patterns, establishing robust backup and recovery procedures to minimize downtime impact, and conducting regular security assessments of database environments to identify and remediate similar vulnerabilities. Organizations should also consider implementing database activity monitoring solutions that can detect anomalous behavior patterns associated with denial of service attacks and provide real-time alerts to security operations teams for rapid response and incident containment.

Responsible: Oracle

Reservation: 12/17/2022

Disclosure: 10/25/2023

Moderation: accepted

CPE: ready

EPSS: 0.00884

KEV: no

Activities: very low
