A vulnerability has been discovered in the MySQL Server product of Oracle MySQL, specifically in the Server: DML component. The vulnerability, designated CVE-2023-21836, affects supported versions 8.0.31 and earlier. It is easily exploitable and allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful exploitation can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server. The vulnerability has a CVSS 3.1 Base Score of 4.9, with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H.

Code Snippet

The vulnerability lies within the Server: DML component of the affected MySQL Server versions. To exploit it, a high-privileged attacker with network access can send maliciously crafted data packets through multiple protocols to the MySQL Server, potentially causing a full crash. Specific code snippets and a proof-of-concept are not provided, for the security of users; the general idea of the attack involves sending malformed data packets.

References

For more information on this vulnerability and the impacted MySQL Server versions, please consult the Oracle Critical Patch Update Advisory for October 2023:
- Oracle Critical Patch Update Advisory - October 2023

For more details on the Common Vulnerability Scoring System (CVSS) utilized to score this vulnerability, you can refer to the following resource:
- CVSS 3.1 Specification

Exploit Details

This vulnerability is easily exploitable and allows an attacker with a high level of privilege, as well as network access through multiple protocols, to compromise the affected MySQL Server. A successful attack can result in an unauthorized ability to cause a hang or a frequently repeatable crash, which constitutes a complete Denial of Service (DoS) on the MySQL Server.

This vulnerability has the following CVSS vector:

- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Mitigation

Users of affected MySQL Server versions are strongly encouraged to update to the latest version (MySQL Server 8.0.32 or later) and apply the relevant security patches provided by Oracle MySQL. Regularly updating software and applying security patches from trusted sources will help mitigate the risk of exploitation of similar vulnerabilities in the future.

Conclusion

CVE-2023-21836 presents a significant risk to MySQL Server users, as it allows high-privileged attackers to crash the server, denying legitimate users access and functionality. Vulnerabilities like this emphasize the importance of regularly updating software and staying up to date with security patches from trusted vendors. By staying informed and proactive in applying updates, users can maintain a more secure environment and minimize the risks posed by such vulnerabilities.

Timeline

Published on: 01/18/2023 00:15:00 UTC
Last modified on: 01/24/2023 19:28:00 UTC