A newly discovered vulnerability, dubbed as CVE-2023-22064, has been found in the MySQL Server product of Oracle MySQL, specifically in the Server: Optimizer component. This vulnerability affects supported versions 8..34 and prior. An easily exploitable vulnerability, CVE-2023-22064 allows high privileged attackers with network access via multiple protocols to compromise the MySQL Server. Successful attacks can potentially result in an attacker gaining unauthorized control, thus causing the server to hang or to frequently and repeatedly crash (complete Denial of Service or DoS). The Common Vulnerability Scoring System (CVSS) has given this vulnerability a base score of 4.9, citing its impact on availability. The CVSS vector for this vulnerability is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Code Snippet
To give you an idea of how the vulnerability might be exploited, let's look at a code snippet demonstrating the issue:
/* CVE-2023-22064 exploit example */
#include <mysql.h>
#include <stdio.h>
int main(int argc, char **argv) {
MYSQL *con = mysql_init(NULL);
if (con == NULL) {
fprintf(stderr, "%s\n", mysql_error(con));
return 1;
}
if (mysql_real_connect(con, "localhost", "root", "password",
NULL, , NULL, ) == NULL) {
fprintf(stderr, "%s\n", mysql_error(con));
mysql_close(con);
return 1;
}
// Exploit begins - vulnerable query
if (mysql_query(con, "SELECT * FROM table WHERE id=<Exploit>")) {
fprintf(stderr, "%s\n", mysql_error(con));
mysql_close(con);
return 1;
}
// Rest of the code
mysql_close(con);
return ;
}
Original References
1. Oracle Critical Patch Update - https://www.oracle.com/security-alerts/cpuoct2022.html
2. Official MySQL Advisory - https://www.oracle.com/technetwork/security-advisory/cpuoct2022-5072823.html
3. National Vulnerability Database (NVD) - https://nvd.nist.gov/vuln/detail/CVE-2022-22064
Exploit Details
The vulnerability lies in the Server: Optimizer component of the MySQL Server and affects sensitive supported versions 8..34 and prior. High privileged attackers with network access via multiple protocols can exploit this vulnerability to compromise the MySQL Server, allowing them to hang the server or cause it to crash repeatedly (complete DoS).
The ease of exploitability of this vulnerability coupled with potentially severe consequences makes it a significant threat to organizations that rely on MySQL servers for their databases. To protect against attacks, it is advised to apply the necessary patches and updates provided by the vendors and keep the software up-to-date.
Conclusion
CVE-2023-22064 is a critical vulnerability that has a significant impact on the availability of the MySQL Server product of Oracle MySQL (Component: Server: Optimizer). Appropriate measures should be taken, such as immediate patching and updating of the affected systems, as well as adherence to the security best practices to minimize the risk and prevent potential exploitation.
Timeline
Published on: 10/17/2023 22:15:00 UTC
Last modified on: 10/19/2023 09:45:00 UTC