CVE-2024-21102 - A Vulnerability in MySQL Server Thread Pooling leading to Denial of Service (DoS)

Overview: Oracle's April 2024 Critical Patch Update describes a vulnerability in the MySQL Server product of Oracle MySQL, in the Server: Thread Pooling component. The affected versions are 8.0.36 and prior, as well as 8.3.0 and prior. Oracle rates the vulnerability easily exploitable: an attacker who already holds high privileges on the server and has network access to it over the protocols it exposes can cause MySQL Server to hang or to crash repeatedly, a complete Denial of Service (DoS). The CVSS 3.1 Base Score is 4.9, with impact on Availability only. The CVSS Vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, that is: reachable over the network, low attack complexity, high privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, high availability impact. The high-privilege prerequisite is what keeps the score in the medium range despite the High availability rating.

Code Snippet

Oracle does not publish proof-of-concept code or the vulnerable code path for vulnerabilities fixed in a Critical Patch Update, and none is public for this CVE; the advisory gives only the component, the affected versions and the CVSS vector listed above. Any further detail would come from Oracle's advisory and the MySQL release notes, not from a public exploit.

References

1. Oracle Critical Patch Update Advisory - April 2024
2. CVE-2024-21102 Detail (NVD)

Exploit Details

An attacker exploiting this vulnerability must already hold high-privilege access to the MySQL Server (PR:H in the vector) and must be able to reach it over the network. Oracle describes the attack surface only as "multiple protocols"; no public detail exists on the request that triggers the fault, and nothing in the advisory suggests SQL injection or any other way to reach the bug without an already-privileged account. Within those constraints the attacker can drive the Server: Thread Pooling component into a state where mysqld hangs or crashes repeatedly (a complete DoS). In practice the realistic threat is therefore a compromised or malicious administrator-level credential, or an application account that was granted far more than it needs.

Mitigation

Users of Oracle MySQL should apply the fix delivered with Oracle's Critical Patch Update for this CVE; Oracle ships MySQL fixes through the quarterly CPU rather than as separate out-of-band advisories. Until the fix is applied, and as standing practice, server administrators should:

1. Keep MySQL Server and the underlying operating system up to date, and track the quarterly Oracle CPU schedule so the next MySQL update is not missed.

2. Follow the Principle of Least Privilege. The attack requires high privileges, so inventory the accounts that hold administrative rights (SUPER, the dynamic privileges that replace it in 8.0, and grants on the mysql schema), remove the ones that are not strictly necessary, and restrict the hosts from which the remaining ones may connect.

3. Check whether the thread pool is in use. Oracle's thread pool ships as the thread_pool plugin in MySQL Enterprise Edition, and the thread_handling system variable reads loaded-dynamically when it is active. A server that does not load the plugin is less likely to reach the affected component, but Oracle's advisory does not condition the issue on the plugin being loaded, so patch either way.

4. Regularly monitor network traffic and server logs for signs of suspicious activity. For this CVE the observable symptom is the server hanging or restarting repeatedly, so alert on repeated mysqld startups in the error log and on connection failures reported by application hosts.
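The script below is an added example for this page, not code from Oracle or from the original post. It ties together the affected-version ranges from the Overview and the log-monitoring advice above: it encodes the "8.0.36 and prior" and "8.3.0 and prior" ranges as two separate release tracks (so that 8.0.37 is not wrongly flagged just because it is numerically below 8.3.0), and it scans MySQL 8 error-log lines for the symptom the advisory describes, a server that starts, dies and starts again within a short window. The function names (parse_version, is_affected, parse_startups, triage) and the sample log are this example's own assumptions; the log lines are constructed, but follow the MySQL 8 error-log layout and the MY-010116 "starting as process" banner that mysqld writes on every start.

```python
"""
Added example (not Oracle's code and not from the original page): triage a
MySQL 8 error log for CVE-2024-21102 exposure and crash-loop behaviour.
"""
import re
from datetime import datetime, timedelta

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Startup banner mysqld writes on every start; the version in parentheses is
# the same string SELECT VERSION() returns on that server.
START_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) \d+ \[System\] "
    r"\[MY-010116\] \[Server\] \S+ \(mysqld (?P<ver>[^)]+)\) starting as process (?P<pid>\d+)"
)


def parse_version(text):
    """'8.0.36-commercial' -> (8, 0, 36); '8.0.35-0ubuntu0.22.04.1' -> (8, 0, 35)."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """Affected per the advisory wording: '8.0.36 and prior' and '8.3.0 and prior'.

    The two statements describe two release tracks, so they are checked
    separately; a single tuple comparison against (8, 3, 0) would wrongly
    flag 8.0.37, the first 8.0 release after the affected range.
    """
    major, minor, patch = version
    if (major, minor) == (8, 0):
        return patch <= 36
    if (major, minor) < (8, 0):
        return True  # "and prior": older, end-of-life lines with no fix available
    return (8, 1, 0) <= version <= (8, 3, 0)  # innovation track up to 8.3.0


def parse_startups(lines):
    """Return [(timestamp, version_string, pid), ...] for each startup banner."""
    found = []
    for line in lines:
        m = START_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            found.append((ts, m.group("ver"), int(m.group("pid"))))
    return found


def triage(lines, window=timedelta(minutes=10), min_restarts=3):
    """Summarise one error log: versions seen, which of them fall in the
    affected ranges, and whether startups cluster tightly enough to look like
    a crash loop (at least min_restarts starts inside any `window`)."""
    startups = parse_startups(lines)
    times = sorted(ts for ts, _, _ in startups)

    # Sliding window over sorted start times: j trails i so that
    # times[j..i] all lie within `window` of times[i].
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        best = max(best, i - j + 1)

    versions = sorted({ver for _, ver, _ in startups})
    affected = [v for v in versions
                if (pv := parse_version(v)) is not None and is_affected(pv)]
    return {
        "versions": versions,
        "affected_versions": affected,
        "restarts": len(startups),
        "max_restarts_in_window": best,
        "crash_loop": best >= min_restarts,
    }


# Constructed sample: four starts of an affected build within nine minutes.
SAMPLE_LOG = """\
2024-04-20T10:00:00.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.36-commercial) starting as process 1201
2024-04-20T10:00:02.500000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.36-commercial'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Enterprise Server - Commercial.
2024-04-20T10:03:41.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.36-commercial) starting as process 1288
2024-04-20T10:06:12.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.36-commercial) starting as process 1350
2024-04-20T10:08:57.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.36-commercial) starting as process 1411
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

Run it against a real error log with `triage(open("/var/log/mysql/error.log").read().splitlines())`; the window and threshold are deliberately parameters, because a server that is restarted three times in ten minutes by a deployment tool looks identical in the log to one being crashed by an attacker, and the alert should be tuned to what is normal for the host. A crash loop on an unaffected version is still worth a look; it simply is not this CVE.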

In conclusion, CVE-2024-21102 is a vulnerability in Oracle MySQL's Server: Thread Pooling component that an attacker with high privileges and network access can use to take affected servers down (complete DoS). Administrators should apply the fix from Oracle's Critical Patch Update, cut the number of accounts that hold high privileges, and watch for the symptom of a server that hangs or restarts repeatedly.

Timeline

Published on: 04/16/2024 22:15:31 UTC
Last modified on: 06/04/2024 17:37:36 UTC