CVE-2022-31011

7.8 HIGH

📋 TL;DR

CVE-2022-31011 is an authentication bypass vulnerability in TiDB 5.3.0 that allows attackers to construct malicious authentication requests to gain unauthorized access or escalate privileges. Only TiDB 5.3.0 users are affected, with version 5.3.1 containing the fix. This vulnerability stems from improper authentication handling under specific conditions.

💻 Affected Systems

Products:
  • TiDB
Versions: 5.3.0 only
Operating Systems: All platforms running TiDB
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects TiDB 5.3.0; earlier and later versions are not vulnerable. Requires TiDB authentication to be enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through privilege escalation to root/admin access, leading to data theft, data manipulation, or service disruption.

🟠 Likely Case

Unauthorized access to database resources, potential data exfiltration, and privilege escalation within the TiDB environment.

🟢 If Mitigated

Limited to authenticated users only, with reduced attack surface through proper network segmentation and access controls.

🌐 Internet-Facing: HIGH - Internet-facing TiDB instances are directly exploitable by remote attackers without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to TiDB services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires constructing specific malicious authentication requests but does not require prior authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.3.1

Vendor Advisory: https://github.com/pingcap/tidb/security/advisories/GHSA-4whx-7p29-mq22

Restart Required: Yes

Instructions:

1. Back up your TiDB configuration and data.
2. Upgrade TiDB from version 5.3.0 to 5.3.1 using the official release.
3. Restart TiDB services to apply the patch.

🔧 Temporary Workarounds

Disable Security Enhanced Mode (SEM)

Applies to: all

Turning off SEM may reduce the attack surface for this issue, but it also removes the hardening that SEM provides.

UPDATE mysql.global_variables SET variable_value='OFF' WHERE variable_name='tidb_enable_enhanced_security';

Restrict local login permissions

Applies to: all

Disable local login for non-root accounts to limit attack vectors. Replace 'user' with the account being removed.

REVOKE ALL PRIVILEGES ON *.* FROM 'user'@'localhost';
DELETE FROM mysql.user WHERE User='user' AND Host='localhost';
FLUSH PRIVILEGES;

🧯 If You Can't Patch

  • Implement strict network access controls to limit TiDB access to trusted IPs only
  • Enable comprehensive logging and monitoring for authentication attempts and privilege changes

🔍 How to Verify

Check if Vulnerable:

Run SELECT VERSION(); if the result reports 5.3.0, the system is vulnerable.

Check Version:

SELECT VERSION();

Verify Fix Applied:

After patching, confirm the reported version is 5.3.1 or higher:

SELECT VERSION();
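As an added example that is not part of this advisory card, the following Python code parses the string TiDB returns for SELECT VERSION() and classifies the instance for this CVE. It assumes the version string has the form `5.7.25-TiDB-v5.3.0`: the leading number is the MySQL compatibility version and the actual TiDB release follows `-TiDB-v`. Comparing the leading number alone would misreport every 5.x instance, so only the `-TiDB-v` part is used. The `assess_connection` helper is an assumed convenience wrapper for any PEP 249 cursor, not a TiDB or PyMySQL API.

```python
import re

# Assumed format of TiDB's VERSION() result, e.g. "5.7.25-TiDB-v5.3.0":
# the leading "5.7.25" is the MySQL protocol compatibility version; the
# actual TiDB release follows "-TiDB-v". Only that part is compared.
TIDB_VERSION_RE = re.compile(r"-TiDB-v(\d+)\.(\d+)\.(\d+)")

AFFECTED = (5, 3, 0)   # the only release the advisory lists as vulnerable
FIXED = (5, 3, 1)      # first release containing the fix


def parse_tidb_version(version_string):
    """Return the TiDB release as a (major, minor, patch) tuple, or None
    if the string does not look like a TiDB VERSION() result."""
    m = TIDB_VERSION_RE.search(version_string)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def assess_version(version_string):
    """Classify a VERSION() result for CVE-2022-31011.

    Returns one of:
      "vulnerable" - exactly TiDB 5.3.0
      "fixed"      - 5.3.1 or later
      "unaffected" - an earlier TiDB release the advisory does not list
      "unknown"    - not recognisable as a TiDB version string
    """
    release = parse_tidb_version(version_string)
    if release is None:
        return "unknown"
    if release == AFFECTED:
        return "vulnerable"
    if release >= FIXED:
        return "fixed"
    return "unaffected"


def assess_connection(cursor):
    """Run the check against a live DB-API (PEP 249) cursor, e.g. one from
    PyMySQL. Returns (raw version string, classification). Hypothetical
    helper added for this example."""
    cursor.execute("SELECT VERSION()")
    row = cursor.fetchone()
    version_string = row[0] if row else ""
    return version_string, assess_version(version_string)


if __name__ == "__main__":
    # Constructed sample values, not output captured from a real cluster.
    for sample in ("5.7.25-TiDB-v5.3.0", "5.7.25-TiDB-v5.3.1",
                   "5.7.25-TiDB-v5.2.3", "8.0.11"):
        print(f"{sample:24} -> {assess_version(sample)}")
```

Note that a plain MySQL server answering `8.0.11` is reported as "unknown" rather than "unaffected", so a fleet-wide sweep does not silently mark non-TiDB endpoints as safe.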

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed login attempts followed by successful login from same IP
  • Privilege escalation events in audit logs

Network Indicators:

  • Unusual authentication traffic patterns to TiDB ports
  • Authentication requests with malformed parameters

SIEM Query:

source="tidb.log" AND ("authentication failed" OR "privilege" OR "root login")
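The "multiple failed login attempts followed by a successful login from the same IP" indicator above, as an added example that is not from the advisory: a small Python detector run over constructed sample log lines. The line format (`<timestamp> auth_failed|auth_ok user=<name> host=<ip>`) is invented for this example and is not TiDB's real log format; adapt `LINE_RE` to your own log source. The detector groups by client host, keeps a sliding window of recent failures, and raises an alert when a success arrives while at least `min_failures` failures are still inside the window, so an old burst of failures followed by a success minutes later does not trigger.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines; the format is an assumption made for this
# example, not TiDB's actual log format.
SAMPLE_LOG = """\
2022-06-01T10:00:01Z auth_failed user=root host=10.0.0.5
2022-06-01T10:00:03Z auth_failed user=root host=10.0.0.5
2022-06-01T10:00:04Z auth_failed user=admin host=10.0.0.5
2022-06-01T10:00:06Z auth_ok user=root host=10.0.0.5
2022-06-01T10:01:00Z auth_failed user=app host=10.0.0.9
2022-06-01T10:01:02Z auth_ok user=app host=10.0.0.9
2022-06-01T10:05:00Z auth_failed user=root host=10.0.0.7
2022-06-01T10:05:01Z auth_failed user=root host=10.0.0.7
2022-06-01T10:05:02Z auth_failed user=root host=10.0.0.7
2022-06-01T10:09:00Z auth_ok user=root host=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) (auth_failed|auth_ok) user=(\S+) host=(\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, event, user, host) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), m.group(4)


def find_failures_then_success(log_text, min_failures=3, window_seconds=60):
    """Return one alert per client host that logs in successfully while at
    least min_failures failed attempts from that host fall inside the last
    window_seconds. Failures are grouped per host, not per user, so
    attempts against several accounts from one client count together."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # host -> timestamps of failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # skip lines that do not match the expected format
        ts, event, user, host = rec
        q = recent_failures[host]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if event == "auth_failed":
            q.append(ts)
        elif event == "auth_ok":
            if len(q) >= min_failures:
                alerts.append({"host": host, "user": user,
                               "failures": len(q), "time": ts.isoformat()})
            q.clear()   # a success resets the burst for this host
    return alerts


if __name__ == "__main__":
    for alert in find_failures_then_success(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, 10.0.0.5 fires (three failures in five seconds, then a success), 10.0.0.9 does not (a single failure), and 10.0.0.7 does not because its failures are four minutes older than the success and have left the window.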
