CVE-2024-21163
📋 TL;DR
This vulnerability in the MySQL Server optimizer (the component that chooses query execution plans) lets a high-privileged attacker with network access to the server cause a hang or frequently repeatable crash (complete denial of service) or modify some data. It affects MySQL Server 8.0.37 and earlier and 8.4.0 and earlier; the fix ships in 8.0.38 and 8.4.1. Exploitation requires an account with high database privileges; Oracle does not state exactly which privileges, so treat any account with global (`*.*`) or administrative rights as in scope.
💻 Affected Systems
- Oracle MySQL Server (component: Server: Optimizer), versions 8.0.37 and earlier and 8.4.0 and earlier
📦 What is this software?
MySQL Server by Oracle: an open-source relational database server. The affected component is the query optimizer, which runs for every statement the server executes, so a malformed or specially constructed query from a sufficiently privileged session reaches the vulnerable code without any additional setup.
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service: MySQL Server hangs or crashes repeatedly, and every restart can be crashed again by the same session as long as the attacker retains access. The page's assessment also allows for unauthorized modification of some data in tables the account can reach.
Likely Case
A malicious insider, or an attacker who has already taken over an administrative database account, disrupts the service and performs limited data manipulation. Because high privileges are a prerequisite, this is rarely the initial foothold; it is more likely a post-compromise or insider action.
If Mitigated
Minimal impact if administrative accounts are few, are restricted to specific source hosts, and the MySQL port is not reachable from untrusted networks. Note that these controls reduce who can reach the bug; they do not remove it for accounts that legitimately hold high privileges.
🎯 Exploit Status
Oracle rates the attack complexity as low ("easily exploitable") but requires high-privileged attacker credentials. Oracle does not publish technical details for its CPU fixes, and no public exploit code had been identified at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MySQL 8.0.38 or later (8.0 series), MySQL 8.4.1 or later (8.4 LTS series). The 8.1, 8.2 and 8.3 innovation releases are end-of-life and receive no fix; move them to 8.4.1 or later.
Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2024.html
Restart Required: Yes
Instructions:
1. Download MySQL 8.0.38 or 8.4.1 (or later) from the Oracle website, or use your distribution's or vendor's package repository.
2. Back up databases and configuration before touching the server. MySQL 8.x does not support downgrading to an earlier release, so the backup is the only rollback path.
3. Stop the MySQL service.
4. Install the updated version in place (staying within the same series: 8.0.x to 8.0.38, or 8.4.0 to 8.4.1).
5. Start the MySQL service and check the error log for a clean startup.
6. Confirm the running version with `SELECT VERSION();` and verify application functionality.
🔧 Temporary Workarounds
Restrict Network Access
Limit MySQL network access to trusted hosts and applications only. This does not stop an attacker who already holds a privileged account on an allowed host, but it shrinks the set of places an attack can come from.
# In my.cnf/my.ini bind the listener to a specific interface address
# (192.168.1.100 is a placeholder; 8.0.13+ also accepts a comma-separated list)
bind-address = 192.168.1.100
# Use host firewall rules to restrict access; replace trusted_ip with the real
# client address or CIDR, and persist the rules with your distribution's tooling
iptables -A INPUT -p tcp --dport 3306 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
Principle of Least Privilege
Minimize the number of accounts with high privileges and move applications onto roles that grant only what they need. Since exploitation requires a high-privileged account, every account you demote is one fewer path to the bug.
# Review grants before revoking anything; this REVOKE strips every global
# privilege from the account, so confirm nothing depends on it first
SHOW GRANTS FOR 'admin_user'@'%';
REVOKE ALL PRIVILEGES ON *.* FROM 'admin_user'@'%';
# Create specific roles with minimal required permissions (app_db is a placeholder)
CREATE ROLE app_readonly;
GRANT SELECT ON app_db.* TO app_readonly;
# Assign the role to the application account and make it active by default
GRANT app_readonly TO 'app_user'@'10.0.0.%';
SET DEFAULT ROLE app_readonly TO 'app_user'@'10.0.0.%';
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit MySQL access to only necessary hosts
- Enforce strong authentication and regularly audit admin account usage and privileges
🔍 How to Verify
Check if Vulnerable:
Compare the running server version against the affected ranges (8.0.37 and earlier, 8.4.0 and earlier). Check the server, not just the client binary: `mysql --version` reports the client package, which can differ from the server you are connected to.
Check Version:
mysql --version OR mysql -e "SELECT VERSION();"
Verify Fix Applied:
Confirm `SELECT VERSION();` reports 8.0.38 or later, or 8.4.1 or later, on every instance (including replicas and any read-only copies). There is no public trigger for this bug, so the version check is the verification; running "complex queries" does not prove anything either way.
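Comparing version strings by hand across a fleet is error-prone (8.0.9 sorts after 8.0.38 as text). The following is an added example, not code from the original page or from Oracle, that parses the output of `mysql --version` or `SELECT VERSION()` and classifies it against the affected ranges stated above. The handling of 8.1 through 8.3 as vulnerable is an interpretation of "8.4.0 and prior", and the treatment of anything newer than 8.4.1 as fixed follows the page's "8.4.1 or later" wording; both are assumptions noted in the code.

```python
import re
import sys

# Fixed versions per the advisory: 8.0.38 for the 8.0 series, 8.4.1 for 8.4 LTS.
FIXED_8_0 = (8, 0, 38)
FIXED_8_4 = (8, 4, 1)

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '8.0.37',
    'mysql  Ver 8.0.37 for Linux on x86_64 (MySQL Community Server - GPL)'
    or '8.4.0-commercial'. Returns None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Classify a version string as 'vulnerable', 'fixed', 'out of scope'
    (older series not listed in the advisory) or 'unknown' (unparseable)."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, _patch = v
    if major < 8:
        # 5.7 and earlier are not listed as affected (and are end-of-life).
        return "out of scope"
    if (major, minor) == (8, 0):
        return "vulnerable" if v < FIXED_8_0 else "fixed"
    if v < FIXED_8_4:
        # Assumption: 8.1.x-8.3.x innovation releases and 8.4.0 fall under
        # "8.4.0 and prior" and never received a fix.
        return "vulnerable"
    # Assumption: 8.4.1 and anything newer (including 9.x) carry the fix.
    return "fixed"


def assess_lines(lines):
    """Classify many version strings at once, e.g. one per host."""
    return {line.strip(): assess(line) for line in lines if line.strip()}


if __name__ == "__main__":
    # Usage: mysql -N -e "SELECT VERSION();" | python3 check_cve_2024_21163.py
    # or:    python3 check_cve_2024_21163.py < versions.txt   (one host's output per line)
    for raw, verdict in assess_lines(sys.stdin).items():
        print(f"{verdict:12s} {raw}")
```

The script reads whatever `mysql -N -e "SELECT VERSION();"` prints, so it can be fanned out with `ssh`, Ansible, or a monitoring agent; the `-N` flag suppresses the column header so the only output is the version string.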
📡 Detection & Monitoring
Log Indicators:
- Crash stack traces in the MySQL error log ("mysqld got signal 11" or "mysqld got signal 6" followed by a thread and query dump). The "Query (0x...):" line of the trace records the statement that was executing, and "Connection ID (thread ID):" identifies the session.
- Server restarts (message MY-010116, "starting as process") that are not preceded by a clean shutdown (MY-010910, "Shutdown complete").
- Repeated crashes or hangs shortly after the same account connects, which is what a repeatable optimizer crash driven by one session looks like.
Note that the error log does not tag entries with a client address or user; the optimizer does not emit a distinctive "optimizer error" message when it crashes. To attribute a crash to an account or source host, correlate the connection ID from the stack trace with the general query log or an audit plugin (for example MySQL Enterprise Audit), which do record user and host.
Network Indicators:
- Connections to port 3306 from hosts that are not in the allow-list, or from administrative accounts connecting outside their usual hosts or hours
- Clusters of reconnects from one source immediately after each server restart
SIEM Query:
The query below is Splunk-style and assumes the general query log or audit log is ingested with `src_ip` and `user` fields; the error log alone will not populate them.
source="mysql.log" ("mysqld got signal" OR "starting as process" OR "Assertion failure") | stats count by src_ip, user
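The restart and crash indicators above can be checked directly against an error log file before the data reaches a SIEM. The following is an added example, not code from the original page or from Oracle, that scans an error log for crash stack traces and for restarts that were not preceded by a clean shutdown, and pulls the crashing statement and connection ID out of the trace. The sample log is constructed for the example; the message IDs (MY-010116 for start, MY-010910 for shutdown complete) and the "mysqld got signal" trace lines follow the MySQL 8.0 error-log format, but check them against your own log before relying on the regular expressions.

```python
import re
from collections import Counter

# Constructed sample of a MySQL 8.0 error log; not a real capture.
# Sequence: normal start, crash with stack trace, unexpected restart,
# clean shutdown, clean restart.
SAMPLE_LOG = """\
2024-07-20T10:15:01.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.37) starting as process 1201
2024-07-20T10:15:03.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.37'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2024-07-20T10:42:17Z UTC - mysqld got signal 11 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
Thread pointer: 0x7f5a4c000b70
Query (0x7f5a4c00a1b8): SELECT t1.a FROM t1 JOIN t2 ON t1.a = t2.b WHERE t1.a IN (SELECT c FROM t3)
Connection ID (thread ID): 42
Status: NOT_KILLED
2024-07-20T10:42:25.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.37) starting as process 1342
2024-07-20T10:42:27.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.37'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.
2024-07-20T11:00:00.000000Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.37)  MySQL Community Server - GPL.
2024-07-20T11:00:10.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.38) starting as process 1500
"""

START_RE = re.compile(r"^(\S+) \d+ \[System\] \[MY-010116\] \[Server\] .*starting as process (\d+)")
SHUTDOWN_RE = re.compile(r"\[MY-010910\] \[Server\] .*Shutdown complete")
SIGNAL_RE = re.compile(r"^(\S+) UTC - mysqld got signal (\d+)")
QUERY_RE = re.compile(r"^Query \(0x[0-9a-fA-F]+\): (.*)$")
CONN_RE = re.compile(r"^Connection ID \(thread ID\): (\d+)")


def analyze(log_text):
    """Return a list of events: {'type': 'crash', ...} for each signal trace
    (with the crashing query and connection ID when present) and
    {'type': 'unexpected_restart', ...} for each start not preceded by a
    clean shutdown. The first start in the file is never a restart."""
    events = []
    seen_start = False
    clean_shutdown = False
    crash = None  # the crash trace currently being read, if any
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:
            if seen_start and not clean_shutdown:
                events.append({"type": "unexpected_restart", "time": m.group(1), "pid": int(m.group(2))})
            seen_start = True
            clean_shutdown = False
            crash = None
            continue
        if SHUTDOWN_RE.search(line):
            clean_shutdown = True
            continue
        m = SIGNAL_RE.match(line)
        if m:
            crash = {"type": "crash", "time": m.group(1), "signal": int(m.group(2)),
                     "query": None, "connection_id": None}
            events.append(crash)
            continue
        if crash is not None:
            m = QUERY_RE.match(line)
            if m:
                crash["query"] = m.group(1)
                continue
            m = CONN_RE.match(line)
            if m:
                crash["connection_id"] = int(m.group(1))
    return events


def summarize(events):
    """Count events by type; useful as a metric for alerting thresholds."""
    return Counter(e["type"] for e in events)


if __name__ == "__main__":
    # Usage: python3 mysql_crash_scan.py < /var/log/mysql/error.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for e in analyze(text):
        print(e)
    print(dict(summarize(analyze(text))))
```

The connection ID recovered from the trace is what you join against the general query log or audit log to find the user and host behind the crashing statement; the error log itself never records them. A single crash is a bug report; the same connection or account crashing the server on every restart is the pattern this advisory describes.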