CVE-2021-35594: 
MySQL Cluster vulnerability analysis and mitigation

A vulnerability was identified in Oracle MySQL Cluster (CVE-2021-35594) affecting versions 7.4.33 and prior, 7.5.23 and prior, 7.6.19 and prior, and 8.0.26 and prior. The vulnerability was disclosed in October 2021 as part of Oracle's Critical Patch Update. This is a difficult to exploit vulnerability that allows high privileged attackers with access to the physical communication segment attached to the hardware where MySQL Cluster executes to potentially compromise the system (Oracle CPU Oct 2021).

The vulnerability stems from improper validation of array index values in the Data Node jobs processing component. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.3 (Confidentiality, Integrity and Availability impacts) with the following vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

Successful exploitation of this vulnerability can result in takeover of MySQL Cluster. An attacker can leverage this vulnerability to execute code in the context of the service account, potentially gaining unauthorized access to critical data or complete control over all MySQL Cluster accessible data (ZDI Advisory).

Oracle has issued an update to correct this vulnerability as part of the October 2021 Critical Patch Update. Users should upgrade to the latest supported versions of MySQL Cluster that include the security fix (ZDI Advisory, NetApp Advisory).