CVE-2022-21316: 
MySQL vulnerability analysis and mitigation

A vulnerability was identified in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). The affected versions include MySQL Cluster 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, and 8.0.27 and prior. This vulnerability was assigned CVE-2022-21316 with a CVSS 3.1 Base Score of 6.3 (Medium) (Oracle CPE).

The vulnerability is characterized by its CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H, indicating local access, high attack complexity, high privileges required, and user interaction needed. The specific flaw exists within the processing of Data Node jobs, resulting from the lack of proper validation of user-supplied data, which can result in a write past the end of an array (ZDI Advisory).

Successful exploitation of this vulnerability can result in a complete takeover of MySQL Cluster. The impact affects all three security aspects - confidentiality, integrity, and availability - with high severity (Oracle CPE, ZDI Advisory).

Oracle has issued an update to correct this vulnerability. Users should apply the security patches available through the January 2022 Critical Patch Update (Oracle CPE, ZDI Advisory).

The vulnerability was discovered and reported by Lucas Leong (@wmliang) of Trend Micro Zero Day Initiative. The disclosure timeline indicates the vulnerability was reported to the vendor on July 23, 2021, with a coordinated public release on January 21, 2022 (ZDI Advisory).