CVE-2022-21330: 
MySQL vulnerability analysis and mitigation

CVE-2022-21330 is a vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). The vulnerability affects versions 7.5.24 and prior, 7.6.20 and prior, and 8.0.27 and prior. This is a difficult to exploit vulnerability that allows high privileged attackers with access to the physical communication segment attached to the hardware where MySQL Cluster executes to compromise the system. The vulnerability was disclosed in January 2022 with a CVSS 3.1 Base Score of 6.3 (Medium) (Oracle Advisory).

The specific vulnerability exists within the processing of Data Node jobs. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an array. The vulnerability has a CVSS Vector of CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H, indicating adjacent network attack vector, high attack complexity, high privileges required, and user interaction required (ZDI Advisory).

Successful exploitation of this vulnerability can result in complete takeover of MySQL Cluster. The vulnerability affects all three major security aspects with high impact on Confidentiality, Integrity, and Availability (Oracle Advisory, ZDI Advisory).

Oracle has issued an update to correct this vulnerability through their January 2022 Critical Patch Update. Users should upgrade to the latest supported versions that include the security fix (Oracle Advisory, NetApp Advisory).