CVE-2022-21336: 
MySQL vulnerability analysis and mitigation

CVE-2022-21336 is a vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). The vulnerability affects versions 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, and 8.0.27 and prior. It is classified as a difficult-to-exploit vulnerability that allows high-privileged attackers with access to the physical communication segment attached to the hardware where MySQL Cluster executes to compromise the system. The vulnerability has a CVSS 3.1 Base Score of 6.3 (Medium) with vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H) (Oracle Advisory).

The specific flaw exists within the processing of Data Node jobs. The vulnerability stems from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. Successful exploitation requires human interaction from a person other than the attacker and access to the physical communication segment where MySQL Cluster executes (ZDI Advisory).

Successful exploitation of this vulnerability can result in complete takeover of MySQL Cluster, potentially leading to unauthorized access with high impacts on confidentiality, integrity, and availability. The vulnerability allows attackers to execute arbitrary code in the context of the service account (ZDI Advisory, NetApp Advisory).

Oracle has released security patches to address this vulnerability in their January 2022 Critical Patch Update. Users are strongly recommended to update to the latest version of MySQL Cluster. For systems that cannot be immediately updated, limiting physical access to the communication segment and restricting high-privilege account access can help reduce the risk (Oracle Advisory).