CVE-2022-21489: 
MySQL vulnerability analysis and mitigation

CVE-2022-21489 is a vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). The vulnerability was disclosed in April 2022 and affects MySQL Cluster versions 7.4.35 and prior, 7.5.25 and prior, 7.6.21 and prior, and 8.0.28 and prior. This is a difficult to exploit vulnerability that allows high privileged attackers with access to the physical communication segment attached to the hardware where MySQL Cluster executes to compromise MySQL Cluster (Oracle CPU).

The specific flaw exists within the processing of Data Node jobs and results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.3 (MEDIUM) with the vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. Successful exploitation requires human interaction from a person other than the attacker (ZDI Advisory).

Successful exploitation of this vulnerability can result in takeover of MySQL Cluster. An attacker can leverage this vulnerability to execute code in the context of the service account, potentially gaining unauthorized access to critical data or complete access to all MySQL Cluster accessible data (ZDI Advisory).

Oracle has released security patches to address this vulnerability in their April 2022 Critical Patch Update. Users are strongly recommended to update to the latest version of MySQL Cluster. The vulnerability has been fixed in versions after 7.4.35, 7.5.25, 7.6.21, and 8.0.28 (Oracle CPU, NetApp Advisory).