CVE-2022-21490: 
MySQL Cluster vulnerability analysis and mitigation

CVE-2022-21490 is a vulnerability affecting Oracle MySQL Cluster Data Node that was disclosed in April 2022. The vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle MySQL Cluster. Authentication is not required to exploit this vulnerability. The issue exists within the processing of Data Node jobs and results from improper validation of user-supplied data, which can lead to a write past the end of an array (ZDI Advisory).

The vulnerability has a CVSS v3.1 base score of 6.3 (Medium) with the following vector: AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H. The specific flaw exists within the processing of Data Node jobs and stems from lack of proper validation of user-supplied data. This can result in a write past the end of an array, potentially allowing attackers to execute code in the context of the service account (ZDI Advisory, NetApp Advisory).

Successful exploitation of this vulnerability could allow attackers to execute arbitrary code in the context of the service account. The vulnerability affects the confidentiality, integrity, and availability of the system with high severity ratings for each aspect (ZDI Advisory).

Oracle has released security patches to address this vulnerability as part of the April 2022 Critical Patch Update. Users are strongly recommended to apply these security patches as soon as possible (Oracle CPU).