CVE-2024-20985: 
MySQL vulnerability analysis and mitigation

CVE-2024-20985 is a vulnerability in the MySQL Server product of Oracle MySQL, specifically affecting the Server: UDF (User-Defined Function) component. The vulnerability affects MySQL Server versions 8.0.35 and prior, as well as 8.2.0 and prior. This security flaw was disclosed on January 16, 2024, as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is characterized as easily exploitable and allows low-privileged attackers with network access to compromise MySQL Server through multiple protocols. It has been assigned a CVSS 3.1 Base Score of 6.5 (Medium severity), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The scoring indicates that the vulnerability requires network access and low privileges to exploit, with no user interaction needed (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete Denial of Service (DoS) of MySQL Server. The vulnerability primarily affects the availability of the system, with no direct impact on confidentiality or integrity (Oracle CPU).

Oracle has released patches to address this vulnerability in MySQL version 8.0.36. Organizations using affected versions should upgrade to the patched version. Various vendors have also released fixes for their products incorporating MySQL, such as NetApp providing patches for affected products including OnCommand Insight, OnCommand Workflow Automation, and SnapCenter (NetApp Advisory).