CVE-2024-21201: 
MySQL vulnerability analysis and mitigation

A vulnerability (CVE-2024-21201) was discovered in Oracle MySQL Server's Optimizer component. The affected versions include MySQL Server 8.0.39 and prior, 8.4.2 and prior, and 9.0.1 and prior. This vulnerability allows high-privileged attackers with network access to compromise MySQL Server through multiple protocols (Oracle CPU Oct 2024).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.9 (Medium severity). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, high privileges required, no user interaction needed, unchanged scope, and high impact on availability (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS) of MySQL Server (Oracle CPU Oct 2024).

Oracle has released patches to address this vulnerability in the October 2024 Critical Patch Update. Users are advised to update to MySQL version 8.0.40 or later. Ubuntu has also released fixed versions: 8.0.40-0ubuntu0.24.10.1, 8.0.40-0ubuntu0.24.04.1, 8.0.40-0ubuntu0.22.04.1, and 8.0.40-0ubuntu0.20.04.1 (Ubuntu Security).

The vulnerability was reported by multiple security researchers including HoraceYang of Tencent Security YUNDING LAB, Xiaodong Qi of Shui Mu Yu Lin, and Yuanyi Li of Shui Mu Yu Lin (Oracle CPU Oct 2024).