Today we’ll dive into a critical security vulnerability that every MySQL administrator needs to know about: CVE-2024-21087. This vulnerability was discovered in MySQL Server’s Group Replication Plugin and represents a significant security concern for organizations running high-availability MySQL clusters.

Many enterprises rely on MySQL’s Group Replication feature to build fault-tolerant database clusters, making this vulnerability particularly noteworthy since it affects a core high-availability component.

1. Understanding CVE-2024-21087: What Exactly Is It?

CVE-2024-21087 is an availability-related vulnerability found in MySQL Server’s Group Replication Plugin component.

Vulnerability Overview

  • CVSS 3.1 Score: 4.9 (Medium severity)
  • Affected Versions: MySQL 8.0.36 and earlier, MySQL 8.3.0 and earlier
  • Vulnerability Type: Denial of Service (DoS) attack
  • Discovery Date: April 2024 Oracle Critical Patch Update

The most concerning aspect of this vulnerability is that it is described as “easily exploitable”: a high-privileged attacker with network access via multiple protocols can cause the MySQL server to hang or crash repeatedly.

2. Why Group Replication Plugin Matters

MySQL’s Group Replication Plugin is a high-availability solution introduced as a core feature in MySQL 8.0.

Core Group Replication Features

  • Automatic Failover: Automatic primary election when the primary server fails
  • Synchronous Replication: Simultaneous data replication across all nodes
  • Read/Write Distribution: Load balancing in multi-primary mode
  • Automatic Membership Management: Automatic detection of node additions/removals

Many organizations use this feature to build 24/7 uninterrupted services, making this vulnerability particularly significant since it targets this critical functionality.

3. Attack Scenarios and Risk Assessment

Attack Prerequisites

To exploit CVE-2024-21087, the following conditions must be met:

  1. High Privileges: Attacker must have elevated privileges on the MySQL server
  2. Network Access: Network connectivity to the MySQL server
  3. Group Replication Enabled: Target server must have Group Replication Plugin active

Impact Assessment

Successful exploitation can result in:

  • Service Disruption: MySQL server shutdown causing complete application service failure
  • Repeated Crashes: Server entering an unstable state with continuous restarts
  • Cluster Incapacitation: Entire Group Replication cluster becoming non-functional

Fortunately, this vulnerability does not cause data breaches or unauthorized modifications. It only affects availability through DoS-style attacks.

4. Checking for Vulnerable Versions

Let’s verify if your current MySQL installation is vulnerable.

MySQL Version Check

SELECT VERSION();
-- or
SHOW VARIABLES LIKE 'version';

Group Replication Plugin Status Check

-- Check plugin installation
SELECT PLUGIN_NAME, PLUGIN_STATUS 
FROM INFORMATION_SCHEMA.PLUGINS 
WHERE PLUGIN_NAME = 'group_replication';

-- Check Group Replication activation status
SHOW VARIABLES LIKE 'group_replication%';

Vulnerable Version List

  • All MySQL 8.0.36 and earlier versions
  • All MySQL 8.3.0 and earlier versions

If you’re running any of these versions with Group Replication Plugin enabled, immediate patching is required.
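The checks above can be combined into a single decision. The following is an added example, not code from the original post: it takes the output of SELECT VERSION() and the (PLUGIN_NAME, PLUGIN_STATUS) rows from INFORMATION_SCHEMA.PLUGINS and reports whether the server is in the affected range and, per the attack prerequisites, whether Group Replication is actually active. It reads the version ranges exactly as listed above, so the 8.1 and 8.2 innovation releases (which sit below 8.3.0) are treated as affected, while 8.0.37 and 8.4.0 are treated as fixed; sample rows are constructed for illustration.

```python
import re
from typing import Iterable, Tuple

# Affected ranges as listed above: 8.0.36 and earlier, 8.3.0 and earlier.
# 8.0.37 and 8.4.0 (both released April 30, 2024) carry the fix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Take the leading x.y.z from SELECT VERSION() output such as
    '8.0.36-0ubuntu0.22.04.1' or '8.4.0-commercial'; distro suffixes are ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def version_is_affected(version: str) -> bool:
    """True when the version falls inside the affected ranges stated above."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (8, 0):
        return patch <= 36          # 8.0.37 is the first fixed 8.0 release
    # 8.1.x and 8.2.x innovation releases sit below 8.3.0 and are affected too;
    # 8.4.0 LTS is above the range and fixed.
    return (major, minor, patch) <= (8, 3, 0)


def group_replication_active(plugins: Iterable[Tuple[str, str]]) -> bool:
    """plugins: (PLUGIN_NAME, PLUGIN_STATUS) rows from INFORMATION_SCHEMA.PLUGINS."""
    return any(name == "group_replication" and status == "ACTIVE"
               for name, status in plugins)


def assess(version: str, plugins: Iterable[Tuple[str, str]]) -> str:
    """Combine the version check with the Group Replication prerequisite."""
    if not version_is_affected(version):
        return "PATCHED"        # outside the affected range, nothing to do for this CVE
    if group_replication_active(plugins):
        return "VULNERABLE"     # exploitable configuration: patch to 8.0.37 / 8.4.0 now
    return "AT_RISK"            # affected binary, plugin inactive: patch before enabling GR


if __name__ == "__main__":
    # Constructed sample rows standing in for the two queries above.
    sample_version = "8.0.36-0ubuntu0.22.04.1"
    sample_plugins = [("InnoDB", "ACTIVE"), ("group_replication", "ACTIVE")]
    print(sample_version, "->", assess(sample_version, sample_plugins))  # VULNERABLE
```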

5. Oracle’s Official Patch Status

Oracle addressed this vulnerability through the April 2024 Critical Patch Update.

Patched Versions

  • MySQL 8.0.37 (Released April 30, 2024)
  • MySQL 8.4.0 LTS (Released April 30, 2024)

Key Patch Improvements

According to the MySQL 8.0.37 Release Notes, several Group Replication security enhancements were included:

  • Group Replication Plugin stability improvements
  • Enhanced membership management logic
  • Strengthened network communication security

6. Step-by-Step Patch Application Guide

6-1. Pre-Upgrade Preparation

Database Backup

# Full database backup
mysqldump -u root -p --all-databases > mysql_backup_$(date +%Y%m%d).sql

# Configuration file backup
cp /etc/mysql/my.cnf /etc/mysql/my.cnf.backup.$(date +%Y%m%d)

Current Group Replication Status Check

-- Check cluster members
SELECT * FROM performance_schema.replication_group_members;

-- Check replication status
SHOW REPLICA STATUS\G

6-2. MySQL 8.0.37 Upgrade Methods

Ubuntu/Debian Environment

# Update MySQL APT Repository
sudo apt update

# Upgrade MySQL server
sudo apt upgrade mysql-server

# Verify version
mysql --version

CentOS/RHEL Environment

# Upgrade the server package from the MySQL Yum Repository
sudo yum update mysql-community-server

# Or using DNF (RHEL 8+)
sudo dnf update mysql-community-server

Manual Installation

# Download MySQL 8.0.37
wget https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-8.0.37-linux-glibc2.28-x86_64.tar.xz

# Extract and install
tar -xvf mysql-8.0.37-linux-glibc2.28-x86_64.tar.xz
sudo cp -r mysql-8.0.37-linux-glibc2.28-x86_64/* /usr/local/mysql/

6-3. Group Replication Cluster Upgrade Sequence

In Group Replication environments, sequential upgrades are crucial:

  1. Upgrade Secondary nodes first
  2. Upgrade Primary node last
  3. Maintain sufficient time intervals between each node

-- Identify Primary node
SELECT MEMBER_HOST, MEMBER_PORT, MEMBER_ROLE 
FROM performance_schema.replication_group_members 
WHERE MEMBER_ROLE = 'PRIMARY';

-- Stop Group Replication on Secondary node
STOP GROUP_REPLICATION;

-- Restart Group Replication after upgrade
START GROUP_REPLICATION;

7. Post-Patch Verification Methods

7-1. Version Verification

-- Confirm MySQL version is 8.0.37 or higher
SELECT VERSION();

-- Check Group Replication Plugin version
SELECT PLUGIN_NAME, PLUGIN_VERSION, PLUGIN_STATUS 
FROM INFORMATION_SCHEMA.PLUGINS 
WHERE PLUGIN_NAME = 'group_replication';

7-2. Cluster Status Validation

-- Verify all members are ONLINE
SELECT MEMBER_HOST, MEMBER_PORT, MEMBER_STATE, MEMBER_ROLE 
FROM performance_schema.replication_group_members;

-- Check replication lag
SELECT * FROM performance_schema.replication_group_member_stats;

7-3. Security Testing

Use Oracle’s MySQL Enterprise Security tools or security scanning tools to verify vulnerability resolution.

8. Temporary Mitigation (Pre-Patch)

For environments where immediate patching isn’t possible, consider these temporary mitigation measures:

8-1. Network Access Restrictions

# Restrict MySQL port access via firewall
sudo ufw allow from 192.168.1.0/24 to any port 3306
sudo ufw deny 3306

# Also restrict Group Replication port (default 33061)
sudo ufw allow from 192.168.1.0/24 to any port 33061
sudo ufw deny 33061

8-2. Enhanced Privilege Management

-- List users holding the SUPER privilege, then remove those that do not need it
SELECT User, Host FROM mysql.user WHERE Super_priv = 'Y';

-- Minimize Group Replication related privileges
REVOKE ALL PRIVILEGES ON *.* FROM 'unnecessary_user'@'%';

8-3. Enhanced Monitoring

-- Monitor suspicious connections
SELECT * FROM performance_schema.events_statements_history 
WHERE SQL_TEXT LIKE '%GROUP_REPLICATION%';

9. Cloud Environment Response Strategies

9-1. Amazon RDS for MySQL

AWS has fixed this CVE in Aurora MySQL versions 3.07.0, 3.06.0, 3.05.2, and others.

9-2. Google Cloud SQL

Google Cloud SQL for MySQL automatically applies security patches, but manual major version upgrades may be required.

9-3. Azure Database for MySQL

Microsoft Azure supports MySQL 8.0.37 in Flexible Server and provides automatic patch updates.
