CVE-2022-31622
First published: Wed May 25 2022(Updated: )
MariaDB Server before 10.7 is vulnerable to Denial of Service. In extra/mariabackup/ds_compress.cc, when an error occurs (pthread_create returns a nonzero value) while executing the method create_worker_threads, the held lock is not released correctly, which allows local users to trigger a denial of service due to the deadlock.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mariadb Mariadb | <10.2.42 | |
| Mariadb Mariadb | >=10.3.0<10.3.33 | |
| Mariadb Mariadb | >=10.4.0<10.4.23 | |
| Mariadb Mariadb | >=10.5.0<10.5.14 | |
| Mariadb Mariadb | >=10.6.0<10.6.6 | |
| Mariadb Mariadb | >=10.7.0<10.7.2 | |
| redhat/mariadb | <10.7.2 | 10.7.2 |
| redhat/mariadb | <10.6.6 | 10.6.6 |
| redhat/mariadb | <10.5.14 | 10.5.14 |
| redhat/mariadb | <10.4.23 | 10.4.23 |
| redhat/mariadb | <10.3.33 | 10.3.33 |
| redhat/mariadb | <10.2.42 | 10.2.42 |
| <10.2.42 | ||
| >=10.3.0<10.3.33 | ||
| >=10.4.0<10.4.23 | ||
| >=10.5.0<10.5.14 | ||
| >=10.6.0<10.6.6 | ||
| >=10.7.0<10.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/MariaDB/server/commit/e1eb39a446c30b8459c39fd7f2ee1c55a36e97d2
- https://jira.mariadb.org/browse/MDEV-26561?filter=-2
- https://security.netapp.com/advisory/ntap-20220707-0006/
- https://jira.mariadb.org/browse/MDEV-26561
- https://access.redhat.com/errata/RHSA-2022:5759
- https://access.redhat.com/errata/RHSA-2022:5826
- https://access.redhat.com/errata/RHSA-2022:5948
- https://access.redhat.com/errata/RHSA-2022:6306
- https://access.redhat.com/errata/RHSA-2022:6443
- https://access.redhat.com/security/cve/cve-2022-31622
- https://bugzilla.redhat.com/show_bug.cgi?id=2092354
- https://jira.mariadb.org/browse/MDEV-26574
Frequently Asked Questions
What is the vulnerability ID for this Denial of Service vulnerability in MariaDB Server?
The vulnerability ID for this Denial of Service vulnerability in MariaDB Server is CVE-2022-31622.
How severe is the Denial of Service vulnerability in MariaDB Server (CVE-2022-31622)?
The severity of the Denial of Service vulnerability in MariaDB Server (CVE-2022-31622) is medium with a severity value of 5.5.
Which versions of MariaDB Server are affected by the Denial of Service vulnerability (CVE-2022-31622)?
The versions of MariaDB Server affected by the Denial of Service vulnerability (CVE-2022-31622) are 10.2.42, 10.3.0 to 10.3.33, 10.4.0 to 10.4.23, 10.5.0 to 10.5.14, 10.6.0 to 10.6.6, and 10.7.0 to 10.7.2.
How can local users exploit the Denial of Service vulnerability in MariaDB Server (CVE-2022-31622)?
Local users can exploit the Denial of Service vulnerability in MariaDB Server (CVE-2022-31622) by triggering an error in the create_worker_threads method in extra/mariabackup/ds_compress.cc, which causes the held lock to not be released correctly.
What is the fix for the Denial of Service vulnerability in MariaDB Server (CVE-2022-31622)?
To fix the Denial of Service vulnerability in MariaDB Server (CVE-2022-31622), upgrade to version 10.7.2 or apply the appropriate patch provided by the vendor.
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-31622
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- collector/nvd-api
- source/NVD
- vendor/mariadb
- canonical/mariadb mariadb
- version/mariadb mariadb/10.3.0
- version/mariadb mariadb/10.4.0
- version/mariadb mariadb/10.5.0
- version/mariadb mariadb/10.6.0
- version/mariadb mariadb/10.7.0
- package-manager/redhat