CVE-2021-44493
Description
An issue was discovered in YottaDB through r1.32 and V7.0-000 and FIS GT.M through V7.0-000. Using crafted input, an attacker can cause a call to $Extract to force a signed integer holding the size of a buffer to take on a large negative number, which is then used as the length of a memcpy call that occurs on the stack, causing a buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
YottaDB and FIS GT.M up to r1.32 / V7.0-000 have a stack buffer overflow in $Extract via crafted input due to signed integer misinterpretation.
Vulnerability
In YottaDB through r1.32 and FIS GT.M through V7.0-000, the $Extract function mishandles crafted input that causes a signed integer holding a buffer size to take on a large negative value. This value is subsequently used as the length argument to a memcpy call on the stack, resulting in a buffer overflow. The affected versions are YottaDB up to r1.32 and FIS GT.M through V7.0-000 [1].
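The bug class described above (a negative signed length reaching memcpy) and the range check that prevents it, as an added C example that is not YottaDB or GT.M source code. The function names, the 16-byte buffer size and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 16   /* assumed size of the on-stack destination buffer */

/* What memcpy receives when a negative signed length is passed unchecked:
 * the int -> size_t conversion wraps it to a huge unsigned count. */
size_t length_as_memcpy_sees_it(int signed_len)
{
    return (size_t)signed_len;
}

/* Hypothetical bounded substring copy (1-based, inclusive positions).
 * Returns bytes copied, or -1 when the request is rejected. */
int extract_checked(const char *src, int src_len, int from, int to,
                    char *out, int out_cap)
{
    if (!src || !out || src_len < 0 || out_cap <= 0)
        return -1;
    if (from < 1) from = 1;
    if (to > src_len) to = src_len;
    /* Widen before subtracting so the arithmetic itself cannot overflow. */
    long long n = (long long)to - (long long)from + 1;
    if (n <= 0) { out[0] = '\0'; return 0; }   /* empty result, no copy */
    if (n >= out_cap) return -1;                /* would not fit with NUL */
    memcpy(out, src + (from - 1), (size_t)n);
    out[n] = '\0';
    return (int)n;
}

/* Runs one request against a stack buffer, mirroring the stack destination
 * named in the description. */
int demo_extract(const char *s, int from, int to)
{
    char out[OUT_CAP];
    return extract_checked(s, (int)strlen(s), from, to, out, (int)sizeof out);
}

int main(void)
{
    printf("len -7 as size_t: %zu\n", length_as_memcpy_sees_it(-7));
    printf("normal:   %d\n", demo_extract("hello world", 1, 5));
    printf("reversed: %d\n", demo_extract("hello world", 10, 2));
    printf("too long: %d\n", demo_extract("a string longer than the buffer", 1, 31));
    return 0;
}
```

The length is validated as a signed value against both zero and the destination capacity before it is ever converted to `size_t`; checking only the upper bound on a signed variable lets a negative value through.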
Exploitation
An attacker can trigger the vulnerability by providing specially crafted input to the $Extract function. No special network position or authentication is mentioned, implying the attack surface could be any context where user-supplied data is processed by the database engine's string function. The erroneous signed integer interpretation allows the attacker to control the length of the subsequent stack-based memcpy, leading to memory corruption beyond the intended buffer [2].
Impact
Successful exploitation results in a stack buffer overflow, which can lead to arbitrary code execution, denial of service, or information disclosure depending on the attacker's payload and the execution context. The attacker gains the ability to corrupt stack memory, potentially achieving code execution at the privilege level of the database process [2].
Mitigation
The vulnerability was fixed in the YottaDB r1.34 release, which addressed multiple bugs discovered through fuzz testing, including this issue. Users should upgrade to YottaDB r1.34 or later. For FIS GT.M, users are advised to apply any patches provided by the vendor; as of the publication date, a specific fixed version for GT.M was not disclosed in the references [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FIS/YottaDB
Patches
No patches discovered yet.
References
- tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
- gitlab.com/YottaDB/DB/YDB/-/issues/828
- sourceforge.net/projects/fis-gtm/files/