CVE-2021-44499
Description
An issue was discovered in FIS GT.M through V7.0-000 (related to the YottaDB code base). Using crafted input, an attacker can cause a call to $Extract to force a signed integer holding the size of a buffer to take on a large negative number, which is then used as the length of a memcpy call that occurs on the stack, causing a buffer overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crafted input to GT.M/YottaDB's $Extract causes signed integer overflow, leading to a stack buffer overflow via memcpy.
Vulnerability
An issue in FIS GT.M through version V7.0-000 (and the related YottaDB code base) allows a signed integer holding the size of a buffer to become a large negative number when processing crafted input to the $Extract function. This negative value is subsequently used as the length argument in a memcpy call occurring on the stack, resulting in a buffer overflow. The vulnerability is present in the code handling $Extract in the affected versions.
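The bug class described above, as an added C illustration (not GT.M or YottaDB source, and not taken from the cited references): a negative signed length becomes a huge `size_t` when it reaches memcpy, and a bounds-checked substring copy rejects the request before the copy. The function names, the 1-based inclusive indexing and the clamping rule are assumptions of this sketch.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative helpers only; names and semantics are assumptions of this
 * sketch, not GT.M/YottaDB source. */

/* The count memcpy receives when a negative int is passed as its length:
 * the conversion to size_t turns it into a huge unsigned value. */
size_t length_as_memcpy_sees_it(int len)
{
    return (size_t)len;
}

/* Copy characters first..last (1-based, inclusive) of src into dst.
 * Returns the number of bytes copied, or -1 if the request is rejected. */
int extract_checked(char *dst, size_t dst_cap,
                    const char *src, int src_len, int first, int last)
{
    if (dst == NULL || src == NULL || src_len < 0 || dst_cap == 0)
        return -1;
    if (first < 1)                /* clamp to the string (assumed rule) */
        first = 1;
    if (last > src_len)
        last = src_len;
    if (last < first) {           /* empty range: nothing to copy */
        dst[0] = '\0';
        return 0;
    }
    /* Wider type: the subtraction cannot wrap whatever the inputs were. */
    long long len = (long long)last - (long long)first + 1;
    if (len < 0 || (unsigned long long)len >= dst_cap)
        return -1;                /* would not fit with the terminator */
    memcpy(dst, src + (first - 1), (size_t)len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[8];                  /* constructed sample input below */
    printf("%d\n", extract_checked(buf, sizeof buf, "hello world", 11, 1, 5));
    printf("%d\n", extract_checked(buf, sizeof buf, "hello world", 11, INT_MIN, INT_MAX));
    printf("%zu\n", length_as_memcpy_sees_it(-1));
    return 0;
}
```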
Exploitation
An attacker can exploit this vulnerability by providing specially crafted input that triggers the signed integer wrap in the size calculation. No authentication is required if the attacker can supply input to the database engine (e.g., through a query or command). The attack does not require any special privileges beyond the ability to invoke the $Extract function with malicious arguments.
Impact
Successful exploitation leads to a stack-based buffer overflow, which can corrupt adjacent memory. This can result in a denial of service (crash) or potentially allow arbitrary code execution under the privileges of the database process. The exact impact depends on the memory layout and exploitation technique, but the overflow occurs on the stack, making control-flow hijacking possible.
Mitigation
The vulnerability is fixed in the YottaDB r1.34 release, which addresses 40 bugs exposed by fuzz testing [2]. For GT.M, users should upgrade to a version beyond V7.0-000, or apply the equivalent patches from the YottaDB repository. No workaround has been publicly documented for unpatched versions. If upgrading is not possible, restricting input sources to trusted users only can reduce the attack surface.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- FIS/GT.M
Patches
No patches discovered yet.
References
- tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html
- gitlab.com/YottaDB/DB/YDB/-/issues/828
- sourceforge.net/projects/fis-gtm/files/