CVE-2021-44501

Vulnerability

A NULL pointer dereference vulnerability exists in FIS GT.M through V7.0-000, which is related to the YottaDB code base. An attacker can cause calls to ZRead to crash by supplying crafted input, as reported in [1][2]. The issue was discovered during fuzz testing of YottaDB. The vulnerable code path is triggered specifically via the ZRead command with maliciously crafted input [2].

Exploitation

An attacker needs the ability to provide crafted input to a GT.M or YottaDB process that invokes ZRead. No special authentication or network position is discussed in the references; local access to submit crafted input suffices. The exact steps involve sending specially crafted data that, when processed by ZRead, leads to a NULL pointer dereference [2].

Impact

Successful exploitation causes a crash (denial of service) of the database process due to the NULL pointer dereference. No remote code execution or data corruption is indicated in the available sources [1][2].

Mitigation

The issue is fixed in the YottaDB r1.34 release (see GitLab issue #828) [2]. For GT.M, users should update to a version after V7.0-000 that includes the fix, or apply the patch from the YottaDB project if applicable. No other workarounds are documented in the provided references [1][2].