VYPR
Unrated severity · NVD Advisory · Published May 15, 2023 · Updated Jan 23, 2025

CVE-2023-31612

Description

An issue in the dfe_qexp_list component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted SQL statement causes a crash in openlink virtuoso-opensource v7.2.9 via the dfe_qexp_list component, leading to denial of service.

Vulnerability

An issue in the dfe_qexp_list component of OpenLink Virtuoso Open Source v7.2.9 allows a denial of service (DoS) via a specially crafted SQL statement. The crash occurs during query compilation when processing a UNION ALL query with nested IFNULL, MIN, and MAX functions. The affected version is specifically 7.2.9 [1].

Exploitation

An attacker with the ability to execute SQL queries on a vulnerable Virtuoso server (e.g., via isql with DBA credentials) can trigger the crash by executing the following PoC [1]:

-- Table used only to give the derived table a real source column
CREATE TABLE t1 (x VARCHAR, y VARCHAR);
-- The crash occurs while this statement is compiled, before any rows are read
SELECT IFNULL(MIN(x), -1), IFNULL(MAX(x), -1)
FROM (
  SELECT x FROM t1 UNION ALL
  SELECT NULL
) AS temp;

The query causes a segmentation fault in dfe_qexp_list, leading to server termination. No user interaction beyond SQL execution is required.

Impact

Successful exploitation results in a denial of service by crashing the Virtuoso server process. The crash occurs during query compilation, making the service unavailable until restarted. No data is compromised, but availability is severely affected.

Mitigation

As of the latest available reference, no official patch has been released for this vulnerability. Users should restrict network access to the Virtuoso server and monitor the vendor's issue tracker [1] for updates. Upgrade to a newer version once a fix becomes available. Until then, avoid executing untrusted SQL statements.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)