CVE-2023-48945
Description
A stack overflow in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted SQL statement triggers a stack buffer overflow in OpenLink Virtuoso Open-Source Edition 7.2.11, causing a denial of service via stack smashing.
Vulnerability
A stack buffer overflow exists in virtuoso-opensource version 7.2.11 when it processes specially crafted INSERT and SELECT SQL statements that involve correlated subqueries and aggregates. The vulnerable code path is reachable via the ODBC/JDBC or isql interface without authentication; any user with the ability to execute arbitrary SQL statements can trigger the overflow. The exact internal function is not disclosed in the available references, but the crash manifests as stack smashing detected by the runtime [1].
Exploitation
An attacker needs network access to a running Virtuoso instance (default port 1111 for SQL, 8890 for HTTP/WebDAV) and valid credentials that allow executing SQL statements. The proof of concept from [1] uses the isql command-line tool with the DBA user. The sequence is: create a table with a DECIMAL column, insert a row, and then execute a crafted INSERT statement containing a CASE expression inside a correlated subquery with a GROUP BY clause, followed by a recursive UPDATE. The stack smashing occurs during the execution of these statements.
Impact
Successful exploitation causes a denial of service (DoS) by corrupting the call stack and terminating the server process. The crash prevents legitimate database access until the service is manually restarted. No evidence of code execution or data corruption beyond the crash has been reported in the available references.
Mitigation
As of the publication date (29 November 2023), no fixed version or official patch had been released by OpenLink Software. Users are advised to restrict SQL execution privileges to trusted users and monitor for unusual SQL statements. If the issue is a priority, consider applying network-level filtering or running Virtuoso in a container that automatically restarts on failure. The product version 7.2.11 is affected; newer versions may address the issue [1].
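Restart-on-failure alone can hide a crash loop if the same statement keeps arriving. The supervisor below is an added example, not OpenLink's or this page's code: it restarts a child on failure but stops and reports once it sees repeated SIGABRT exits, the signal a glibc stack-protector abort raises. The stand-in child commands and the thresholds are constructed assumptions.

```python
import signal
import subprocess
import sys
import time
from collections import deque

# Constructed stand-ins for the server command, so the example runs offline.
ABORTING = [sys.executable, "-c", "import os; os.abort()"]   # dies with SIGABRT
FAILING = [sys.executable, "-c", "raise SystemExit(2)"]      # ordinary failure
CLEAN = [sys.executable, "-c", "pass"]                       # normal shutdown


def supervise(cmd, max_aborts=3, window_s=60.0, backoff_s=0.0, max_restarts=10):
    """Run cmd, restarting on failure; return (reason, runs).

    Stops early with "abort-loop" when max_aborts SIGABRT exits fall inside
    window_s seconds, so an operator is alerted instead of the crash being
    hidden by endless restarts.
    """
    aborts = deque()  # monotonic timestamps of recent SIGABRT exits
    runs = 0
    for runs in range(1, max_restarts + 2):  # first start plus max_restarts
        rc = subprocess.run(cmd, stderr=subprocess.DEVNULL).returncode
        if rc == 0:
            return ("clean-exit", runs)
        if rc == -signal.SIGABRT:  # POSIX: negative return code = killing signal
            now = time.monotonic()
            aborts.append(now)
            while now - aborts[0] > window_s:  # drop aborts outside the window
                aborts.popleft()
            if len(aborts) >= max_aborts:
                return ("abort-loop", runs)
        time.sleep(backoff_s)
    return ("restart-limit", runs)


if __name__ == "__main__":
    for name, cmd in (("aborting", ABORTING), ("failing", FAILING), ("clean", CLEAN)):
        print(name, supervise(cmd, max_restarts=3))
```

In a deployment, `cmd` would be the Virtuoso server's foreground launch command, and an "abort-loop" result is the cue to review which accounts can run SQL before restarting again.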
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- openlink/virtuoso-opensource
- Range: =7.2.11
Patches
No patches discovered yet.