VYPR
Unrated severity · NVD Advisory · Published Jan 14, 2025 · Updated Jan 14, 2025

CVE-2024-57635

Description

An issue in the chash_array component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Crash in chash_array of Virtuoso Open-Source v7.2.11 via crafted SQL, causing denial of service.

Vulnerability

An issue in the chash_array component of OpenLink Virtuoso Open-Source v7.2.11 allows denial of service via crafted SQL statements. The crash occurs during execution of a complex SQL query involving GROUP BY, views, and subqueries. The Proof of Concept (PoC) uses a CREATE TABLE, CREATE VIEW, INSERT, and a SELECT with complex operations that triggers the crash at chash_array+0x834. The affected version is 7.2.11, and the issue is also reported as reproducible in the latest branch [1].

Exploitation

An attacker with SQL query execution privileges can send the crafted SQL statements to the database server. The provided PoC demonstrates the steps: create table v0, create view v3, insert a row, then execute a SELECT with GROUP BY, IN, NOT IN, subquery, ORDER BY, and arithmetic operations. The crash occurs without requiring authentication beyond the ability to execute SQL (e.g., as dba). No user interaction is required beyond submitting the query [1].

Impact

Successful exploitation leads to a denial of service (DoS) by crashing the Virtuoso database server. The crash is confirmed by the backtrace showing a segfault in chash_array. The server becomes unavailable until restarted, affecting availability [1].

Mitigation

As of the publication date, no fix has been released. The issue is reported on the project's GitHub issues page [1]. Users should monitor for updates or restrict access to the database to trusted users only. No workaround is provided [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.