CVE-2024-57637
Description
An issue in the dfe_unit_gb_dependant component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted SQL statement triggers a crash in OpenLink Virtuoso Open-Source v7.2.11 via the dfe_unit_gb_dependant component, causing denial of service.
Vulnerability
A denial-of-service vulnerability exists in OpenLink Virtuoso Open-Source v7.2.11 within the dfe_unit_gb_dependant function. The issue is triggered by a specially crafted SQL statement that includes a subquery with GROUP BY NULL * -128 and other constructs. The crash occurs during query compilation or execution, as evidenced by the backtrace showing repeated calls to dfe_unit_gb_dependant followed by sqlg_make_sort_nodes and other query processing functions. The vulnerability is reproducible in the official Docker image pkleef/virtuoso-opensource-7 [1].
Exploitation
An attacker with the ability to execute arbitrary SQL statements against a Virtuoso instance can trigger the crash. The PoC involves creating a table with a CHECK constraint and then executing a SELECT statement that uses NOT IN, IN, and a CASE WHEN with a subquery containing GROUP BY NULL * -128. The attacker does not require any special privileges beyond SQL execution rights. The exact steps are: create table v0 as defined, then run the provided SELECT query via isql or any SQL client [1].
Impact
Successful exploitation results in a denial of service (DoS). The Virtuoso server process crashes, as indicated by the backtrace showing a segmentation fault or similar fatal error in dfe_unit_gb_dependant. This disrupts database operations and may require manual restart of the service. No data corruption or unauthorized access is reported; the impact is limited to availability [1].
Mitigation
As of the publication date (2025-01-14), no official patch or fix has been released by OpenLink for this vulnerability. The issue remains open in the project's issue tracker [1]. Users are advised to monitor the repository for updates. In the absence of a patch, restricting SQL execution to trusted users and applying network-level access controls may reduce the risk of exploitation. No workaround is provided in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)