CVE-2024-57638

Vulnerability

An issue exists in the dfe_body_copy component of OpenLink Virtuoso Open-Source version 7.2.11. Processing specially crafted SQL statements, such as those shown in the proof of concept, triggers a crash in dfe_body_copy (backtrace at dfe_body_copy+0x2dd). The vulnerable code path is reachable when querying a view that involves arithmetic operations, subqueries, and comparisons against NULL values. The affected version is 7.2.11, and the issue is also reproducible in the beta Docker image [1].

Exploitation

An attacker with network access to the Virtuoso database server can send the crafted SQL statement to trigger the vulnerability. No authentication is required if the server allows anonymous queries. The provided proof of concept consists of creating a table with a FLOAT UNIQUE column, a view that performs an arithmetic expression involving a subquery, and then selecting from that view with a CASE expression and further conditions. The exact sequence of statements from the reference causes a crash in the dfe_body_copy function [1].

Impact

Successful exploitation causes a Denial of Service (DoS) by crashing the Virtuoso server process. The crash is confirmed via the backtrace showing a segmentation fault or similar fatal error in dfe_body_copy. No data confidentiality or integrity loss is reported; availability is the compromised aspect [1].

Mitigation

As of the publication date, no fix has been released for OpenLink Virtuoso Open-Source version 7.2.11. Administrators should monitor the vendor's issue tracker for updates. If possible, restrict network access to the database server to trusted clients only and consider using a Web Application Firewall (WAF) to filter malicious SQL patterns [1].