CVE-2024-57639

Vulnerability

A denial of service vulnerability exists in OpenLink Virtuoso Open-Source v7.2.11, triggered by a crafted SQL statement. The issue is in the dc_elt_size function, as shown by the crash backtrace. The attacker can use a SQL query involving a LEFT JOIN, GROUP BY, and the COALESCE function on a table with a CHECK constraint using COALESCE. The specific proof-of-concept (PoC) provided in the advisory [1] demonstrates the crash, and it is reproducible on the latest branch.

Exploitation

To exploit, an attacker must have the ability to execute SQL queries against the Virtuoso database. The attacker crafts a specific sequence of SQL statements: first create a table with a CHECK constraint using COALESCE and a UNIQUE column, then insert a row, and finally run a SELECT with a LEFT JOIN and GROUP BY using COALESCE. This sequence causes the server to crash during query execution, as shown by the backtrace in the advisory [1]. The attacker does not need authentication if the server exposes an unauthenticated SQL interface; in many deployments, administrative access (dba) may be required as shown in the PoC's isql invocation.

Impact

Successful exploitation of this vulnerability leads to a denial of service (DoS). The Virtuoso server process crashes, making the database unavailable until restarted. There is no indication of data corruption or unauthorized access, but repeated crashes can disrupt service availability. The crash is confirmed in the official Docker image openlink/virtuoso-opensource-7:7.2.11.

Mitigation

As of the available references, no official patch has been released. The issue was reported and the advisory [1] notes it can be reproduced in the latest branch, meaning no fix is currently available. Users should monitor the project for updates or consider restricting SQL execution privileges to trusted users only. The vulnerable version is v7.2.11; upgrading to a future patched version is the recommended remediation once available.