CVE-2024-57640

Vulnerability

The vulnerability resides in the dc_add_int component of OpenLink Virtuoso Open-Source version 7.2.11. A specially crafted SQL statement, such as an UPDATE with nested subqueries, causes a crash in dc_add_int as shown in the backtrace [1]. The issue is reproducible in the latest development branch as well.

Exploitation

An attacker with network access to the Virtuoso database server can send the malicious SQL statement via an authenticated session (e.g., using isql). The PoC provided in the reference uses a simple CREATE TABLE followed by an UPDATE with a subquery that triggers the crash [1]. No special privileges beyond the ability to execute SQL statements are required.

Impact

Successful exploitation results in a denial of service (DoS) by crashing the Virtuoso server process. The crash occurs in the dc_add_int function, leading to termination of the database service until manually restarted. No data corruption or unauthorized access is reported.

Mitigation

As of the publication date (2025-01-14), no official patch has been released. The issue is confirmed in version 7.2.11 and the latest branch [1]. Users should monitor the vendor's repository for updates. A workaround may involve restricting SQL execution privileges or using a firewall to limit network access to the database server.