CVE-2024-57661
Description
An issue in the sqlo_df component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial-of-service vulnerability in the sqlo_df component of OpenLink Virtuoso Open-Source v7.2.11 can be triggered by crafted SQL statements, causing a crash.
Vulnerability
The issue resides in the sqlo_df component of OpenLink Virtuoso Open-Source version 7.2.11. A crafted SQL statement, such as the CREATE TABLE statement provided in the report, which carries specific CHECK constraints, causes a crash in sqlo_df. The crash occurs while the table's constraint definitions are being processed, as shown by the backtrace. [1]
Exploitation
An attacker able to execute SQL statements on the server can trigger the denial of service by running the provided CREATE TABLE statement (or a similar crafted statement). The PoC reproduces the crash with isql against a Docker container running Virtuoso 7.2.11. The vulnerability itself imposes no authentication requirement beyond the ability to submit SQL; in typical deployments, however, that means the attacker needs a valid database session or a user account permitted to run DDL. [1]
Impact
Successful exploitation causes a denial of service (DoS) by crashing the server inside the sqlo_df function, potentially taking down the entire server process and disrupting database availability. The backtrace in the report shows a segmentation fault or similar fatal error. [1]
Mitigation
As of the publication date (2025-01-14), no patch has been released. Users are advised to monitor the vendor's repository for updates. As a workaround, restrict SQL DDL execution privileges to trusted users only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)