CVE-2024-57662

Vulnerability

The vulnerability resides in the sqlg_hash_source component of OpenLink Virtuoso Open-Source version 7.2.11. A specially crafted SQL statement, as demonstrated by the provided PoC, triggers a crash due to an issue in how the query engine processes complex nested queries with recursive table references and arithmetic operations. The crash occurs during SQL compilation and optimization, specifically within the sqlg_hash_source function, as shown by the backtrace [1].

Exploitation

An attacker with the ability to execute arbitrary SQL statements against a Virtuoso 7.2.11 database can cause a denial of service. No special authentication or network position is required beyond standard SQL access. The attacker submits a crafted CREATE TABLE statement (or similar DDL/DML) that contains deeply nested subqueries and complex expressions, as reproduced by the PoC. The fuzzer-created statement triggers an infinite loop or crash in sqlg_hash_source, leading to a server crash or hang [1].

Impact

Successful exploitation results in a denial of service (DoS). The attacker can crash the Virtuoso server process, making the database unavailable to legitimate users. No data integrity or confidentiality is directly compromised, but the availability impact can be significant in production environments. The exact privilege level achieved is that of the database server process, without privilege escalation [1].

Mitigation

As of the publication date (2025-01-14), no fixed version has been released. The issue is tracked in the project's issue tracker [1]. Users are advised to monitor the project for updates and apply patches when available. A workaround may include restricting SQL execution for untrusted users, but no specific mitigation is provided in the available references. The beta Docker image is also affected [1].