CVE-2024-57663

Vulnerability

An issue exists in the sqlg_place_dpipes component of OpenLink Virtuoso Open-Source v7.2.11. A crafted SQL statement, specifically a malformed UPDATE query with deeply nested subqueries and complex expressions, triggers a null-pointer dereference during query compilation, causing a crash. The vulnerable code path is reachable when an authenticated user executes a specially constructed SQL statement against the database. The provided proof-of-concept demonstrates the crash via a CREATE TABLE followed by a single UPDATE statement. [1]

Exploitation

An attacker needs only database-level authentication (e.g., the default dba user) and the ability to execute arbitrary SQL statements. The attack vector is local or remote (over the network). The attacker sends the crafted SQL statement via isql or any SQL client, leading to an immediate crash of the database server process. No user interaction beyond executing the malicious query is required. [1]

Impact

Successful exploitation causes a denial of service (DoS). The database server crashes, terminating all active connections and requiring a restart to restore service. The crash results from a null-pointer dereference in the query compiler. No evidence of code execution, privilege escalation, or data corruption is provided in the available references. [1]

Mitigation

As of the publication date (2025-01-14), no official patch has been released for CVE-2024-57663. The vendor (OpenLink) has been notified via the GitHub issue tracker but has not yet addressed the vulnerability. The affected version is Virtuoso Open-Source 7.2.11. Users should monitor the vendor for a fix. As a mitigation, restrict database access to trusted users only and avoid exposing the database to untrusted networks. If possible, apply input validation or a Web Application Firewall (WAF) to detect and block malformed queries. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]