Unrated severity · NVD Advisory · Published Jan 14, 2025 · Updated Jan 23, 2025

CVE-2024-57664

Description

An issue in the sqlg_group_node component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial-of-service vulnerability in OpenLink Virtuoso v7.2.11's sqlg_group_node component allows remote attackers to crash the server via crafted SQL statements.

Vulnerability

The vulnerability resides in the sqlg_group_node component of OpenLink Virtuoso Open Source v7.2.11. Executing a crafted SQL statement triggers a crash in this component. The official description [1] indicates that the issue allows attackers to cause a Denial of Service (DoS). The provided proof-of-concept uses a SELECT query with an ORDER BY count(*) clause on a table with character columns [1]. The crash is confirmed by a backtrace showing a segfault in sqlg_group_node [1]. Affected versions: Virtuoso 7.2.11 (likely earlier releases as well, but only this version is explicitly mentioned).

Exploitation

An attacker needs the ability to issue arbitrary SQL statements to the Virtuoso database server. No additional privileges beyond query execution are required, as the PoC uses a simple SELECT statement [1]. The attacker can deliver the crafted SQL via any client interface (e.g., isql). The sequence of steps is: create a table with suitable column types, then execute the malformed SELECT query that combines ORDER BY count(*) with a column alias in the SELECT list [1]. The server crashes immediately upon execution, causing a Denial of Service.

Impact

Successful exploitation results in a Denial of Service (DoS): the Virtuoso server process crashes, leading to a temporary loss of database availability. The crash is caused by a null-pointer dereference or similar fault in sqlg_group_node [1]. The attacker gains no data access or further control; the impact is limited to service disruption.

Mitigation

As of the publication date (2025-01-14), no official fix or patch has been released by OpenLink for this vulnerability [1]. The issue is tracked in the project's issue tracker [1]. Users are advised to monitor the repository for updates and apply any future patch. Until a fix is available, avoiding the execution of untrusted SQL statements that include ORDER BY count(*) with certain column aliases may reduce exposure, but this is not a comprehensive workaround.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
