MonetDB Server Denial-of-Service Vulnerability in exp_atom Component

Vulnerability

A denial-of-service vulnerability has been identified in the exp_atom component of MonetDB Server version 11.49.1. This issue allows attackers to cause the server to crash by sending specially crafted SQL statements. The vulnerability can be reproduced in a Docker environment using the official MonetDB Docker image for the December 2023 release.

Impact

Exploitation of this vulnerability leads to a crash of the MonetDB server process, causing a denial-of-service condition where the database server becomes unresponsive and unavailable for handling requests.

Reproduction

The vulnerability can be reproduced by creating a SQL file containing a specific crafted UPDATE statement that triggers the crash. This file is then executed with the MonetDB command-line client, mclient, inside a Docker container running the affected MonetDB version. The crash can be confirmed by checking that the MonetDB server process is no longer running after the crafted SQL has been executed.

Remediation

Users should update to the latest version of MonetDB, in which this issue has been fixed. Instructions for updating can be found in the MonetDB documentation.
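Two checks a defender would want for the Reproduction and Remediation sections above, written as an added example that is not part of this advisory and not MonetDB project code: a parser that reads the version triple out of a server banner and flags the affected 11.49.1 release, and a liveness check that looks for the server process in a process listing. The banner text and the process listing used here are constructed sample inputs; the banner format and the process name (mserver5, the MonetDB server binary) should be confirmed against your own installation. The advisory does not name the fixed version, so only an exact match with 11.49.1 is reported as affected; newer builds are reported as needing confirmation against the vendor's release notes.

```python
import re
from typing import Optional, Tuple

# Version named as affected by the advisory. The fixed version is not stated,
# so this check never claims a newer build is safe on its own.
AFFECTED_VERSION: Tuple[int, int, int] = (11, 49, 1)

# Name of the MonetDB server binary (assumption; verify on your host).
SERVER_PROCESS = "mserver5"

# Constructed sample inputs for this example (not real captured output).
SAMPLE_BANNER_AFFECTED = "MonetDB 5 server 11.49.1 (Dec2023)"
SAMPLE_BANNER_OTHER = "MonetDB 5 server 11.51.3 (Aug2024)"
SAMPLE_PS_UP = (
    "PID   USER   COMMAND\n"
    "    1 root   /usr/bin/monetdbd start /var/monetdb5/dbfarm\n"
    "   42 root   /usr/bin/mserver5 --dbpath=/var/monetdb5/dbfarm/demo\n"
)
SAMPLE_PS_DOWN = (
    "PID   USER   COMMAND\n"
    "    1 root   /usr/bin/monetdbd start /var/monetdb5/dbfarm\n"
)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return the first x.y.z triple found in a server banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess_version(banner: str) -> str:
    """Classify a banner as affected, newer (confirm fix), older (confirm), or unknown."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    if version == AFFECTED_VERSION:
        return "affected"
    if version > AFFECTED_VERSION:
        return "newer-than-affected: confirm fix in vendor release notes"
    return "older-than-affected: confirm status in vendor release notes"


def server_process_running(ps_output: str) -> bool:
    """Return True if the MonetDB server binary appears in a `ps` style listing.

    The advisory's own crash check is the absence of the server process after
    the crafted SQL runs; this is the same check as a reusable function, fed
    with the COMMAND column of each line rather than a live process table.
    """
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        command = parts[2]
        # Match on the executable name only, not on arguments.
        executable = command.split()[0].rsplit("/", 1)[-1]
        if executable == SERVER_PROCESS:
            return True
    return False


if __name__ == "__main__":
    print(assess_version(SAMPLE_BANNER_AFFECTED))
    print(assess_version(SAMPLE_BANNER_OTHER))
    print("server up:", server_process_running(SAMPLE_PS_UP))
    print("server up:", server_process_running(SAMPLE_PS_DOWN))
```

In practice the banner would come from running the server with its version flag inside the container and the process listing from `ps` in that same container; feeding both strings to these functions gives a before/after availability check that can run from a monitoring job without ever executing the crafted statement.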

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          2.6
impact          2.5
exploitability  9.1
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.