MonetDB Server Denial-of-Service Vulnerability in mat_join2 Component

Vulnerability

A denial-of-service vulnerability has been identified in MonetDB Server version 11.49.1. The issue arises in the mat_join2 component, where attackers can cause the server to crash by using specially crafted SQL statements. This vulnerability can be reproduced in a Docker environment using the official MonetDB image for December 2023.

Impact

Exploitation of this vulnerability leads to a crash of the MonetDB server process, causing a denial-of-service condition where the database server is no longer available to handle requests.

Reproduction

The vulnerability can be reproduced by creating a table and inserting data into it, then executing a SQL query that triggers the issue in the mat_join2 component. This can be done manually or by using a script that automates the process. The crash can be verified by checking for the absence of the MonetDB server process after the vulnerable SQL query is executed.

Remediation

Users can update to the latest version of MonetDB Server, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)

  spread          2.6
  impact          2.5
  exploitability  9.1
  remediation     7.7
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.