OpenLink Virtuoso SQL Expression Component Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the SQL expression component of OpenLink Virtuoso Open Source version 7.2.11. This issue allows attackers to cause a crash by sending specially crafted SQL statements. The vulnerability can be reproduced using a proof-of-concept that exploits the SQL parser, leading to a stack smashing condition.

Impact

Exploitation of this vulnerability causes the Virtuoso server to crash, disrupting any active database operations or services dependent on the Virtuoso instance.

Reproduction

The vulnerability can be reproduced by first creating a Docker container running OpenLink Virtuoso version 7.2.11. After the server is started, a simple SQL query can be executed to verify that the database is responsive. Once confirmed, the crafted SQL payload that triggers the denial-of-service condition can be executed, causing the server to crash.