OpenLink Virtuoso-OpenSource Denial-of-Service Vulnerability in Version 7.2.11

A denial-of-service vulnerability has been identified in OpenLink Virtuoso-OpenSource version 7.2.11. The issue arises in the 'box_deserialize_string' component, where attackers can cause a crash by sending crafted SQL statements. This vulnerability can be reproduced using the Virtuoso Docker image for version 7.2.11.

Impact

Exploitation of this vulnerability leads to a crash of the Virtuoso database server, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by creating a SQL file with a proof-of-concept payload that exploits the 'box_deserialize_string' component. After removing any existing Docker container named 'virtdb_test', a new container can be started with the OpenLink Virtuoso-OpenSource 7.2.11 image. Once the server is running, the SQL file can be executed using the 'isql' command-line tool, which interfaces with the Virtuoso database.