OpenLink Virtuoso-OpenSource Denial-of-Service Vulnerability in SQL Statement Processing

Vulnerability

A denial-of-service vulnerability has been identified in OpenLink Virtuoso-OpenSource version 7.2.11. The issue arises in the 'qi_inst_state_free' component, where attackers can cause a crash by executing crafted SQL statements. This vulnerability can be reproduced using the database management system's fuzzer, and it is also present in the beta Docker image of Virtuoso.

Impact

Exploitation of this vulnerability leads to a crash of the Virtuoso database server, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by first creating a SQL file with the crafted SQL statement that triggers the issue. After removing any existing Docker container named 'virtdb_test', a new container can be started with the Virtuoso image, using 'dba' as the password. Once the server is running, the SQL file can be executed using the 'isql' command-line interface, which will cause the server to crash.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.