OpenLink Virtuoso-OpenSource Denial-of-Service Vulnerability in SQL Distinct Node Component

A denial-of-service vulnerability has been identified in OpenLink Virtuoso-OpenSource version 7.2.11. The issue arises in the 'sqlc_add_distinct_node' component, where attackers can cause a crash by sending specially crafted SQL statements. This vulnerability can be reproduced using the beta Docker image of Virtuoso.

Impact

Exploitation of this vulnerability leads to a crash of the Virtuoso database server, causing a denial-of-service condition where the server becomes unresponsive or unavailable.

Reproduction

The vulnerability can be reproduced by running the OpenLink Virtuoso-OpenSource 7.2.11 Docker image. After starting the container and verifying that the database is running, the crafted SQL payload that triggers the denial-of-service condition can be executed via the 'isql' command-line interface. The SQL payload should be saved to a file and then piped into the 'isql' command, which connects to the running Virtuoso instance.

Remediation

Users can update to the latest version of OpenLink Virtuoso-OpenSource, where this issue has been fixed.