OpenLink Virtuoso-OpenSource Denial-of-Service Vulnerability in SQL Vector Update Component

A denial-of-service vulnerability has been identified in OpenLink Virtuoso-OpenSource version 7.2.11. The issue arises in the 'sqlg_vec_upd' component, where attackers can cause a crash by sending specially crafted SQL statements. This vulnerability can be reproduced using the Virtuoso Docker image by executing the proof-of-concept SQL payload through the isql command-line interface.

Impact

Exploitation of this vulnerability leads to a crash of the Virtuoso database server, causing a denial-of-service condition where the server becomes unresponsive or unavailable.

Reproduction

The vulnerability can be reproduced by removing any existing Docker container named 'virtdb_test', then starting a new Virtuoso container with the DBA password set to 'dba'. After waiting for the server to start, verify that the database is responsive by executing a simple SQL query. Once confirmed, the crafted SQL payload that triggers the denial-of-service can be executed, causing the server to crash.

Remediation

Users can upgrade to the latest version of OpenLink Virtuoso-OpenSource, where this vulnerability has been addressed.