OpenLink Virtuoso-Opensource Denial-of-Service Vulnerability in SQLG Hash Source Component

Vulnerability

A denial-of-service vulnerability has been identified in OpenLink Virtuoso-Opensource version 7.2.11. The issue arises in the SQLG hash source component, where attackers can cause a crash by sending crafted SQL statements. This vulnerability can be reproduced using the database management system's fuzzer, and it is also present in the beta Docker image of Virtuoso.

Impact

Exploitation of this vulnerability leads to a crash of the Virtuoso database server, causing a denial-of-service condition where the server becomes unresponsive or unavailable.

Reproduction

The vulnerability can be reproduced by first removing any existing Docker container named 'virtdb_test' and then starting a new Virtuoso container with the DBA password set to 'dba'. After waiting for the server to start, a simple query can be executed to verify that the database is responsive. Once confirmed, the crafted SQL payload that exploits the vulnerability can be executed, causing the server to crash.
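The advisory's procedure turns on one observable: a server that answered a simple query before the crafted statement stops answering after it. The probe below is an added example for monitoring that availability; it is not part of the advisory and not OpenLink code. It assumes the stock Virtuoso listener ports (1111 for SQL/ISQL, 8890 for the HTTP endpoint) and uses a plain TCP connect with a timeout in place of the advisory's test query, so it runs without a Virtuoso client installed; a production check would follow the connect with the same simple query the advisory uses. It separates the two failure shapes the Impact section names: a refused connection (process gone) versus a silent port (process hung).

```python
"""Availability probe for a Virtuoso instance.

Added example for this advisory (not the advisory's own reproduction
script). Distinguishes a crashed server (connection refused) from a
hung one (connect timeout), which is the difference between the
"unavailable" and "unresponsive" outcomes described in the Impact section.
"""
import socket
import time
from dataclasses import dataclass

# Assumed stock Virtuoso listener ports: 1111 = SQL/ISQL, 8890 = HTTP/SPARQL.
DEFAULT_PORTS = {"sql": 1111, "http": 8890}


@dataclass
class ProbeResult:
    name: str
    host: str
    port: int
    state: str          # "up", "refused", "timeout" or "error"
    latency_ms: float


def probe_port(host, port, timeout=2.0, name=""):
    """Attempt one TCP connect and classify the outcome."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            state = "up"
    except ConnectionRefusedError:
        state = "refused"   # nothing listening: the server process is gone
    except socket.timeout:
        state = "timeout"   # port silent: process alive but not accepting
    except OSError:
        state = "error"     # DNS failure, unreachable host, etc.
    latency_ms = (time.monotonic() - start) * 1000.0
    return ProbeResult(name, host, port, state, latency_ms)


def probe_all(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe every configured listener on one host."""
    return [probe_port(host, port, timeout, name=name) for name, port in ports.items()]


def classify(results):
    """Collapse per-port results into one verdict for alerting."""
    states = {r.state for r in results}
    if states == {"up"}:
        return "healthy"
    if "up" not in states and states <= {"refused", "error"}:
        return "down"       # every listener refused: consistent with a crash
    return "degraded"       # hung, or only some listeners answering


def wait_until_up(host, port, deadline_s=60.0, interval_s=1.0):
    """Block until the port accepts connections or the deadline passes.

    Mirrors the advisory's "wait for the server to start" step before the
    verification query is issued.
    """
    end = time.monotonic() + deadline_s
    while time.monotonic() < end:
        if probe_port(host, port, timeout=1.0).state == "up":
            return True
        time.sleep(interval_s)
    return False


if __name__ == "__main__":
    # Against a local container this prints one line per listener plus a verdict.
    results = probe_all("127.0.0.1")
    for r in results:
        print(f"{r.name:5s} {r.host}:{r.port} {r.state:8s} {r.latency_ms:7.1f} ms")
    print("verdict:", classify(results))
```

Run it once before issuing the verification query (expect "healthy") and again on a schedule afterwards; a transition to "down" with a refused connection on port 1111 is the signature of the crash this advisory describes, while "degraded" with a timeout points at a hang and is worth a thread dump before restarting.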

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          2.5
exploitability  6.1
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.