CVE-2021-44490

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to cause a denial-of-service (DoS) by crashing YottaDB applications through crafted input that triggers an integer miscalculation in memory allocation. Attackers can exploit this to cause segmentation faults and application crashes. Affected users include anyone running vulnerable versions of YottaDB or V7.0-000.

💻 Affected Systems

Products:
  • YottaDB
  • V7.0-000
Versions: YottaDB through r1.32 and V7.0-000
Operating Systems: All supported platforms (Linux, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption through application crashes, potentially affecting database availability and dependent applications.

🟠 Likely Case

Denial-of-service through application crashes, requiring restart of affected YottaDB processes.

🟢 If Mitigated

Limited impact if proper input validation and access controls prevent malicious input from reaching vulnerable code.

🌐 Internet-Facing: MEDIUM - While exploitation requires crafted input, internet-facing applications could be targeted for DoS attacks.
🏢 Internal Only: MEDIUM - Internal applications could be crashed by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted input to trigger the vulnerable code path, but no public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: YottaDB r1.34 and later, V7.0-001 and later

Vendor Advisory: https://gitlab.com/YottaDB/DB/YDB/-/issues/828

Restart Required: Yes

Instructions:

1. Download the latest YottaDB release from the official repository.
2. Follow the installation instructions for your platform.
3. Restart all YottaDB processes and dependent applications.

🔧 Temporary Workarounds

Input validation (all platforms)

Implement strict input validation to prevent crafted input from reaching the vulnerable op_fnj3 function.

Access controls (all platforms)

Restrict access to YottaDB applications to trusted users only.

🧯 If You Can't Patch

  • Implement network segmentation to isolate YottaDB systems from untrusted networks
  • Deploy application-level firewalls or WAFs to filter suspicious input patterns

🔍 How to Verify

Check if Vulnerable:

Check YottaDB version: yottadb -version | grep 'YottaDB release'

Check Version:

yottadb -version

Verify Fix Applied:

Verify version is r1.34+ or V7.0-001+ after patching
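
The version check above can be scripted for use across many hosts. The following is an added example, not code from YottaDB or from this advisory. It assumes the release tag has the form rN.NN on the line matched by the grep above, handles only the YottaDB r-series tag (not the V7.0-001 string), and the function names and the sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a YottaDB release tag against the fixed release
# r1.34 named in this advisory. Function names are hypothetical.
FIXED_MAJOR=1
FIXED_MINOR=34

# Constructed sample line (assumed layout; real output comes from `yottadb -version`).
SAMPLE_VERSION_OUTPUT='YottaDB release:         r1.32'

# Read version text on stdin, print the first rN.NN tag (nothing if absent).
ydb_release_from_text() {
    grep 'YottaDB release' | grep -Eo 'r[0-9]+\.[0-9]+' | head -n 1
}

# ydb_is_fixed TAG: 0 = at or above r1.34, 1 = older (affected), 2 = unparseable.
ydb_is_fixed() {
    tag=$1
    case $tag in
        r[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${tag#r}; major=${major%%.*}
    minor=${tag#*.}
    case "$major$minor" in
        *[!0-9]*) return 2 ;;   # e.g. r1.34.1 or r1x.3
    esac
    # Strip leading zeros (r2.00 -> minor 0) so the comparison is plain decimal.
    major=$(printf '%s\n' "$major" | sed 's/^0*\(.\)/\1/')
    minor=$(printf '%s\n' "$minor" | sed 's/^0*\(.\)/\1/')
    if [ "$major" -gt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 1; fi
    if [ "$minor" -ge "$FIXED_MINOR" ]; then return 0; fi
    return 1
}

# Read version text on stdin, print a verdict, return the ydb_is_fixed status.
ydb_verdict() {
    tag=$(ydb_release_from_text)
    rc=0; ydb_is_fixed "$tag" || rc=$?
    case $rc in
        0) echo "$tag: at or above r1.34 (fixed)" ;;
        1) echo "$tag: older than r1.34 (affected by CVE-2021-44490)" ;;
        *) echo "no rN.NN release tag found; check manually" ;;
    esac
    return $rc
}
# On a host with YottaDB installed: yottadb -version | ydb_verdict
```

An exit status of 2 means the tag could not be parsed and should be treated as unverified, not as fixed.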

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in application logs
  • Unexpected YottaDB process crashes
  • Core dump files in working directories

Network Indicators:

  • Unusual input patterns to YottaDB applications
  • Sudden loss of database connectivity

SIEM Query:

source="yottadb.log" AND ("segmentation fault" OR "SIGSEGV" OR "core dumped")
