CVE-2021-44500 – This vulnerability in FIS GT.M and YottaDB allo... (How to Fix)

Q: What is the severity of CVE-2021-44500?

CVE-2021-44500 has a CVSS score of 7.5 (HIGH). This vulnerability in FIS GT.M and YottaDB allows attackers to crash applications by triggering a divide-by-zero error through improper input validation. It affects systems running vulnerable versions of these database management systems. The crash can lead to denial of service and potential data corruption.

📋 TL;DR

This vulnerability in FIS GT.M and YottaDB allows attackers to crash applications by triggering a divide-by-zero error through improper input validation. It affects systems running vulnerable versions of these database management systems. The crash can lead to denial of service and potential data corruption.

💻 Affected Systems

Products:

FIS GT.M
YottaDB

Versions: FIS GT.M through V7.0-000 and related YottaDB versions

Operating Systems: All supported platforms (Linux, UNIX variants)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the core database engine, so all installations of vulnerable versions are affected regardless of configuration.

📦 What is this software?

Gt.m by Fisglobal

View all CVEs affecting Gt.m →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to denial of service, potential data corruption, and system instability requiring manual intervention to restore service.

🟠

Likely Case

Application crash causing temporary service disruption until the process is restarted, potentially affecting database availability and dependent applications.

🟢

If Mitigated

Minimal impact if proper input validation and error handling are implemented at the application layer, with quick recovery through automated restart mechanisms.

🌐 Internet-Facing: MEDIUM - While the vulnerability requires specific function calls, internet-facing applications using these databases could be targeted for DoS attacks.

🏢 Internal Only: MEDIUM - Internal applications could be affected by malicious insiders or compromised internal systems, but attack surface is more limited.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the ability to trigger specific function calls in the database engine, typically through application-level access. The divide-by-zero mechanism is straightforward to trigger once the vulnerable code path is accessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FIS GT.M V7.0-002 and later, corresponding YottaDB patches

Vendor Advisory: http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html

Restart Required: Yes

Instructions:

1. Download the patched version from the official source. 2. Backup all databases and configuration files. 3. Stop all database processes. 4. Install the updated version following vendor instructions. 5. Restart database services. 6. Verify the update was successful.

🔧 Temporary Workarounds

Input validation wrapper

all

Implement application-level input validation to prevent passing zero or invalid values to division operations

# Application code modifications required - no single command

Process monitoring and auto-restart

linux

Configure monitoring to detect crashes and automatically restart database processes

# Use systemd, supervisor, or similar: systemctl enable gtm
# Configure restart policies in service configuration

🧯 If You Can't Patch

Implement strict input validation in all applications using the database to prevent zero values in division operations
Deploy monitoring and alerting for database crashes with rapid response procedures

🔍 How to Verify

Check if Vulnerable:

Check the GT.M/YottaDB version: mumps -version or view the release notes for version information

Check Version:

mumps -version

Verify Fix Applied:

Confirm version is V7.0-002 or later: mumps -version | grep 'V7.0-002' or higher

📡 Detection & Monitoring

Log Indicators:

Database process crashes
Divide-by-zero error messages in application logs
Core dumps in database directories

SIEM Query:

source="database.logs" AND ("divide by zero" OR "floating point exception" OR "SIGFPE")

📊 Metadata

CVE ID: CVE-2021-44500

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-369

Published: April 15, 2022

Last Updated: November 21, 2024

🔗 References

http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html Release Notes,Third Party Advisory
https://gitlab.com/YottaDB/DB/YDB/-/issues/828 Issue Tracking,Patch,Third Party Advisory
https://sourceforge.net/projects/fis-gtm/files/ Product,Third Party Advisory
http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html Release Notes,Third Party Advisory
https://gitlab.com/YottaDB/DB/YDB/-/issues/828 Issue Tracking,Patch,Third Party Advisory
https://sourceforge.net/projects/fis-gtm/files/ Product,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-44500, you might also want to check these: