CVE-2024-57635

Severity: 7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the chash_array component of OpenLink Virtuoso allows an attacker who can submit crafted SQL statements to cause a denial of service. It affects systems running vulnerable versions of Virtuoso Open-Source Edition. Database administrators and applications that use Virtuoso as their backend are the parties primarily affected.

💻 Affected Systems

Products:
  • OpenLink Virtuoso Open-Source Edition
Versions: v7.2.11 and potentially earlier versions
Operating Systems: All platforms running Virtuoso
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment in which SQL queries reach the chash_array component is vulnerable. The flaw is in the core database engine, not in an optional module.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database unavailability requiring restart, potential data corruption if DoS occurs during critical operations

🟠 Likely Case: Temporary service disruption affecting database queries and dependent applications

🟢 If Mitigated: Minimal impact with proper input validation and query sanitization in place

🌐 Internet-Facing: HIGH - the issue is easily triggered if SQL endpoints (such as the SQL/ODBC port or a SPARQL/SQL web endpoint) are reachable from the internet
🏢 Internal Only: MEDIUM - lower risk if only internal applications reach the database, but still reachable by malicious insiders or compromised internal systems

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to execute SQL statements against the database. Complexity depends on the application's input validation and how it constructs queries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1182

Restart Required: No

Instructions:

1. Monitor the GitHub issue for the patch release.
2. Update to the patched version when available.
3. Test in a non-production environment first.
4. Apply to production systems during a maintenance window.

🔧 Temporary Workarounds

Input Validation and Query Sanitization (applies to: all)

Implement strict input validation and parameterized queries to prevent SQL injection

Database Access Restrictions (applies to: all)

Limit database access to only trusted applications and users

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Monitor database logs for unusual SQL patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check whether the server is running Virtuoso v7.2.11 or an earlier version. Review application code and stored procedures for queries that reach the chash_array component.

Check Version:

SELECT sys_stat('st_dbms_version');

Verify Fix Applied:

After patching, re-run the safe SQL queries that previously triggered the issue (in a test environment) and confirm the server remains responsive. Continue monitoring for DoS symptoms such as crashes, restarts, or resource spikes.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long or complex SQL queries
  • Database crash/restart events
  • High CPU/memory usage spikes

Network Indicators:

  • Multiple failed SQL queries from single source
  • Unusual query patterns to database endpoints

SIEM Query:

source="virtuoso.log" AND ("error" OR "crash" OR "timeout") AND "sql"
