CVE-2024-57640

7.5 HIGH

📋 TL;DR

A SQL injection vulnerability in the dc_add_int component of OpenLink Virtuoso OpenSource allows attackers to execute crafted SQL statements that cause a denial of service. It affects systems running vulnerable versions of the Virtuoso database server; an attacker who can already execute SQL against the database can use it to crash the database service.

💻 Affected Systems

Products:
  • OpenLink Virtuoso OpenSource
Versions: v7.2.11 and potentially earlier versions
Operating Systems: All platforms running Virtuoso
Default Config Vulnerable: ⚠️ Yes
Notes: Any configuration allowing SQL statement execution is vulnerable. Requires ability to execute SQL against the database.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database service outage requiring a restart, with potential data corruption if the crash occurs during critical operations.

🟠 Likely Case

Database service crash requiring a manual restart, and temporary unavailability of applications that rely on the database.

🟢 If Mitigated

Limited impact with proper input validation and SQL injection protections in place.

🌐 Internet-Facing: HIGH if database is directly exposed to internet or untrusted networks without proper controls.
🏢 Internal Only: MEDIUM for internal databases where attackers need SQL execution privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires SQL execution capability. Exploit involves crafting specific SQL statements targeting the dc_add_int component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1184

Restart Required: No

Instructions:

1. Check the GitHub issue for patch availability.
2. Update to the latest patched version.
3. Test in a non-production environment first.
4. Apply to production systems during a maintenance window.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Platforms: all

Implement strict input validation and use parameterized queries/prepared statements for all SQL operations.

Database User Privilege Reduction

Platforms: all

Limit database user privileges to the minimum required, preventing execution of dangerous SQL functions.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the database from untrusted networks
  • Deploy a web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Virtuoso version with SELECT sys_stat('st_dbms_ver'); if it reports v7.2.11 or earlier, assume the instance is vulnerable.

Check Version:

SELECT sys_stat('st_dbms_ver');

Verify Fix Applied:

After patching, verify that the reported version has been updated and test with safe SQL injection test queries.

📡 Detection & Monitoring

Log Indicators:

  • Database crash logs
  • Unusual SQL error messages
  • Repeated connection failures

Network Indicators:

  • Unusual SQL query patterns targeting dc_add_int
  • Database port becoming unresponsive

SIEM Query:

source="virtuoso.log" AND ("crash" OR "segfault" OR "abnormal termination")
