CVE-2024-57646 – This SQL injection vulnerability in OpenLink Vi... (How to Fix)

Q: What is the severity of CVE-2024-57646?

CVE-2024-57646 has a CVSS score of 7.5 (HIGH). This SQL injection vulnerability in OpenLink Virtuoso's psiginfo component allows attackers to execute crafted SQL statements, potentially causing denial of service. It affects systems running vulnerable versions of Virtuoso Open-Source Edition, particularly those exposed to untrusted SQL input.

📋 TL;DR

This SQL injection vulnerability in OpenLink Virtuoso's psiginfo component allows attackers to execute crafted SQL statements, potentially causing denial of service. It affects systems running vulnerable versions of Virtuoso Open-Source Edition, particularly those exposed to untrusted SQL input.

💻 Affected Systems

Products:

OpenLink Virtuoso Open-Source Edition

Versions: v7.2.11 and potentially earlier versions

Operating Systems: All platforms running Virtuoso

Default Config Vulnerable: ⚠️ Yes

Notes: Systems accepting SQL queries through psiginfo component are vulnerable. Default installations with SQL endpoints enabled are at risk.

📦 What is this software?

Virtuoso by Openlinksw

View all CVEs affecting Virtuoso →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability through resource exhaustion or database corruption, potentially affecting dependent applications.

🟠

Likely Case

Service disruption through CPU/memory exhaustion from malformed SQL queries, requiring restart of Virtuoso service.

🟢

If Mitigated

Minimal impact with proper input validation and query sanitization in place.

🌐 Internet-Facing: HIGH - Directly exposed Virtuoso endpoints accepting SQL could be targeted by automated scanners.

🏢 Internal Only: MEDIUM - Internal users or compromised systems could exploit, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires ability to submit SQL queries to vulnerable component. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1199

Restart Required: No

Instructions:

1. Monitor GitHub issue #1199 for official patch release. 2. Update to patched version when available. 3. Test in non-production environment first. 4. Apply to production systems during maintenance window.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement strict input validation for SQL queries passed to psiginfo component

# Configure application-layer validation to reject malformed SQL

Access Restriction

all

Restrict access to Virtuoso SQL endpoints to trusted sources only

# Use firewall rules to limit access to Virtuoso ports (typically 1111, 8890)

🧯 If You Can't Patch

Implement network segmentation to isolate Virtuoso instances from untrusted networks
Deploy web application firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check Virtuoso version: if running v7.2.11 or earlier and psiginfo component is enabled, system is likely vulnerable.

Check Version:

SELECT sys_stat('st_dbms_version');

Verify Fix Applied:

After patching, verify version is updated beyond v7.2.11 and test with safe SQL queries to confirm functionality.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL query patterns in Virtuoso logs
Multiple failed query attempts
Resource exhaustion warnings

Network Indicators:

Unusual SQL traffic patterns to Virtuoso ports
Requests with malformed SQL syntax

SIEM Query:

source="virtuoso.log" AND ("psiginfo" OR "SQL error" OR "resource exhausted")

📊 Metadata

CVE ID: CVE-2024-57646

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE: CWE-89

EPSS Score: 0.6% exploit probability (69th percentile)

Published: January 14, 2025

Last Updated: April 17, 2025

🔗 References

https://github.com/openlink/virtuoso-opensource/issues/1199 Exploit,Issue Tracking,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-57646, you might also want to check these: