CVE-2024-57647

7.5 HIGH

📋 TL;DR

OpenLink Virtuoso OpenSource contains a vulnerability, classified as SQL injection, in its row_insert_cast component: a crafted SQL statement reaching that code path causes a denial of service. In practice the precondition is the ability to get a statement executed by the server, whether through the SQL listener (ISQL/ODBC/JDBC) or through an application that builds SQL from request data. Any deployment running a vulnerable Virtuoso release is affected; database administrators and the applications that use Virtuoso as their backend are the ones at risk.

💻 Affected Systems

Products:
  • OpenLink Virtuoso OpenSource
Versions: v7.2.11 is the reported version; earlier releases are not confirmed either way and should be treated as affected until the fix is identified
Operating Systems: All platforms running Virtuoso
Default Config Vulnerable: ⚠️ Yes
Notes: Any Virtuoso instance that accepts SQL from users or applications you do not fully control is exposed, whether over the SQL port (ISQL/ODBC/JDBC) or through application code that assembles statements from request data. A default installation is affected; the bug is in the server itself, not in an optional feature.

📦 What is this software?

OpenLink Virtuoso is a multi-model database server that combines a relational SQL engine with an RDF triple store and a SPARQL endpoint. It is used as the backend for large public linked-data sets (DBpedia runs on it) and as a conventional SQL database behind web applications. The OpenSource edition is published on GitHub under openlink/virtuoso-opensource.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database unavailability through resource exhaustion or crash, disrupting all dependent applications and services.

🟠

Likely Case

Partial or intermittent service degradation affecting database performance and availability for users.

🟢

If Mitigated

Minimal impact where statement submission is limited to trusted callers: input validation and query parameterization keep attacker text out of application-built SQL, and network segmentation keeps the SQL port off untrusted networks. None of these remove the bug; they only shrink the set of people who can trigger it.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Exploitation requires the ability to execute SQL statements against the server. That means a login on the SQL listener (port 1111 in a default virtuoso.ini, used by ISQL, ODBC and JDBC clients), or an application or HTTP-facing interface that forwards attacker-influenced SQL to Virtuoso. No memory-corruption primitive or special tooling is implied by the report; a single crafted statement is the trigger.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1207

Restart Required: Yes. The fix is a new server build, and the running virtuoso-t process must be restarted to load it.

Instructions:

1. Monitor the GitHub issue for the patch release.
2. Update to the patched version when available.
3. Test in a non-production environment first.
4. Apply to production systems during a maintenance window.

🔧 Temporary Workarounds

Input Validation and Parameterization

Use parameterized queries (prepared statements) for every statement an application sends to Virtuoso, and validate untrusted values against the shape you expect before binding them. This closes the path where attacker-controlled text becomes part of a statement. It does not protect against a caller who already holds SQL access (an ISQL or ODBC login, or a shared query endpoint), because that caller can submit the crafted statement directly; for those, rely on access restriction.
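The two patterns side by side, as an added example that is not from the advisory or the Virtuoso project. Python's built-in sqlite3 module stands in for a Virtuoso ODBC connection because it uses the same DB-API '?' parameter marker that pyodbc does against Virtuoso; the table, rows and the identifier rule are constructed for the demo.

```python
"""Added example: a lookup built unsafely by string splicing next to the
hardened form that validates the value and binds it as a parameter.
sqlite3 is a stand-in for a Virtuoso ODBC connection (same '?' marker).
"""
import re
import sqlite3

# Constructed sample data, not from the original page.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: untrusted text is spliced into the statement, so the
    caller decides what SQL the server parses. A payload such as
    x' OR '1'='1 turns the WHERE clause into a tautology."""
    sql = f"SELECT owner, secret FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, owner: str) -> list:
    """Parameter binding alone: the value is sent separately from the
    statement text, so it can never be parsed as SQL. The payload now simply
    matches no row."""
    return conn.execute(
        "SELECT owner, secret FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


# Assumed rule for this demo: an owner name is a short identifier. Adjust to
# whatever the application actually accepts.
IDENT_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_well_formed(owner: str) -> bool:
    """Allowlist check applied before the value ever reaches the driver."""
    return IDENT_RE.fullmatch(owner) is not None


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened pattern: reject anything outside the expected shape, then bind
    the value as a parameter. Validation keeps junk out of the server; binding
    keeps the junk from being SQL even if validation is wrong."""
    if not is_well_formed(owner):
        raise ValueError("owner must be a short identifier")
    return lookup_parameterized(conn, owner)


if __name__ == "__main__":
    db = make_demo_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))        # every row leaks
    print("bound:", lookup_parameterized(db, payload))  # no row
    print("safe:", lookup_safe(db, "alice"))
```

Validation and binding are complementary: binding is what actually prevents injection, validation keeps oversized or malformed values (the kind of input that trips server-side bugs like this one) from being sent at all. Neither helps against a principal who can open an ISQL session and type the crafted statement.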

Network Access Restrictions

Restrict the SQL listener (port 1111 in a default virtuoso.ini) and any HTTP endpoint that accepts statements to the application servers and administrator hosts that need them, using host or network firewall rules. Where only local applications use the database, bind the listener to a loopback or private address rather than all interfaces. Review existing SQL accounts as well: every login that can run statements can trigger this bug.

🧯 If You Can't Patch

  • Put a web application firewall with SQL injection rules in front of Virtuoso's HTTP-facing endpoints. This only covers statements that arrive over HTTP; direct connections to the SQL port bypass it entirely, so pair it with the network restrictions above.
  • Monitor database performance metrics and logs for crash and restart events and for unusual query patterns, so a triggered crash is noticed and its source traced rather than written off as instability.

🔍 How to Verify

Check if Vulnerable:

Check the Virtuoso version. From an ISQL session (or any SQL client) run SELECT sys_stat('st_dbms_ver'); which returns the build string in major.minor.build form (for example a 7.2.x server reports 07.20.xxxx). Without a database login, virtuoso-t --version prints the release of the installed binary. If the release is 7.2.11 or earlier, assume vulnerable.

Check Version:

SELECT sys_stat('st_dbms_ver');

From the shell: isql localhost:1111 dba <password> exec="select sys_stat('st_dbms_ver');"

Verify Fix Applied:

After patching, confirm with the same query that the build string is at or above the fixed build named in the GitHub issue, and that the running process (not just the installed binary) reports it; a server that was updated on disk but not restarted still reports the old build. If you have the reproducer statement from the issue, run it only against a non-production instance: a fixed server returns an error for the statement and stays online rather than crashing.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long or deeply nested SQL statements in application-side query logs (Virtuoso does not log statement text by default, so this signal has to come from the application or a proxy)
  • Multiple failed statements from one client or account in a short interval
  • Server restart events: repeated "Server online at 1111" start-up lines in virtuoso.log with a new pid each time, and core dumps in the database directory
  • High CPU or memory usage from the virtuoso-t process without a matching change in legitimate load

Network Indicators:

  • Statements to the SQL port from hosts other than the known application servers
  • Repeated connections from one source that each send a malformed or oversized statement and then drop

SIEM Query:

source="virtuoso.log" AND ("error" OR "crash" OR "timeout") AND "sql"
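The crash/restart indicators above, turned into a small check that can be run over virtuoso.log. This is an added example, not tooling from the advisory or from OpenLink. It assumes the HH:MM:SS line prefix and the "Server online at <port> (pid <n>)" start-up line that the server writes, and treats lines beginning with "GPF:" as the server's fatal internal-error marker; the log excerpt is constructed for the demo.

```python
"""Added example: flag Virtuoso crash markers and restart bursts in a
virtuoso.log excerpt. Assumptions: lines start with HH:MM:SS, start-up is
logged as 'Server online at <port> (pid <n>)', fatal errors start with 'GPF:'.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (.*)$")
RESTART_RE = re.compile(r"^Server online at \d+ \(pid (\d+)\)")

# Constructed log excerpt for the demo; the GPF text is invented and is not a
# real Virtuoso crash signature.
SAMPLE_LOG = """\
09:00:01 Server online at 1111 (pid 4120)
09:00:01 HTTP/WebDAV server online at 8890
09:15:03 GPF: example.c:42 constructed fatal-error line for the demo
09:15:30 Server online at 1111 (pid 4188)
09:15:30 HTTP/WebDAV server online at 8890
09:18:40 GPF: example.c:42 constructed fatal-error line for the demo
09:19:02 Server online at 1111 (pid 4231)
09:19:02 HTTP/WebDAV server online at 8890
"""


def parse_log(text: str) -> list:
    """Return (timestamp, message) pairs; lines without a time prefix (date
    banners, wrapped continuation lines) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return events


def crash_markers(events: list) -> list:
    """Every fatal-error line; any hit is worth an alert on its own."""
    return [msg for _, msg in events if msg.startswith("GPF:")]


def restart_pids(events: list) -> list:
    """Pids from each start-up line; a changing pid means the process died
    and was started again (by hand or by a supervisor)."""
    pids = []
    for _, msg in events:
        m = RESTART_RE.match(msg)
        if m:
            pids.append(int(m.group(1)))
    return pids


def restart_bursts(events: list, window: timedelta = timedelta(minutes=10),
                   threshold: int = 2) -> list:
    """Return (start_time, count) for each run of at least `threshold`
    start-ups inside `window`. A single planned restart is normal; a burst
    looks like someone repeatedly triggering a crash."""
    starts = [ts for ts, msg in events if RESTART_RE.match(msg)]
    bursts = []
    for i, t0 in enumerate(starts):
        if i and t0 - starts[i - 1] <= window:
            continue  # already counted in the burst reported from an earlier start
        n = sum(1 for t in starts[i:] if t - t0 <= window)
        if n >= threshold:
            bursts.append((t0.strftime("%H:%M:%S"), n))
    return bursts


def analyze(text: str) -> dict:
    events = parse_log(text)
    return {
        "crash_markers": crash_markers(events),
        "restart_pids": restart_pids(events),
        "restart_bursts": restart_bursts(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real host, feed the script the tail of virtuoso.log from the database directory and pair a restart burst with the SQL-port connection logs from the same window to find the client that submitted the statements. The window and threshold are starting points; tune them to how often your deployment restarts the server on purpose.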
