CVE-2024-57651

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in the jp_add component of OpenLink Virtuoso allows attackers to execute crafted SQL statements that can crash the database service, causing denial of service. It affects organizations running vulnerable versions of Virtuoso OpenSource as their database backend.

💻 Affected Systems

Products:
  • OpenLink Virtuoso OpenSource
Versions: v7.2.11 and potentially earlier versions
Operating Systems: All platforms running Virtuoso
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems where the jp_add component is accessible and processes SQL statements.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database service outage, making all dependent applications unavailable until service is restored.

🟠 Likely Case: Intermittent service disruptions affecting application availability and user experience.

🟢 If Mitigated: Minimal impact with proper input validation and query sanitization in place.

🌐 Internet-Facing: HIGH - If the database endpoint is exposed to the internet, attackers can directly trigger DoS.
🏢 Internal Only: MEDIUM - Internal users or compromised systems could still cause service disruption.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to submit SQL statements to the vulnerable component. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check the GitHub issue for the latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1196

Restart Required: No

Instructions:

1. Monitor the GitHub issue for a patch release.
2. Update to the patched version when it is available.
3. Test in a non-production environment first.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation and SQL query sanitization for all user input passed to the jp_add component.

Network Segmentation (applies to: all)

Restrict access to Virtuoso database endpoints to only trusted applications and users.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious SQL patterns
  • Monitor database logs for unusual query patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check whether the running Virtuoso version is v7.2.11 or earlier and whether the jp_add component is accessible.

Check Version:

SELECT DB.DBA.SYS_VERSION();

Verify Fix Applied:

Confirm the reported version is later than v7.2.11, then test with safe SQL queries to confirm the service remains stable.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error patterns in database logs
  • Multiple connection failures or service restarts

Network Indicators:

  • Unusual SQL query patterns to database endpoints
  • Increased error responses from database

SIEM Query:

source="virtuoso.log" AND ("sql error" OR "segmentation fault" OR "service crash")
