CVE-2024-57660

7.5 HIGH

📋 TL;DR

A SQL injection vulnerability in the sqlo_expand_jts component of OpenLink Virtuoso Open Source allows attackers to execute crafted SQL statements that cause denial of service. This affects organizations running vulnerable versions of Virtuoso database servers, particularly those exposed to untrusted SQL input.

💻 Affected Systems

Products:
  • OpenLink Virtuoso Open Source
Versions: v7.2.11 and potentially earlier versions
Operating Systems: All platforms running Virtuoso
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when processing SQL statements through affected component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database service disruption requiring restart, potentially leading to extended downtime and data unavailability.

🟠 Likely Case: Temporary service interruption affecting database availability for applications and users.

🟢 If Mitigated: Minimal impact with proper input validation and query sanitization in place.

🌐 Internet-Facing: HIGH - Database servers exposed to internet could be targeted by automated scanning and exploitation attempts.
🏢 Internal Only: MEDIUM - Requires authenticated database access or application-level SQL injection to reach vulnerable component.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to execute SQL statements against the database, typically through application-level access or SQL injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub issue for latest patched version

Vendor Advisory: https://github.com/openlink/virtuoso-opensource/issues/1221

Restart Required: No

Instructions:

1. Monitor GitHub issue #1221 for the official patch release.
2. Apply the patch when available.
3. Test in a non-production environment first.
4. Deploy to production systems.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation and SQL query sanitization at the application layer.

Database User Privilege Reduction (applies to: all)

Limit database user privileges to the minimum required for application functionality.

🧯 If You Can't Patch

  • Implement network segmentation to restrict database access to trusted applications only
  • Deploy web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Virtuoso version with SELECT sys_stat('st_dbms_version'); if the version is v7.2.11 or earlier, assume vulnerable.

Check Version:

SELECT sys_stat('st_dbms_version');

Verify Fix Applied:

After patching, verify version is updated beyond v7.2.11 and test with controlled SQL statements.
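The version rule above can be scripted so that the same check runs consistently across a fleet. The following Python is an added example, not part of this advisory or of the Virtuoso project: it takes the string returned by SELECT sys_stat('st_dbms_version') (retrieved however you normally run queries) and applies the advisory's "v7.2.11 or earlier" rule. The output format of that string is an assumption here; the parser tolerates an optional "v" prefix and surrounding text but expects release-style "7.2.x" numbering, so a build-number style string would need to be mapped to a release number before comparing.

```python
import re
from typing import Optional, Tuple

# Threshold taken from the advisory: v7.2.11 and earlier are assumed vulnerable.
LAST_KNOWN_VULNERABLE = (7, 2, 11)


def parse_version(raw: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted numeric version from the sys_stat output.

    Assumption: the server reports a release-style string such as
    "v7.2.11" or "Virtuoso 7.2.12 ...". Returns None if nothing parses.
    """
    match = re.search(r"v?(\d+(?:\.\d+)+)", raw)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_assumed_vulnerable(raw: str) -> Optional[bool]:
    """Apply the advisory rule: version <= 7.2.11 means assume vulnerable.

    Returns None when the version cannot be parsed, so callers can treat
    "unknown" separately from "fixed" instead of silently passing it.
    """
    version = parse_version(raw)
    if version is None:
        return None
    # Pad short strings ("7.2") with zeros and ignore any 4th+ component
    # (build suffix) so the comparison is on major.minor.patch only.
    major_minor_patch = (version + (0, 0, 0))[:3]
    return major_minor_patch <= LAST_KNOWN_VULNERABLE


def verdict(raw: str) -> str:
    """Human-readable result for a fleet report."""
    result = is_assumed_vulnerable(raw)
    if result is None:
        return f"UNKNOWN (could not parse version from {raw!r})"
    return "ASSUME VULNERABLE" if result else "FIXED (above v7.2.11)"


if __name__ == "__main__":
    # Constructed sample strings, not real server output.
    for sample in ("v7.2.11", "7.2.12", "Virtuoso 7.3.0 build", "n/a"):
        print(f"{sample!r}: {verdict(sample)}")
```

Treat the None result as a failed check, not a pass: a host whose version string cannot be parsed still needs a manual look.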

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error patterns in database logs
  • Repeated connection failures or service restarts
  • Long-running or resource-intensive SQL queries

Network Indicators:

  • Unusual SQL traffic patterns to database port
  • Multiple failed SQL connection attempts

SIEM Query:

source="virtuoso.log" AND ("sqlo_expand_jts" OR "DoS" OR "service interruption")
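The log indicators listed above (errors naming the affected component, clustered service restarts, long-running queries) can be checked outside a SIEM as well. The following Python is an added example, not from this advisory or the Virtuoso project. The log lines and their "<ISO timestamp> <LEVEL> <message>" layout are constructed for the example; real virtuoso.log lines differ, so adapt parse_line and the restart marker to your deployment. It flags the same three signals the Log Indicators list names, using a 15-minute window for restart clustering and a 60-second threshold for long queries (both values are assumptions to tune locally).

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not real Virtuoso output).
SAMPLE_LOG = """\
2024-01-10T10:00:01 INFO Server online at 1111
2024-01-10T10:05:12 ERROR SQL error in sqlo_expand_jts while compiling statement
2024-01-10T10:05:13 ERROR SQL error in sqlo_expand_jts while compiling statement
2024-01-10T10:05:20 WARN query running 245 s exceeded threshold
2024-01-10T10:06:00 INFO Server online at 1111
2024-01-10T10:09:30 INFO Server online at 1111
2024-01-10T10:15:00 INFO checkpoint finished
"""

COMPONENT = "sqlo_expand_jts"        # component named in the advisory
RESTART_MARK = "Server online"       # assumed marker for a (re)start
RESTART_WINDOW = timedelta(minutes=15)
LONG_QUERY_SECONDS = 60
LONG_QUERY_RE = re.compile(r"running (\d+) s")


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one constructed-format line into (timestamp, level, message)."""
    ts, level, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), level, msg


def max_restart_burst(times: List[datetime], window: timedelta) -> int:
    """Largest number of restarts falling inside any window-wide span."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        burst = sum(1 for t in times[i:] if t - start <= window)
        best = max(best, burst)
    return best


def analyze(log_text: str) -> Dict[str, object]:
    """Count the advisory's three log indicators and build alert strings."""
    counts: Counter = Counter()
    restart_times: List[datetime] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, _level, msg = parse_line(raw)
        if COMPONENT in msg:
            counts["component_errors"] += 1
        if RESTART_MARK in msg:
            restart_times.append(ts)
        m = LONG_QUERY_RE.search(msg)
        if m and int(m.group(1)) >= LONG_QUERY_SECONDS:
            counts["long_running_queries"] += 1

    burst = max_restart_burst(restart_times, RESTART_WINDOW)
    alerts: List[str] = []
    if counts["component_errors"]:
        alerts.append(f"{COMPONENT} errors: {counts['component_errors']}")
    if burst >= 2:
        minutes = int(RESTART_WINDOW.total_seconds() // 60)
        alerts.append(f"repeated restarts: {burst} within {minutes} min")
    if counts["long_running_queries"]:
        alerts.append(f"long-running queries: {counts['long_running_queries']}")
    return {
        "component_errors": counts["component_errors"],
        "restart_burst": burst,
        "long_running_queries": counts["long_running_queries"],
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print("ALERT:", alert)
```

Matching on the component name is the most specific of the three signals; restart clustering and long queries are generic availability symptoms and will also fire on unrelated causes, so use them to corroborate rather than as a standalone trigger.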
