CVE-2024-57655
Published: 14 January 2025
Summary
CVE-2024-57655 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Openlinksw Virtuoso. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2024-57655 is a vulnerability in the dfe_n_in_order component of OpenLink Virtuoso Open-Source version 7.2.11. The issue enables attackers to trigger a Denial of Service (DoS) condition by sending crafted SQL statements, linked to CWE-400 (Uncontrolled Resource Consumption). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact.
Remote attackers without authentication or privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to resource exhaustion, causing the affected Virtuoso instance to become unresponsive or crash, disrupting services for legitimate users.
Mitigation details and further information are available in the GitHub issue at https://github.com/openlink/virtuoso-opensource/issues/1216.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53687
Vulnerability details
An issue in the dfe_n_in_order component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated DoS via crafted SQL on public-facing DB server maps to public app exploitation and application-layer resource exhaustion.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Implements denial-of-service protections at network boundaries to block or limit crafted SQL statements causing resource exhaustion in the dfe_n_in_order component.
Validates SQL inputs to prevent crafted statements from triggering uncontrolled resource consumption leading to DoS in Virtuoso.
Enforces resource allocation limits to mitigate uncontrolled consumption from malicious SQL queries targeting the dfe_n_in_order component.