Cyber Resilience

CVE-2024-57655

HighPublic PoCDDoS

Published: 14 January 2025

Published
14 January 2025
Modified
17 April 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0021 43.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57655 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Openlinksw Virtuoso. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2024-57655 is a vulnerability in the dfe_n_in_order component of OpenLink Virtuoso Open-Source version 7.2.11. The issue enables attackers to trigger a Denial of Service (DoS) condition by sending crafted SQL statements, linked to CWE-400 (Uncontrolled Resource Consumption). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact.

Remote attackers without authentication or privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation leads to resource exhaustion, causing the affected Virtuoso instance to become unresponsive or crash, disrupting services for legitimate users.

Mitigation details and further information are available in the GitHub issue at https://github.com/openlink/virtuoso-opensource/issues/1216.

EU & UK References

Vulnerability details

An issue in the dfe_n_in_order component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Direct remote unauthenticated DoS via crafted SQL on public-facing DB server maps to public app exploitation and application-layer resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-57636Same product: Openlinksw Virtuoso
CVE-2024-57645Same product: Openlinksw Virtuoso
CVE-2024-57646Same product: Openlinksw Virtuoso
CVE-2024-57644Same product: Openlinksw Virtuoso
CVE-2024-57650Same product: Openlinksw Virtuoso
CVE-2024-57640Same product: Openlinksw Virtuoso
CVE-2024-57637Same product: Openlinksw Virtuoso
CVE-2024-57660Same product: Openlinksw Virtuoso
CVE-2024-57663Same product: Openlinksw Virtuoso
CVE-2024-57641Same product: Openlinksw Virtuoso

Affected Assets

openlinksw
virtuoso
7.2.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventdetect

Implements denial-of-service protections at network boundaries to block or limit crafted SQL statements causing resource exhaustion in the dfe_n_in_order component.

prevent

Validates SQL inputs to prevent crafted statements from triggering uncontrolled resource consumption leading to DoS in Virtuoso.

prevent

Enforces resource allocation limits to mitigate uncontrolled consumption from malicious SQL queries targeting the dfe_n_in_order component.

References