CVE-2024-57659

HighPublic PoC

Published: 14 January 2025

Published

14 January 2025

Modified

17 April 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0027 50.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57659 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Openlinksw Virtuoso. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation requires patching the specific vulnerability in OpenLink Virtuoso v7.2.11's sqlg_parallel_ts_seq component to prevent DoS exploitation.

SC-5 Denial-of-service Protection good match

preventdetect

Denial-of-service protection directly limits the effects of resource exhaustion attacks triggered by crafted SQL statements in Virtuoso.

SI-10 Information Input Validation partial match

prevent

Information input validation rejects or sanitizes crafted SQL statements before processing to mitigate DoS in the sqlg_parallel_ts_seq component.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability enables remote DoS via crafted SQL input exploiting improper resource handling in a public-facing DB application, directly matching application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in the sqlg_parallel_ts_seq component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Deeper analysisAI

CVE-2024-57659 is a vulnerability in the sqlg_parallel_ts_seq component of OpenLink Virtuoso Open-Source version 7.2.11. The issue, associated with CWE-404 (Improper Resource Shutdown or Denial of Service), enables attackers to trigger a Denial of Service (DoS) condition by sending crafted SQL statements. It received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation results in a DoS, disrupting service availability without compromising confidentiality or integrity.

For mitigation details, security practitioners should review the GitHub issue at https://github.com/openlink/virtuoso-opensource/issues/1212, which documents the vulnerability.

Details

CWE(s): CWE-404

Affected Products

openlinksw

virtuoso

7.2.11

CVEs Like This One

CVE-2024-57661Same product: Openlinksw Virtuoso

CVE-2024-57654Same product: Openlinksw Virtuoso

CVE-2024-57664Same product: Openlinksw Virtuoso

CVE-2024-57643Same product: Openlinksw Virtuoso

CVE-2024-57656Same product: Openlinksw Virtuoso

CVE-2024-57662Same product: Openlinksw Virtuoso

CVE-2024-57652Same product: Openlinksw Virtuoso

CVE-2024-57663Same product: Openlinksw Virtuoso

CVE-2024-57657Same product: Openlinksw Virtuoso

CVE-2024-57637Same product: Openlinksw Virtuoso

References

https://github.com/openlink/virtuoso-opensource/issues/1212
Exploit, Issue Tracking, Vendor Advisory · cve@mitre.org