CVE-2024-57662
Published: 14 January 2025
Summary
CVE-2024-57662 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openlinksw Virtuoso. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and remediation of the specific flaw in the sqlg_hash_source component, including application of patches referenced in the Virtuoso GitHub issue.
Implements architectural and configuration-based protections to limit the effects of DoS attacks causing resource exhaustion via crafted SQL statements.
Establishes defined limits and quotas on resource allocation to prevent unbounded consumption during processing of malicious SQL inputs in the vulnerable component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE directly describes remote exploitation of an application vulnerability (crafted SQL causing unbounded resource allocation) to crash or exhaust the service, matching T1499.004 Application or System Exploitation for Endpoint Denial of Service.
NVD Description
An issue in the sqlg_hash_source component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Deeper analysisAI
CVE-2024-57662 affects the sqlg_hash_source component in OpenLink Virtuoso Open-Source edition version 7.2.11. The vulnerability allows attackers to trigger a Denial of Service (DoS) condition by sending crafted SQL statements. It is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
Remote attackers require no authentication or privileges and can exploit this over the network with low complexity and no user interaction. By submitting malicious SQL statements to the affected component, they can cause resource exhaustion, leading to service disruption or crashes on vulnerable instances.
The GitHub issue at https://github.com/openlink/virtuoso-opensource/issues/1217 provides additional details on the vulnerability, including potential mitigation steps or patches for OpenLink Virtuoso Open-Source. Security practitioners should review this reference for remediation guidance specific to their deployments.
Details
- CWE(s)