Cyber Posture

CVE-2024-57664

HighPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
17 April 2025
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0011 29.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57664 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openlinksw Virtuoso. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 29.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-5 Denial-of-service Protection good match
prevent

Directly implements denial-of-service protections to prevent resource exhaustion from crafted SQL statements targeting the sqlg_group_node component.

SC-6 Resource Availability good match
prevent

Protects system resource availability by enforcing limits and throttling on resource allocation exploited by CWE-770 in Virtuoso.

SI-2 Flaw Remediation good match
prevent

Requires timely flaw remediation through patching the specific vulnerability in OpenLink Virtuoso v7.2.11 sqlg_group_node component.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote unauthenticated DoS via crafted SQL exploiting unbounded resource allocation (CWE-770) in a public-facing DB component directly enables T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue in the sqlg_group_node component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

Deeper analysisAI

CVE-2024-57664 is a denial-of-service vulnerability in the sqlg_group_node component of OpenLink Virtuoso OpenSource version 7.2.11. The flaw allows attackers to trigger a DoS condition through specially crafted SQL statements, stemming from an issue classified under CWE-770 (Allocation of Resources Without Limits or Throttling). It carries a CVSS v3.1 base score of 7.5, reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impact on availability with no effects on confidentiality or integrity.

Remote attackers require no authentication or privileges to exploit this vulnerability over the network. By sending crafted SQL statements to a vulnerable Virtuoso instance, they can cause resource exhaustion, leading to service disruption or crash of the affected component, thereby denying service to legitimate users.

The vulnerability is tracked in the official repository at https://github.com/openlink/virtuoso-opensource/issues/1211, where security practitioners can find additional details on the issue, potential workarounds, or patch status.

Details

CWE(s)
CWE-770

Affected Products

openlinksw
virtuoso
7.2.11

CVEs Like This One

CVE-2024-57662Same product: Openlinksw Virtuoso
CVE-2024-57663Same product: Openlinksw Virtuoso
CVE-2024-57659Same product: Openlinksw Virtuoso
CVE-2024-57656Same product: Openlinksw Virtuoso
CVE-2024-57643Same product: Openlinksw Virtuoso
CVE-2024-57652Same product: Openlinksw Virtuoso
CVE-2024-57649Same product: Openlinksw Virtuoso
CVE-2024-57642Same product: Openlinksw Virtuoso
CVE-2024-57661Same product: Openlinksw Virtuoso
CVE-2024-57651Same product: Openlinksw Virtuoso

References