CVE-2021-44493
Linux Debian vulnerability analysis and mitigation

Overview

A buffer overflow vulnerability was discovered in YottaDB through r1.32 and V7.0-000 and FIS GT.M through V7.0-000. The vulnerability was assigned CVE-2021-44493 and was disclosed in April 2022. The issue affects the $Extract functionality in both YottaDB and FIS GT.M database systems (NVD, CVE).

Technical details

The vulnerability occurs when crafted input causes a call to $Extract to force a signed integer holding the size of a buffer to take on a large negative number. This negative number is then used as the length of a memcpy call that occurs on the stack, resulting in a buffer overflow. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and a CVSS v2.0 Base Score of 5.0 (MEDIUM) (NVD).
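The failure mode described above, a signed length that goes negative and is then handed to memcpy, shown as an added example that is not code from YottaDB, GT.M or the original page. The function names, the 1-based from/to range convention and the sample string are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration only; not YottaDB or GT.M source. */

/* The value memcpy actually receives when a negative signed length is
 * passed as its size_t argument: -8 becomes SIZE_MAX - 7. */
size_t length_seen_by_memcpy(int32_t signed_len)
{
    return (size_t)signed_len;
}

/* Hardened 1-based substring copy. Returns the number of bytes copied,
 * 0 for an empty or out-of-range request, -1 if dst is too small. */
int extract_checked(const char *src, size_t src_len, int32_t from, int32_t to,
                    char *dst, size_t dst_cap)
{
    if (from < 1)
        from = 1;                              /* clamp the start position */
    if (to < from || (size_t)from > src_len)
        return 0;                              /* nothing to copy */
    if ((size_t)to > src_len)
        to = (int32_t)src_len;                 /* clamp the end position */
    size_t len = (size_t)(to - from) + 1;      /* cannot be negative here */
    if (len > dst_cap)
        return -1;                             /* refuse to overrun dst */
    memcpy(dst, src + (from - 1), len);
    return (int)len;
}

int main(void)
{
    const char *s = "constructed sample";      /* constructed input */
    char stack_buf[8];
    int32_t naive = 2 - 10;                    /* end before start: -8 */
    printf("naive length as size_t: %zu\n", length_seen_by_memcpy(naive));
    printf("reversed range:  %d\n",
           extract_checked(s, strlen(s), 10, 2, stack_buf, sizeof stack_buf));
    printf("oversized range: %d\n",
           extract_checked(s, strlen(s), 1, 18, stack_buf, sizeof stack_buf));
    return 0;
}
```

The point of the hardened version is that the length is validated while it is still signed, before any conversion to size_t and before it is compared against the destination capacity.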

Impact

The vulnerability primarily affects system availability. The CVSS vector string records no impact on confidentiality (C:N) or integrity (I:N) and a high impact on availability (A:H) (NVD).

Mitigation and workarounds

The vulnerability has been fixed in versions after YottaDB r1.32 and FIS GT.M V7.0-000. Users should upgrade to newer versions to mitigate this vulnerability. For Debian systems, the fix is available in version 7.0-002-1 and later releases (Debian Tracker).

Community reactions

The vulnerability was discovered through fuzz testing of YottaDB, which was part of a broader security testing initiative that uncovered multiple vulnerabilities. This finding was one of 40 bugs fixed in the r1.34 release as part of this testing effort (GitLab Issue).

This report was generated using AI

Related Linux Debian vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-33230 | HIGH | 7.3 | Linux Debian | nvidia-cuda-toolkit | No | No | Jan 20, 2026 |
| CVE-2025-33229 | HIGH | 7.3 | Linux Debian | nvidia-cuda-toolkit | No | No | Jan 20, 2026 |
| CVE-2025-33228 | HIGH | 7.3 | Linux Debian | nvidia-cuda-toolkit | No | No | Jan 20, 2026 |
| CVE-2025-33231 | MEDIUM | 6.7 | Linux Debian | nvidia-cuda-toolkit | No | No | Jan 20, 2026 |
| CVE-2025-15281 | N/A | N/A | Wolfi | glibc-langpack-anp | No | Yes | Jan 20, 2026 |
