[German]Security researchers have discovered a critical vulnerability (Magellan) in the widely used SQLite database software. This could allow attackers to remotely execute arbitrary or malicious code on affected devices.
SQLite is a widely used relational database management system that has minimal requirements from operating systems or external libraries. Therefore it is compatible with almost all devices, platforms and programming languages and is widely used for data storage in app and application development.
The SQLite vulnerability
The Hacker News reported here that Tencent’s Blade security team has discovered a vulnerability, named Magellan, in SQLite. This vulnerability in in older SQLite versions could allow attackers to execute arbitrary code on affected devices over the Internet or a network.
The problem is that SQL is not only used by millions of apps and applications, but also by browsers based on Chromium. So anyone using an SQL dependant app, application or Chromium-based browser may be vulnerable.
So far, however, the discoverers of the vulnerability have not been aware of any cases in which it has been exploited. For security reasons, security specialists do not disclose details of the vulnerability.
When will the vulnerability be fixed?
SQLite has released version 3.26.0, which fixes the bug. Users can only rely on developers who use SQLite in their apps and applications to create and deliver an update of the SQLite libraries used to this version.
For the Google Chrome browser and all other browsers based on Chromium, the SQLite vulnerability should be fixed with Chromium version 71.0.3578.80 (released December 4, 2018).