Researchers have disclosed seven new security vulnerabilities in ClickHouse, an open-source database management system, that could be weaponized to crash the server, leak memory contents, and even lead to arbitrary code execution.
“The vulnerabilities require authentication, but can be triggered by any user with read permission,” Uriya Yavnieli and Or Peles, researchers from DevSecOps firm JFrog, said in a report published on Tuesday.
“This means that an attacker must perform reconnaissance on a specific ClickHouse server target to obtain valid credentials. Any set of credentials will do, as even the most privileged user can trigger all the vulnerabilities.”
Here is the list of the seven flaws:
CVE-2021-43304 and CVE-2021-43305 (CVSS score: 8.8) – Heap buffer overflow vulnerabilities in the LZ4 compression codec that could lead to remote code execution
CVE-2021-42387 and CVE-2021-42388 (CVSS score: 7.1) – Heap out-of-bounds read vulnerabilities in the LZ4 compression codec that could lead to denial of service or information leaks
CVE-2021-42389 (CVSS score: 6.5) – A divide-by-zero vulnerability in the Delta compression codec that could lead to denial of service
CVE-2021-42390 (CVSS score: 6.5) – A divide-by-zero vulnerability in the DeltaDouble compression codec that could lead to denial of service
CVE-2021-42391 (CVSS score: 6.5) – A divide-by-zero vulnerability in the Gorilla compression codec that could lead to denial of service
An attacker could exploit any of these vulnerabilities by sending a specially crafted compressed file to crash a vulnerable database server. ClickHouse users are advised to upgrade to version “v21.10.2.15-stable” or later to mitigate the issues.
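Since the only remediation named in the advisory is the version upgrade, the practical question for a defender is whether each server in an inventory is already on v21.10.2.15 or later. The script below is an added example, not code from the article, JFrog, or the ClickHouse project; it assumes version strings of the form "21.10.2.15" (as returned by ClickHouse's `SELECT version()`), and the host inventory in it is constructed. The point it makes beyond the text is that the comparison must be numeric, component by component: a plain string comparison ranks "21.9.x" above "21.10.x" and would wrongly mark an unpatched server as fixed.

```python
# Added example (not from the article, JFrog, or ClickHouse): check reported
# ClickHouse versions against the fixed release named in the advisory.
# Assumption: versions look like "21.10.2.15", optionally prefixed with "v"
# and suffixed with "-stable"; the sample inventory below is constructed.
from typing import Dict, Tuple

FIXED_VERSION = "21.10.2.15"  # advisory: upgrade to v21.10.2.15-stable or later


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v21.10.2.15-stable' into (21, 10, 2, 15); reject anything non-numeric."""
    core = version.strip().lstrip("v").split("-")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ClickHouse version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is at or above the fixed release.

    Tuples of ints compare numerically, component by component. Comparing the
    raw strings would be wrong: "21.9.99.99" > "21.10.2.15" as text, because
    the character '9' sorts after '1', even though 21.9 predates 21.10.
    """
    return parse_version(version) >= parse_version(fixed)


def triage(reported: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version to host -> 'patched' / 'vulnerable'."""
    return {
        host: ("patched" if is_patched(ver) else "vulnerable")
        for host, ver in reported.items()
    }


if __name__ == "__main__":
    # Constructed inventory, not real hosts or real scan results.
    sample = {
        "db-01.example": "21.8.10.19",          # older minor release: vulnerable
        "db-02.example": "v21.10.2.15-stable",  # exactly the fixed release: patched
        "db-03.example": "22.1.3.7",            # newer major release: patched
        "db-04.example": "21.9.99.99",          # string compare would get this wrong
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

The version string itself should come from the server rather than from package metadata, since a binary can be upgraded on disk without the running process having been restarted.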
The discovery comes a month after JFrog disclosed details of a high-severity vulnerability in Apache Cassandra (CVE-2021-44521, CVSS score: 8.4) that, if left unaddressed, could be abused for remote code execution (RCE) on affected installations.