Security researchers at JFrog have disclosed multiple new high-severity vulnerabilities in ClickHouse, an open-source database management system (DBMS) dedicated to online analytical processing (OLAP). The list is made up of seven vulnerabilities, with CVSS scores ranging from 6.5 to 8.8. Attackers could weaponize these vulnerabilities to leak memory contents, achieve remote code execution, and even crash the servers. Users of the ClickHouse Database Management System should consider reading this post because a user with the lowest privileges can trigger all the vulnerabilities. It is a must to learn how to fix CVE-2021-43304(5), the heap buffer overflow vulnerabilities in ClickHouse Database Management System.
What Is ClickHouse Database Management System?
ClickHouse is an open-source, high-performance columnar OLAP database management system developed by Yandex. It enables DB admins to generate holistic analytical reports using SQL queries in real-time.
List Of Other Vulnerabilities Disclosed In ClickHouse Database Management System:
These are the seven vulnerabilities disclosed in ClickHouse Database Management System:
- CVE-2021-43304 and CVE-2021-43305 – heap buffer overflow vulnerabilities in the LZ4 compression codec when parsing a malicious query
- CVE-2021-42387 and CVE-2021-42388 – heap out-of-bounds read vulnerabilities in the LZ4 compression codec when parsing a malicious query
- CVE-2021-42389 – divide by zero in the Delta compression codec when parsing a malicious query
- CVE-2021-42390 – divide by zero in the DeltaDouble compression codec when parsing a malicious query
- CVE-2021-42391 – divide by zero in the Gorilla compression codec when parsing a malicious query
Summary Of Vulnerabilities Disclosed In ClickHouse Database Management System:
All these vulnerabilities are post-authentication vulnerabilities: attackers need a user account to exploit them. An attacker must first obtain user access (even the lowest privileges suffice, such as a user with only read permissions) before exploitation. Attackers could weaponize these vulnerabilities to leak memory contents, achieve remote code execution, and even crash the servers.
| CVE ID | Description | Potential Impact | CVSSv3.1 Score |
| --- | --- | --- | --- |
| CVE-2021-43304 | Heap buffer overflow vulnerability in LZ4 compression codec that could lead to remote code execution when parsing a malicious query | RCE | 8.8 |
| CVE-2021-43305 | Heap buffer overflow vulnerability in LZ4 compression codec that could lead to remote code execution when parsing a malicious query | RCE | 8.8 |
| CVE-2021-42387 | Heap out-of-bounds read vulnerability in LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1 |
| CVE-2021-42388 | Heap out-of-bounds read vulnerability in LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1 |
| CVE-2021-42389 | Divide-by-zero vulnerability in Delta compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |
| CVE-2021-42390 | Divide-by-zero vulnerability in DeltaDouble compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |
| CVE-2021-42391 | Divide-by-zero vulnerability in Gorilla compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |
ClickHouse Versions Affected By These Vulnerabilities:
All ClickHouse versions earlier than v21.10.2.15 are vulnerable. We recommend checking the version of ClickHouse on your servers and fixing the CVE-2021-43304(5) vulnerabilities as soon as possible.
How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System?
There is no mitigation technique that removes these vulnerabilities from the ClickHouse Database Management System. You should update ClickHouse to v21.10.2.15-stable to fix the flaws.
If it is not possible to upgrade anytime soon, restrict access to the HTTP interface port (8123) and the native TCP server port (9000) to specific clients on your firewalls.
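The interim firewall restriction above, as an added example that is not part of the original post: a POSIX shell script that generates an nftables ruleset allowing only listed client addresses to reach ports 8123 and 9000 and dropping everyone else on those two ports. The table and chain names (`clickhouse_filter`, `input`) and the allow-list addresses are assumptions; the script validates each address argument before it is placed into the ruleset and only loads the rules when `nft` is installed and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): restrict ClickHouse's HTTP port
# (8123) and native TCP port (9000) to an allow-list of client sources using
# nftables. Table/chain names and the allow-list are assumptions.

CLICKHOUSE_PORTS="8123, 9000"

# build_ruleset CIDR...  -> prints an nftables ruleset that accepts the two
# ClickHouse ports only from the given sources and drops all other traffic
# to those ports. Other services on the host are not touched.
build_ruleset() {
    allowed=""
    for cidr in "$@"; do
        # accept only "a.b.c.d" or "a.b.c.d/nn"; refuse anything else so that
        # no stray characters end up inside the generated ruleset
        case "$cidr" in
            ""|*[!0-9./]*) echo "invalid source: $cidr" >&2; return 1 ;;
        esac
        allowed="${allowed:+$allowed, }$cidr"
    done
    [ -n "$allowed" ] || { echo "at least one allowed source is required" >&2; return 1; }
    cat <<EOF
table inet clickhouse_filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # replies to flows that were already accepted keep working
        ct state established,related accept
        # allowed clients may reach the HTTP and native TCP ports
        ip saddr { $allowed } tcp dport { $CLICKHOUSE_PORTS } accept
        # everyone else is dropped on those two ports only
        tcp dport { $CLICKHOUSE_PORTS } drop
    }
}
EOF
}

# apply_ruleset CIDR... -> writes the ruleset to a temp file, syntax-checks it
# with `nft -c` and loads it; when nft is absent the file is left for review.
apply_ruleset() {
    file=$(mktemp) || return 1
    build_ruleset "$@" > "$file" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$file" && nft -f "$file"
    else
        echo "nft not found; generated ruleset left in $file" >&2
    fi
}
```

Run `apply_ruleset 10.0.0.5 10.0.1.0/24` (with your own application servers' addresses) as root; `build_ruleset ...` alone prints the ruleset so it can be reviewed or committed to `/etc/nftables.conf` first.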
Time needed: 10 minutes.
How to Upgrade ClickHouse and fix CVE-2021-43304(5)?
The upgrade process is simple and straightforward. We show the upgrade on Ubuntu; the commands required on RHEL are also covered.
- Check the version of the ClickHouse
Run this command to check the version of ClickHouse.
$ sudo apt list clickhouse-client clickhouse-server
- Update the repository
$ sudo apt update
- Download the ClickHouse packages
Create a directory and download all the required packages from here.
$ mkdir ClickHouse
$ cd ClickHouse
$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-client_21.10.2.15_all.deb
$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static-dbg_21.10.2.15_amd64.deb
$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static_21.10.2.15_amd64.deb
$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-server_21.10.2.15_all.deb
$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-test_21.10.2.15_all.deb
- Install or Upgrade ClickHouse packages
$ chmod +x *.deb
$ sudo apt install /home/arunkl/ClickHouse/*.deb
- Check the version of the ClickHouse after upgrade
Run this command to check the version of ClickHouse.
$ sudo apt list clickhouse-client clickhouse-server
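The version checks at the start and end of the procedure above, together with the "earlier than v21.10.2.15" rule from the affected-versions section, as an added example that is not part of the original post: a POSIX shell script that extracts the four-part version from `clickhouse-server --version` or `apt list` output and reports whether the host is still on an affected release. It assumes only GNU `sort -V` and `grep`; the sample version strings inside the script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an installed
# ClickHouse is older than the fixed release v21.10.2.15. Assumes GNU sort -V.

FIXED_VERSION="21.10.2.15"

# version_lt A B  -> exit 0 when dotted version A sorts strictly before B
# (sort -V compares numerically per component, so 21.9.x < 21.10.x).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# extract_version STRING -> first a.b.c.d version found, e.g. from
# "ClickHouse server version 21.8.4.51 (official build)." or
# "clickhouse-server/stable,now 21.8.4.51 all [installed]" (constructed samples)
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# needs_upgrade STRING -> 0 if the version in STRING is affected, 1 if fixed,
# 2 if no version could be parsed
needs_upgrade() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "no version found in: $1" >&2; return 2; }
    version_lt "$v" "$FIXED_VERSION"
}

# Live check, only when the server binary is actually installed on this host.
if command -v clickhouse-server >/dev/null 2>&1; then
    out=$(clickhouse-server --version 2>/dev/null || true)
    if needs_upgrade "$out"; then
        echo "AFFECTED: $(extract_version "$out") < $FIXED_VERSION, upgrade required"
    else
        echo "OK: $(extract_version "$out") is not earlier than $FIXED_VERSION"
    fi
fi
```

Run it before step 1 and again after step 5; the same `needs_upgrade` function accepts a line from `apt list clickhouse-server`, so it can also be fed the output of the check commands shown above on hosts where the binary is not on `PATH`.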
We hope this post will help you know how to fix CVE-2021-43304(5), the heap buffer overflow vulnerabilities in ClickHouse Database Management System. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium and subscribe to receive updates like this.
Original article, author: ItWorker. If reprinted, please cite the source: https://blog.ytso.com/270179.html