Several Flaws Discovered in ClickHouse OLAP Database System for Big Data

Researchers have revealed seven new security vulnerabilities in an open-source database management system solution called ClickHouse which could be weaponized to crash servers, leak the contents of memory, and even lead to the execution of arbitrary code.

“The vulnerabilities require authentication, but can be triggered by any user with read permissions,” Uriya Yavnieli and Or Peles, researchers at DevSecOps firm JFrog, noted in a report released Tuesday.

“This means the attacker must perform reconnaissance on the specific target of the ClickHouse server to obtain valid credentials. Any set of credentials would do, as even a user with the lowest privileges can trigger all vulnerabilities.”


The list of the seven flaws is below:

  • CVE-2021-43304 and CVE-2021-43305 (CVSS scores: 8.8) – Heap buffer overflow flaws in the LZ4 compression codec that can lead to remote code execution
  • CVE-2021-42387 and CVE-2021-42388 (CVSS scores: 7.1) – Multiple out-of-bounds read flaws in the LZ4 compression codec that could lead to denial of service or information leak
  • CVE-2021-42389 (CVSS score: 6.5) – A divide-by-zero flaw in the Delta compression codec that could lead to a denial of service condition
  • CVE-2021-42390 (CVSS score: 6.5) – A divide-by-zero flaw in the DeltaDouble compression codec that could lead to a denial of service condition
  • CVE-2021-42391 (CVSS score: 6.5) – A divide-by-zero flaw in the Gorilla compression codec that could lead to a denial of service condition

An attacker can take advantage of any of the aforementioned flaws by using a specially crafted compressed file to crash a vulnerable database server. ClickHouse users are recommended to upgrade to “v21.10.2.15-stable” or later to mitigate the issues.
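As an added illustration, not part of the JFrog report or of ClickHouse's own code, the check below compares the version a server reports against the fixed release named above. It assumes version strings in the form ClickHouse's `version()` function returns (for example `21.9.4.35`, optionally with a `v` prefix or `-stable` suffix) and a host-to-version inventory, which is constructed sample data here.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the advisory; anything older is affected.
FIXED_VERSION = "21.10.2.15"


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn a ClickHouse version string such as '21.10.2.15-stable' or
    'v21.9.4.35' into a tuple of ints, ignoring any prefix or suffix."""
    m = re.search(r"(\d+(?:\.\d+)+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(reported: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported version is older than the fixed release.

    Tuples of ints are compared on purpose: a plain string comparison
    would rank '21.9.4.35' above '21.10.2.15' (because '9' > '1') and
    wrongly report a vulnerable server as patched. A version with fewer
    components than the fixed one (e.g. '21.10') sorts below it and is
    therefore flagged, which is the conservative outcome.
    """
    return parse_version(reported) < parse_version(fixed)


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose reported version is affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "ch-01": "21.9.4.35",
    "ch-02": "21.10.2.15-stable",
    "ch-03": "v21.8.10.19",
    "ch-04": "21.11.3.6",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_VERSION}, upgrade")
```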

The findings come a month after JFrog disclosed details of a high-severity security vulnerability in Apache Cassandra (CVE-2021-44521, CVSS score: 8.4) that, if left unaddressed, could be abused to achieve remote code execution (RCE) on affected installations.
