Security News > 2022 > March > Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data
Researchers have disclosed seven new security vulnerabilities in an open-source database management system solution called ClickHouse that could be weaponized to crash the servers, leak memory contents, and even lead to the execution of arbitrary code.
CVE-2021-43304 and CVE-2021-43305 - Heap buffer overflow flaws in the LZ4 compression codec that could lead to remote code execution.
CVE-2021-42387 and CVE-2021-42388 - Heap out-of-bounds read flaws in the LZ4 compression codec that could lead to denial-of-service or information leakage.
CVE-2021-42389 - A divide-by-zero flaw in the Delta compression codec that could result in a denial-of-service condition.
CVE-2021-42390 - A divide-by-zero flaw in the DeltaDouble compression codec that could result in a denial-of-service condition.
An attacker can take advantage of any of the aforementioned flaws by using a specially crafted compressed file to crash a vulnerable database server.
News URL
https://thehackernews.com/2022/03/multiple-flaws-uncovered-in-clickhouse.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-14 | CVE-2021-43305 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.8 |
2022-03-14 | CVE-2021-43304 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.8 |
2022-03-14 | CVE-2021-42390 | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query. | 4.0 |
2022-03-14 | CVE-2021-42389 | Divide By Zero vulnerability in Yandex Clickhouse Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query. | 4.0 |
2022-03-14 | CVE-2021-42388 | Out-of-bounds Read vulnerability in multiple products Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.1 |
2022-03-14 | CVE-2021-42387 | Out-of-bounds Read vulnerability in multiple products Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. | 8.1 |