Security News > 2022 > March > Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data

Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data
2022-03-16 00:53

Researchers have disclosed seven new security vulnerabilities in an open-source database management system solution called ClickHouse that could be weaponized to crash the servers, leak memory contents, and even lead to the execution of arbitrary code.

CVE-2021-43304 and CVE-2021-43305 - Heap buffer overflow flaws in the LZ4 compression codec that could lead to remote code execution.

CVE-2021-42387 and CVE-2021-42388 - Heap out-of-bounds read flaws in the LZ4 compression codec that could lead to denial-of-service or information leakage.

CVE-2021-42389 - A divide-by-zero flaw in the Delta compression codec that could result in a denial-of-service condition.

CVE-2021-42390 - A divide-by-zero flaw in the DeltaDouble compression codec that could result in a denial-of-service condition.

An attacker can take advantage of any of the aforementioned flaws by using a specially crafted compressed file to crash a vulnerable database server.


News URL

https://thehackernews.com/2022/03/multiple-flaws-uncovered-in-clickhouse.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-03-14 CVE-2021-43305 Out-of-bounds Write vulnerability in multiple products
Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query.
network
low complexity
yandex debian CWE-787
8.8
2022-03-14 CVE-2021-43304 Out-of-bounds Write vulnerability in multiple products
Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query.
network
low complexity
yandex debian CWE-787
8.8
2022-03-14 CVE-2021-42390 Divide By Zero vulnerability in Yandex Clickhouse
Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query.
network
low complexity
yandex CWE-369
6.5
2022-03-14 CVE-2021-42389 Divide By Zero vulnerability in Yandex Clickhouse
Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query.
network
low complexity
yandex CWE-369
6.5
2022-03-14 CVE-2021-42388 Out-of-bounds Read vulnerability in multiple products
Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query.
network
low complexity
yandex debian CWE-125
8.1
2022-03-14 CVE-2021-42387 Out-of-bounds Read vulnerability in multiple products
Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query.
network
low complexity
yandex debian CWE-125
8.1