
Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data
2022-03-16 00:53

Researchers have disclosed seven new security vulnerabilities in the open-source database management system ClickHouse that could be exploited to crash servers, leak memory contents, and even lead to the execution of arbitrary code.

CVE-2021-43304 and CVE-2021-43305 - Heap buffer overflow flaws in the LZ4 compression codec that could lead to remote code execution.

CVE-2021-42387 and CVE-2021-42388 - Heap out-of-bounds read flaws in the LZ4 compression codec that could lead to denial-of-service or information leakage.

CVE-2021-42389 - A divide-by-zero flaw in the Delta compression codec that could result in a denial-of-service condition.

CVE-2021-42390 - A divide-by-zero flaw in the DeltaDouble compression codec that could result in a denial-of-service condition.

An attacker can take advantage of any of the aforementioned flaws by using a specially crafted compressed file to crash a vulnerable database server.
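The four LZ4 flaws above are all the same class of defect: a decoder that trusts the lengths and offsets inside a compressed block. The following is an added example, not ClickHouse's or the lz4 project's own code, of what a decoder for the raw LZ4 block format (token, literals, 2-byte little-endian match offset, match) looks like when every field is validated before it is used. The function names and the sample blocks are constructed for this illustration; the block layout follows the public LZ4 block format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not ClickHouse or lz4 project code): a checked decoder for
 * the raw LZ4 block format. Every read from src and every write to dst is
 * bounds-checked first, so a malformed block is rejected with -1 instead of
 * turning into the heap out-of-bounds read or write the article describes. */
int lz4_block_decode_checked(const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    const uint8_t *ip = src, *src_end = src + src_len;
    uint8_t *op = dst, *dst_end = dst + dst_cap;

    while (ip < src_end) {
        uint8_t token = *ip++;

        /* Literal length: high nibble, extended by 255-step bytes when it is 15. */
        size_t lit_len = token >> 4;
        if (lit_len == 15) {
            uint8_t b;
            do {
                if (ip >= src_end) return -1;        /* extension runs past the input */
                b = *ip++;
                lit_len += b;
            } while (b == 255);
        }
        if (lit_len > (size_t)(src_end - ip)) return -1;  /* literals past the input */
        if (lit_len > (size_t)(dst_end - op)) return -1;  /* literals past the output */
        memcpy(op, ip, lit_len);
        ip += lit_len;
        op += lit_len;

        if (ip == src_end) break;   /* the last sequence carries literals only */

        /* Match offset: must point back into bytes this block already produced. */
        if ((size_t)(src_end - ip) < 2) return -1;
        size_t offset = (size_t)ip[0] | ((size_t)ip[1] << 8);
        ip += 2;
        if (offset == 0 || offset > (size_t)(op - dst)) return -1;

        /* Match length: low nibble + 4, with the same extension scheme. */
        size_t match_len = (size_t)(token & 0x0F) + 4;
        if ((token & 0x0F) == 15) {
            uint8_t b;
            do {
                if (ip >= src_end) return -1;
                b = *ip++;
                match_len += b;
            } while (b == 255);
        }
        if (match_len > (size_t)(dst_end - op)) return -1;  /* match past the output */

        /* Byte-wise copy so overlapping matches (offset < match_len) replicate. */
        const uint8_t *match = op - offset;
        for (size_t i = 0; i < match_len; i++) op[i] = match[i];
        op += match_len;
    }
    *out_len = (size_t)(op - dst);
    return 0;
}

/* Constructed sample blocks (not taken from any report or exploit). */
/* "abc" as literals, match offset 3 length 4, then five trailing literals
 * -> "abcabcabcabc" (12 bytes). */
static const uint8_t SAMPLE_OK[] = {0x30,'a','b','c', 0x03,0x00, 0x50,'b','c','a','b','c'};
/* Same opening, but the offset points 16 bytes back when only 3 exist. */
static const uint8_t SAMPLE_BAD_OFFSET[] = {0x30,'a','b','c', 0x10,0x00};
/* Token promises 4 literals but only one byte follows. */
static const uint8_t SAMPLE_SHORT_LITERALS[] = {0x40,'a'};
/* Literal length 15 needs an extension byte, and none is present. */
static const uint8_t SAMPLE_TRUNC_EXT[] = {0xF0};

/* Decode into a 64-byte scratch buffer while advertising only dst_cap bytes
 * of room; returns the decoded length, or -1 if the block was rejected. */
int decode_sample(const uint8_t *blk, size_t blk_len, size_t dst_cap)
{
    uint8_t out[64];
    size_t n = 0;
    if (dst_cap > sizeof out) dst_cap = sizeof out;
    if (lz4_block_decode_checked(blk, blk_len, out, dst_cap, &n) != 0) return -1;
    return (int)n;
}

/* 1 if the block decodes to exactly `expect`, 0 otherwise. */
int decoded_equals(const uint8_t *blk, size_t blk_len, const char *expect)
{
    uint8_t out[64];
    size_t n = 0;
    if (lz4_block_decode_checked(blk, blk_len, out, sizeof out, &n) != 0) return 0;
    return n == strlen(expect) && memcmp(out, expect, n) == 0;
}

int main(void)
{
    printf("valid block decodes to %d bytes\n", decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, 64));
    printf("bad offset rejected: %d\n", decode_sample(SAMPLE_BAD_OFFSET, sizeof SAMPLE_BAD_OFFSET, 64));
    printf("output too small rejected: %d\n", decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, 5));
    return 0;
}
```

Each `return -1` marks a check that, if missing, maps onto one of the CWE classes in the table below: a literal or match length not compared against the remaining output gives an out-of-bounds write (CWE-787), and a literal length or offset not compared against the input or the bytes already produced gives an out-of-bounds read (CWE-125). A decoder that also reports which check failed is a useful detection signal, since well-formed data from a trusted encoder should never trip any of them.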

News URL

https://thehackernews.com/2022/03/multiple-flaws-uncovered-in-clickhouse.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                      RISK
2022-03-14  CVE-2021-43305  Out-of-bounds Write vulnerability in multiple products   8.8
            Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query.
            Attack vector: network; complexity: low; vendors: yandex, debian; CWE-787
2022-03-14  CVE-2021-43304  Out-of-bounds Write vulnerability in multiple products   8.8
            Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query.
            Attack vector: network; complexity: low; vendors: yandex, debian; CWE-787
2022-03-14  CVE-2021-42390  Divide By Zero vulnerability in Yandex Clickhouse        4.0
            Divide-by-zero in Clickhouse's DeltaDouble compression codec when parsing a malicious query.
            Attack vector: network; complexity: low; vendors: yandex; CWE-369
2022-03-14  CVE-2021-42389  Divide By Zero vulnerability in Yandex Clickhouse        4.0
            Divide-by-zero in Clickhouse's Delta compression codec when parsing a malicious query.
            Attack vector: network; complexity: low; vendors: yandex; CWE-369
2022-03-14  CVE-2021-42388  Out-of-bounds Read vulnerability in multiple products    8.1
            Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query.
            Attack vector: network; complexity: low; vendors: yandex, debian; CWE-125
2022-03-14  CVE-2021-42387  Out-of-bounds Read vulnerability in multiple products    8.1
            Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query.
            Attack vector: network; complexity: low; vendors: yandex, debian; CWE-125