Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data

Researchers have disclosed seven new security vulnerabilities in an open-source database management system solution called ClickHouse that could be weaponized to crash the servers, leak memory contents, and even lead to the execution of arbitrary code.

"The vulnerabilities require authentication, but can be triggered by any user with read permissions," Uriya Yavnieli and Or Peles, researchers from DevSecOps firm JFrog, said in a report published Tuesday.

"This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. Any set of credentials would do, since even a user with the lowest privileges can trigger all of the vulnerabilities."

The list of seven flaws is below –

• CVE-2021-43304 and CVE-2021-43305 (CVSS scores: 8.8) – Heap buffer overflow flaws in the LZ4 compression codec that could lead to remote code execution
• CVE-2021-42387 and CVE-2021-42388 (CVSS scores: 7.1) – Heap out-of-bounds read flaws in the LZ4 compression codec that could lead to denial-of-service or information leakage
• CVE-2021-42389 (CVSS score: 6.5) – A divide-by-zero flaw in the Delta compression codec that could result in a denial-of-service condition
• CVE-2021-42390 (CVSS score: 6.5) – A divide-by-zero flaw in the DeltaDouble compression codec that could result in a denial-of-service condition
• CVE-2021-42391 (CVSS score: 6.5) – A divide-by-zero flaw in the Gorilla compression codec that could result in a denial-of-service condition

An attacker can take advantage of any of the aforementioned flaws by using a specially crafted compressed file to crash a vulnerable database server. ClickHouse users are recommended to upgrade to version "v21.10.2.15-stable" or later to mitigate the issues.

The findings come a month after JFrog disclosed details of a high-severity security vulnerability in Apache Cassandra (CVE-2021-44521, CVSS score: 8.4) that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations.