March 19, 2022

How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System


Security researchers at JFrog have disclosed multiple new high-severity vulnerabilities in ClickHouse, an open-source database management system (DBMS) dedicated to online analytical processing (OLAP). The list is made up of seven vulnerabilities with CVSS scores ranging from 6.5 to 8.8. According to the researchers, attackers could weaponize these vulnerabilities to leak memory contents, achieve remote code execution, and even crash the servers. Users of the ClickHouse Database Management System should read this post because a user with the lowest privileges can trigger all of these vulnerabilities, so it is essential to learn how to fix CVE-2021-43304(5), the heap buffer overflow vulnerabilities in ClickHouse Database Management System.

What Is ClickHouse Database Management System?

ClickHouse is an open-source, high-performance columnar OLAP database management system developed by Yandex. It enables DB admins to generate holistic analytical reports using SQL queries in real-time.

List Of All Vulnerabilities Disclosed In ClickHouse Database Management System:

These are the seven vulnerabilities disclosed in ClickHouse Database Management System:

  • CVE-2021-43304 and CVE-2021-43305: heap buffer overflow vulnerabilities in the LZ4 compression codec when parsing a malicious query

  • CVE-2021-42387 and CVE-2021-42388: heap out-of-bounds read vulnerabilities in the LZ4 compression codec when parsing a malicious query

  • CVE-2021-42389: divide-by-zero in the Delta compression codec when parsing a malicious query

  • CVE-2021-42390: divide-by-zero in the DeltaDouble compression codec when parsing a malicious query

  • CVE-2021-42391: divide-by-zero in the Gorilla compression codec when parsing a malicious query

Summary Of Vulnerabilities Disclosed In ClickHouse Database Management System:

All of these are post-authentication vulnerabilities: an attacker needs a valid user account to exploit them, so obtaining user access (even with the lowest privileges, such as a user with only read permissions) is a prerequisite to exploitation. Attackers could weaponize these vulnerabilities to leak memory contents, achieve remote code execution, and even crash the servers.

| CVE ID | Description | Potential Impact | CVSSv3.1 Score |
|---|---|---|---|
| CVE-2021-43304 | Heap buffer overflow vulnerability in the LZ4 compression codec that could lead to remote code execution when parsing a malicious query | RCE | 8.8 |
| CVE-2021-43305 | Heap buffer overflow vulnerability in the LZ4 compression codec that could lead to remote code execution when parsing a malicious query | RCE | 8.8 |
| CVE-2021-42387 | Heap out-of-bounds read vulnerability in the LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1 |
| CVE-2021-42388 | Heap out-of-bounds read vulnerability in the LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1 |
| CVE-2021-42389 | Divide-by-zero vulnerability in the Delta compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |
| CVE-2021-42390 | Divide-by-zero vulnerability in the DeltaDouble compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |
| CVE-2021-42391 | Divide-by-zero vulnerability in the Gorilla compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |

ClickHouse Versions Affected By These Vulnerabilities:

All ClickHouse versions earlier than v21.10.2.15 are vulnerable. We recommend checking the version of ClickHouse on your servers and fixing the CVE-2021-43304(5) vulnerabilities as soon as possible.

How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System?

There is no workaround that fixes these vulnerabilities in the ClickHouse Database Management System; you should update ClickHouse to the v21.10.2.15-stable version to fix the flaws.

If it is not possible to upgrade soon, restrict access to the HTTP port (8123) and the native TCP port (9000) to specific trusted clients on your firewalls.

How to Upgrade ClickHouse and Fix CVE-2021-43304(5)?

The upgrade process is simple and straightforward. We will show the upgrade process on Ubuntu. However, we will also cover the commands required to upgrade on RHEL.

Step 1. Check the version of ClickHouse

Run this command to check the version of ClickHouse.

$ sudo apt list clickhouse-client clickhouse-server

Step 2. Update the repository

$ sudo apt update

Step 3. Download the ClickHouse packages

Create a directory and download all the required packages from the ClickHouse GitHub releases page.

$ mkdir ClickHouse

$ cd ClickHouse

$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-client_21.10.2.15_all.deb

$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static-dbg_21.10.2.15_amd64.deb

$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static_21.10.2.15_amd64.deb

$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-server_21.10.2.15_all.deb

$ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-test_21.10.2.15_all.deb

Step 4. Install or upgrade the ClickHouse packages

$ chmod +x *.deb

$ sudo apt install /home/arunkl/ClickHouse/*.deb

Step 5. Check the version of ClickHouse after the upgrade

Run this command to check the version of ClickHouse.

$ sudo apt list clickhouse-client clickhouse-server
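As an added example (not part of the original post), the following POSIX shell check parses the `apt list --installed` output from the version-check steps and reports whether the installed clickhouse-server build is older than v21.10.2.15-stable, the release this post names as the fix. The sample listing is constructed, and the function names are mine; the compare is numeric per component because a plain string sort would wrongly rank 21.9 above 21.10.

```shell
#!/bin/sh
# Added example, not ClickHouse project code. Assumes the four-part
# ClickHouse version scheme (YY.MM.PATCH.BUILD) used by the Debian packages.
FIXED_VERSION="21.10.2.15"   # first release the post names as fixed

# version_lt A B -> returns 0 (true) when A is lower than B, compared
# component by component as integers (so 21.9.x.y < 21.10.x.y).
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}          # missing components count as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1                          # equal versions are not "lower"
}

# Reads `apt list --installed` output on stdin and prints the installed
# clickhouse-server version, e.g. from the line
#   clickhouse-server/stable,now 21.9.4.35 all [installed]
installed_version() {
    awk '/^clickhouse-server\// && /\[installed/ { print $2; exit }'
}

# clickhouse_status "<apt list output>" -> VULNERABLE (...), FIXED (...) or NOT_INSTALLED
clickhouse_status() {
    v=$(printf '%s\n' "$1" | installed_version)
    if [ -z "$v" ]; then echo "NOT_INSTALLED"; return 0; fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE ($v < $FIXED_VERSION)"
    else
        echo "FIXED ($v)"
    fi
}

# Constructed sample listing (not captured from a real host) for a stand-alone run.
SAMPLE_OLD="Listing... Done
clickhouse-client/stable,now 21.9.4.35 all [installed]
clickhouse-server/stable,now 21.9.4.35 all [installed]"

clickhouse_status "$SAMPLE_OLD"
# On a real host:
#   clickhouse_status "$(apt list --installed clickhouse-server 2>/dev/null)"
```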

We hope this post helps you understand how to fix CVE-2021-43304(5), the heap buffer overflow vulnerabilities in ClickHouse Database Management System. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
