How to Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities in ClickHouse Database Management System

Security researchers at JFrog have disclosed multiple new high-severity vulnerabilities in ClickHouse, an open-source database management system (DBMS) built for online analytical processing (OLAP). The list consists of seven vulnerabilities with CVSS scores ranging from 6.5 to 8.8. Attackers could weaponize them to leak memory contents, achieve remote code execution, and crash servers. Users of the ClickHouse Database Management System should read this post because a user with the lowest privileges can trigger all of the vulnerabilities, so it is essential to learn how to fix CVE-2021-43304(5), the heap buffer overflow vulnerabilities in ClickHouse Database Management System.

What Is ClickHouse Database Management System?

ClickHouse is an open-source, high-performance columnar OLAP database management system developed by Yandex. It lets database administrators generate analytical reports from SQL queries in real time.

List Of Vulnerabilities Disclosed In ClickHouse Database Management System:

These are the seven vulnerabilities disclosed in ClickHouse Database Management System:

  • CVE-2021-43304 and CVE-2021-43305 – heap buffer overflow vulnerabilities in the LZ4 compression codec when parsing a malicious query
  • CVE-2021-42387 and CVE-2021-42388 – heap out-of-bounds read vulnerabilities in the LZ4 compression codec when parsing a malicious query
  • CVE-2021-42389 – divide by zero in the Delta compression codec when parsing a malicious query
  • CVE-2021-42390 – divide by zero in the DeltaDouble compression codec when parsing a malicious query
  • CVE-2021-42391 – divide by zero in the Gorilla compression codec when parsing a malicious query

Summary Of Vulnerabilities Disclosed In ClickHouse Database Management System:

All of these are post-authentication vulnerabilities: an attacker needs a valid user account to exploit them, but an account with the lowest privileges (for example, a user with only read permissions) is enough. Attackers could weaponize the flaws to leak memory contents, achieve remote code execution, or crash the server.

CVE ID         | Description                                                                                                                          | Potential Impact                         | CVSSv3.1 Score
CVE-2021-43304 | Heap buffer overflow vulnerability in LZ4 compression codec that could lead to remote code execution when parsing a malicious query  | RCE                                      | 8.8
CVE-2021-43305 | Heap buffer overflow vulnerability in LZ4 compression codec that could lead to remote code execution when parsing a malicious query  | RCE                                      | 8.8
CVE-2021-42387 | Heap out-of-bounds read vulnerability in LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1
CVE-2021-42388 | Heap out-of-bounds read vulnerability in LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1
CVE-2021-42389 | Divide-by-zero vulnerability in Delta compression codec that could lead to denial-of-service when parsing a malicious query          | Denial of Service                        | 6.5
CVE-2021-42390 | Divide-by-zero vulnerability in DeltaDouble compression codec that could lead to denial-of-service when parsing a malicious query    | Denial of Service                        | 6.5
CVE-2021-42391 | Divide-by-zero vulnerability in Gorilla compression codec that could lead to denial-of-service when parsing a malicious query        | Denial of Service                        | 6.5

ClickHouse Versions Affected By These Vulnerabilities:

All ClickHouse versions earlier than v21.10.2.15 are vulnerable. We recommend checking the ClickHouse version on your servers and fixing the CVE-2021-43304(5) vulnerabilities as soon as possible.

How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System?

There is no workaround that removes these vulnerabilities from ClickHouse Database Management System. You should update ClickHouse to the v21.10.2.15-stable version to fix the flaws.

If it is not possible to upgrade soon, restrict access to the HTTP interface port (8123) and the native TCP server port (9000) to specific trusted clients at the firewall. This only reduces exposure: any client that can still authenticate, even with read-only rights, can trigger the bugs.
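As an added example (not from the original post) of the interim firewall restriction, the script below generates iptables rules that allow only listed client addresses to reach ports 8123 and 9000 and drop every other connection to them. It assumes iptables is in use and that the list of legitimate ClickHouse clients is known; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post or from the ClickHouse project.
# Interim mitigation until ClickHouse can be upgraded to v21.10.2.15:
# allow-list trusted clients on the HTTP (8123) and native TCP (9000) ports
# and drop everyone else. Assumption: the host filters traffic with iptables.

CH_PORTS="8123 9000"

# Print the iptables commands for the given client IPs/CIDRs.
# Rules are printed, not executed, so an operator can review them first.
ch_firewall_rules() {
    # $@ = allowed client addresses, e.g. 10.0.1.0/24 10.0.2.15
    for port in $CH_PORTS; do
        for client in "$@"; do
            echo "iptables -A INPUT -p tcp --dport $port -s $client -j ACCEPT"
        done
        # Default-deny for this port after the allow-list entries.
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Stand-alone use: ./ch_firewall.sh 10.0.1.0/24 10.0.2.15 | sudo sh
if [ $# -gt 0 ]; then
    ch_firewall_rules "$@"
fi
```

The ACCEPT rules must precede the DROP rule for each port, which is why the function emits them in that order; if the host already has a default-deny INPUT policy, only the ACCEPT lines are needed.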

Time needed: 10 minutes.

How to Upgrade ClickHouse and fix CVE-2021-43304(5)?

The upgrade process is simple and straightforward. We will show the upgrade on Ubuntu; the same package versions are published for RHEL-based systems as well.

  1. Check the version of the ClickHouse

    Run this command to check the version of ClickHouse.

    $ sudo apt list clickhouse-client clickhouse-server

  2. Update the repository

    $ sudo apt update

  3. Download the ClickHouse packages

    Create a directory and download all the required packages from the v21.10.2.15-stable release on GitHub. The --no-check-certificate flag disables TLS certificate verification for the download; drop it unless your host's CA bundle cannot validate github.com, and verify the downloaded packages before installing them.

    $ mkdir ClickHouse

    $ cd ClickHouse

    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-client_21.10.2.15_all.deb

    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static-dbg_21.10.2.15_amd64.deb

    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static_21.10.2.15_amd64.deb

    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-server_21.10.2.15_all.deb

    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-test_21.10.2.15_all.deb

  4. Install or Upgrade ClickHouse packages

    $ chmod +x *.deb

    $ sudo apt install /home/arunkl/ClickHouse/*.deb

  5. Check the version of the ClickHouse after upgrade

    Run this command to check the version of ClickHouse.

    $ sudo apt list clickhouse-client clickhouse-server
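To make the before-and-after version check in steps 1 and 5 repeatable across a fleet, here is an added example (not from the original post or the ClickHouse project) that parses the version out of apt list output and compares it numerically against the fixed release. It assumes the ClickHouse four-component version format (e.g. 21.10.2.15) and the apt list line format shown in the comments; the sample line used in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or from the ClickHouse project.
# Decide whether an installed ClickHouse build is older than the release
# that fixes CVE-2021-43304/43305 and the related codec bugs.
# Assumption: versions have the ClickHouse form A.B.C.D (e.g. 21.10.2.15).

FIXED_VERSION="21.10.2.15"

# version_lt V1 V2: returns 0 (true) if V1 < V2, comparing each dotted
# component numerically. Missing trailing components count as 0.
version_lt() {
    # Keep only digits and dots; pad with dots so `cut` always sees delimiters.
    v1=$(printf '%s...' "$1" | tr -cd '0-9.')
    v2=$(printf '%s...' "$2" | tr -cd '0-9.')
    i=1
    while [ $i -le 4 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f$i); a=${a:-0}
        b=$(printf '%s' "$v2" | cut -d. -f$i); b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # versions are equal, so not "less than"
}

# ch_is_vulnerable VERSION: true when VERSION predates the fixed release.
ch_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# apt_list_version LINE: extract the version from one line of
# `apt list clickhouse-server` output, which looks like (constructed sample):
#   clickhouse-server/stable,now 21.9.4.35 all [installed]
apt_list_version() {
    printf '%s\n' "$1" | sed -n 's/^clickhouse-server\/[^ ]* \([0-9][0-9.]*\) .*/\1/p'
}

# Stand-alone use: ./ch_version_check.sh "$(apt list clickhouse-server 2>/dev/null | grep '^clickhouse-server/')"
if [ $# -gt 0 ]; then
    ver=$(apt_list_version "$1")
    [ -n "$ver" ] || ver=$1          # accept a bare version string too
    if ch_is_vulnerable "$ver"; then
        echo "clickhouse-server $ver is older than $FIXED_VERSION: upgrade required"
    else
        echo "clickhouse-server $ver is at or above $FIXED_VERSION"
    fi
fi
```

A plain string comparison would wrongly rank 21.9.4.35 above 21.10.2.15, which is why the comparison is done component by component.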

We hope this post helps you fix CVE-2021-43304(5), the heap buffer overflow vulnerabilities in ClickHouse Database Management System. Please share this post and help to secure the digital world.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
