How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System


Security researchers at JFrog have disclosed multiple new high-severity vulnerabilities in ClickHouse, an open-source database management system (DBMS) dedicated to online analytical processing (OLAP). The list consists of seven vulnerabilities with CVSS scores ranging from 6.5 to 8.8. Attackers could weaponize these vulnerabilities to leak memory contents, achieve remote code execution, and even crash servers. Users of the ClickHouse Database Management System should read this post, because a user with the lowest privileges can trigger all of the vulnerabilities. It is essential to learn how to fix CVE-2021-43304(5), the heap buffer overflow vulnerabilities in the ClickHouse Database Management System.

What Is ClickHouse Database Management System?

ClickHouse is an open-source, high-performance columnar OLAP database management system developed by Yandex. It enables database administrators to generate comprehensive analytical reports from SQL queries in real time.

List Of Other Vulnerabilities Disclosed In ClickHouse Database Management System:

These are the seven vulnerabilities disclosed in ClickHouse Database Management System:

  • CVE-2021-43304 and CVE-2021-43305 – heap buffer overflow vulnerabilities in the LZ4 compression codec when parsing a malicious query
  • CVE-2021-42387 and CVE-2021-42388 – heap out-of-bounds read vulnerabilities in the LZ4 compression codec when parsing a malicious query
  • CVE-2021-42389 – divide by zero in the Delta compression codec when parsing a malicious query
  • CVE-2021-42390 – divide by zero in the DeltaDouble compression codec when parsing a malicious query
  • CVE-2021-42391 – divide by zero in the Gorilla compression codec when parsing a malicious query

Summary Of Vulnerabilities Disclosed In ClickHouse Database Management System:

All of these vulnerabilities are post-authentication: an attacker needs a valid ClickHouse user account to exploit them. Obtaining that user access (even with the lowest privileges, such as a user with only read permissions) is the prerequisite for exploitation. With it, attackers could weaponize these vulnerabilities to leak memory contents, achieve remote code execution, and even crash the servers.

| CVE ID | Description | Potential Impact | CVSSv3.1 Score |
|---|---|---|---|
| CVE-2021-43304 | Heap buffer overflow vulnerability in LZ4 compression codec that could lead to remote code execution when parsing a malicious query | RCE | 8.8 |
| CVE-2021-43305 | Heap buffer overflow vulnerability in LZ4 compression codec that could lead to remote code execution when parsing a malicious query | RCE | 8.8 |
| CVE-2021-42387 | Heap out-of-bounds read vulnerability in LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1 |
| CVE-2021-42388 | Heap out-of-bounds read vulnerability in LZ4 compression codec that could lead to denial-of-service or information leakage when parsing a malicious query | Denial of Service or Information Leakage | 7.1 |
| CVE-2021-42389 | Divide-by-zero vulnerability in Delta compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |
| CVE-2021-42390 | Divide-by-zero vulnerability in DeltaDouble compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |
| CVE-2021-42391 | Divide-by-zero vulnerability in Gorilla compression codec that could lead to denial-of-service when parsing a malicious query | Denial of Service | 6.5 |

ClickHouse Versions Affected By These Vulnerabilities:

All ClickHouse versions earlier than v21.10.2.15 are vulnerable. We recommend checking the version of ClickHouse on your servers and fixing the CVE-2021-43304(5) vulnerabilities as soon as possible.

 


How To Fix CVE-2021-43304(5)- Heap Buffer Overflow Vulnerabilities In ClickHouse Database Management System?

There is no mitigation technique that fixes these vulnerabilities in the ClickHouse Database Management System; you should update ClickHouse to the v21.10.2.15-stable release to fix the flaws.

If you cannot upgrade soon, restrict access to the HTTP interface port (8123) and the native TCP server port (9000) to specific trusted clients on your firewalls.
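One way to express that interim restriction as a reviewable rule set, as an added example that is not part of the original post or of ClickHouse: the helper below generates iptables commands that send traffic for ports 8123 and 9000 (the ports named above) to a dedicated chain, accept only an allow-list of client addresses plus loopback, and drop everything else. The chain name CLICKHOUSE and the client addresses are assumptions chosen for the example; review the printed commands before running them as root.

```shell
#!/bin/sh
# Generate iptables rules that limit ClickHouse's HTTP (8123) and native TCP (9000)
# ports to an allow-list of clients. Added helper for this post, not ClickHouse code.
# The dedicated chain is inserted at position 1 of INPUT so it takes effect even if
# an existing broad ACCEPT rule is already present further down the chain.

CH_PORTS="8123,9000"   # ports from the post: HTTP interface and native TCP server
CH_CHAIN="CLICKHOUSE"  # assumed chain name for this example

# clickhouse_allowlist_rules "<space-separated client IPs or CIDRs>"
# Prints the iptables commands; returns 1 (and prints nothing) if no clients are given,
# because an empty allow-list would lock every remote client out.
clickhouse_allowlist_rules() {
    clients="$1"
    if [ -z "$clients" ]; then
        echo "error: no clients given; refusing to generate a rule set that blocks everyone" >&2
        return 1
    fi
    printf 'iptables -N %s\n' "$CH_CHAIN"
    printf 'iptables -I INPUT 1 -p tcp -m multiport --dports %s -j %s\n' "$CH_PORTS" "$CH_CHAIN"
    # Keep local tooling (e.g. clickhouse-client on the server itself) working.
    printf 'iptables -A %s -i lo -j ACCEPT\n' "$CH_CHAIN"
    for client in $clients; do
        printf 'iptables -A %s -s %s -j ACCEPT\n' "$CH_CHAIN" "$client"
    done
    # Default deny for the ClickHouse ports: anything not listed above is dropped.
    printf 'iptables -A %s -j DROP\n' "$CH_CHAIN"
}

# clickhouse_rule_count "<clients>": number of commands the generator emits
# (chain creation + INPUT jump + loopback accept + one accept per client + final drop).
clickhouse_rule_count() {
    clickhouse_allowlist_rules "$1" | wc -l | tr -d ' '
}

# Example invocation with constructed client addresses:
#   clickhouse_allowlist_rules "10.0.0.5 10.0.1.0/24"
```

The generator only prints commands; applying them requires root, and the same structure (jump to a dedicated chain, explicit accepts, final drop) carries over to nftables or a cloud security group. The loopback accept is a design choice so that local administration is not cut off while the restriction is in place.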


Time needed: 10 minutes.

How to Upgrade ClickHouse and fix CVE-2021-43304(5)?

The upgrade process is simple and straightforward. We will show the upgrade on Ubuntu and also cover the commands required to upgrade on RHEL.

  1. Check the version of ClickHouse. Run this command to check the installed version:

    $ sudo apt list clickhouse-client clickhouse-server

  2. Update the repository:

    $ sudo apt update

  3. Download the ClickHouse packages. Create a directory and download all the required packages from here:

    $ mkdir ClickHouse
    $ cd ClickHouse
    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-client_21.10.2.15_all.deb
    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static-dbg_21.10.2.15_amd64.deb
    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-common-static_21.10.2.15_amd64.deb
    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-server_21.10.2.15_all.deb
    $ wget --no-check-certificate https://github.com/ClickHouse/ClickHouse/releases/download/v21.10.2.15-stable/clickhouse-test_21.10.2.15_all.deb

  4. Install or upgrade the ClickHouse packages:

    $ chmod +x *.deb
    $ sudo apt install /home/arunkl/ClickHouse/*.deb

  5. Check the version of ClickHouse after the upgrade. Run the version check again:

    $ sudo apt list clickhouse-client clickhouse-server
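Steps 1 and 5 both rely on reading the version out of `apt list` and deciding whether it is below the fixed release. The helper below, an added example that is not from the original post or from ClickHouse, does that comparison mechanically so it can be run across a fleet: it parses the `apt list` lines, compares each package version against 21.10.2.15 with `sort -V` (a plain string comparison would wrongly rank 21.9 above 21.10), and lists the packages that still need the upgrade. The sample `apt list` output is constructed for the example.

```shell
#!/bin/sh
# Decide whether installed ClickHouse packages are older than the fixed release.
# Added example for this post; not ClickHouse's own tooling.

FIXED_VERSION="21.10.2.15"   # first fixed release named in the post

# version_lt A B: succeeds if version A sorts strictly before version B.
# sort -V compares numerically per component, so 21.9.4.35 < 21.10.2.15.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# apt_line_version "<one apt list line>": prints the version field, e.g.
#   clickhouse-server/now 21.9.4.35 all [installed,local]  ->  21.9.4.35
apt_line_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# vulnerable_packages "<apt list output>": prints "name version" for every
# clickhouse-* package whose version is below FIXED_VERSION (nothing if all are fixed).
vulnerable_packages() {
    printf '%s\n' "$1" | grep '^clickhouse-' | while IFS= read -r line; do
        name=${line%%/*}
        ver=$(apt_line_version "$line")
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf '%s %s\n' "$name" "$ver"
        fi
    done
}

# clickhouse_needs_upgrade "<apt list output>": succeeds if any package is still vulnerable.
clickhouse_needs_upgrade() {
    [ -n "$(vulnerable_packages "$1")" ]
}

# Constructed sample outputs of `apt list clickhouse-client clickhouse-server`.
SAMPLE_OLD='Listing... Done
clickhouse-client/now 21.9.4.35 all [installed,local]
clickhouse-server/now 21.9.4.35 all [installed,local]'

SAMPLE_NEW='Listing... Done
clickhouse-client/now 21.10.2.15 all [installed,local]
clickhouse-server/now 21.10.2.15 all [installed,local]'

# On a real host, replace the sample with live output:
#   clickhouse_needs_upgrade "$(apt list clickhouse-client clickhouse-server 2>/dev/null)"
```

Feed the function the live `apt list` output on each server and act on a non-empty result; the same check also works on the version string reported by `SELECT version()` inside ClickHouse, which is useful where the binary was not installed from a package.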
