Researchers have found seven new security vulnerabilities in ClickHouse, an open-source database management system. The vulnerabilities could be exploited to crash servers, leak memory contents, and execute arbitrary code.
“The vulnerabilities require authentication, but can be triggered by any user with read permissions,” Uriya Yavnieli and Or Peles, researchers from DevSecOps firm JFrog, said in a report published Tuesday.
“This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. Any set of credentials would do, since even a user with the lowest privileges can trigger all of the vulnerabilities.”
The seven flaws are listed below:
CVE-2021-43304 and CVE-2021-43305 (CVSS scores: 8.8) – Heap buffer overflow vulnerabilities in the LZ4 compression codec that could lead to remote code execution
CVE-2021-42387 and CVE-2021-42388 (CVSS scores: 7.1) – Heap out-of-bounds read flaws in the LZ4 compression codec that could lead to denial of service or information leakage
CVE-2021-42389 (CVSS score: 6.5) – A divide-by-zero flaw in the Delta compression codec that could result in a denial-of-service condition
CVE-2021-42390 (CVSS score: 6.5) – A divide-by-zero flaw in the DeltaDouble compression codec that could result in a denial-of-service condition
CVE-2021-42391 (CVSS score: 6.5) – A divide-by-zero flaw in the Gorilla compression codec that could result in a denial-of-service condition
An attacker can exploit any of the above flaws through a specially crafted compressed file to attack a vulnerable database server. ClickHouse users are advised to update to version “v22.214.171.124-stable” or later to mitigate the issues.
The report comes a month after JFrog revealed details of a high-severity vulnerability in Apache Cassandra (CVE-2021-44521, CVSS score: 8.4) that, if left unpatched, could be used to achieve remote code execution (RCE) on affected systems.