Multiple Flaws Uncovered in ClickHouse OLAP Database System for Big Data
Mar 16, 2022
Researchers have disclosed seven new security vulnerabilities in an open-source database management system solution called ClickHouse that could be weaponized to crash the servers, leak memory contents, and even lead to the execution of arbitrary code. "The vulnerabilities require authentication, but can be triggered by any user with read permissions," Uriya Yavnieli and Or Peles, researchers from DevSecOps firm JFrog, said in a report published Tuesday. "This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. Any set of credentials would do, since even a user with the lowest privileges can trigger all of the vulnerabilities." The list of seven flaws is below – CVE-2021-43304 and CVE-2021-43305 (CVSS scores: 8.8) – Heap buffer overflow flaws in the LZ4 compression codec that could lead to remote code execution CVE-2021-42387 and CVE-2021-42388 (CVSS scores: 7.1) – Heap out-of-bounds read ...
