Source: clickhouse
Version: 18.16.1+ds-7.2
Severity: important
Tags: security
X-Debbugs-Cc: codeh...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for clickhouse.

The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. Any set of credentials would do, since even a user with the lowest privileges can trigger all of the vulnerabilities. By triggering the vulnerabilities, an attacker can crash the ClickHouse server, leak memory contents or even cause remote code execution.

CVE-2021-42387[0]:
| Heap out-of-bounds read in Clickhouse's LZ4 compression codec when
| parsing a malicious query. As part of the LZ4::decompressImpl() loop,
| a 16-bit unsigned user-supplied value ('offset') is read from the
| compressed data. The offset is later used in the length of a copy
| operation, without checking the upper bounds of the source of the copy
| operation.


CVE-2021-42388[1]:
| Heap out-of-bounds read in Clickhouse's LZ4 compression codec when
| parsing a malicious query. As part of the LZ4::decompressImpl() loop,
| a 16-bit unsigned user-supplied value ('offset') is read from the
| compressed data. The offset is later used in the length of a copy
| operation, without checking the lower bounds of the source of the copy
| operation.


CVE-2021-43304[2]:
| Heap buffer overflow in Clickhouse's LZ4 compression codec when
| parsing a malicious query. There is no verification that the copy
| operations in the LZ4::decompressImpl loop and especially the
| arbitrary copy operation wildCopy<copy_amount>(op, ip,
| copy_end), don't exceed the destination buffer's
| limits.


CVE-2021-43305[3]:
| Heap buffer overflow in Clickhouse's LZ4 compression codec when
| parsing a malicious query. There is no verification that the copy
| operations in the LZ4::decompressImpl loop and especially the
| arbitrary copy operation wildCopy<copy_amount>(op, ip,
| copy_end), don't exceed the destination buffer's
| limits. This issue is very similar to CVE-2021-43304, but the
| vulnerable copy operation is in a different wildCopy call.
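As an added illustration (not part of this report and not ClickHouse's own LZ4::decompressImpl), the following minimal LZ4 block decoder in C applies the three checks the four descriptions above say were missing: the match offset is rejected when it is zero or larger than the output produced so far (lower and upper bound of the copy source), and every literal and match copy is checked against the destination capacity before it happens. The function name lz4_decompress_checked and the two sample blocks are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one LZ4 block with every copy bound checked. Returns bytes
 * written to dst, or -1 if the input is malformed or does not fit. */
long lz4_decompress_checked(const uint8_t *src, size_t src_len,
                            uint8_t *dst, size_t dst_cap)
{
    size_t ip = 0, op = 0, b;
    while (ip < src_len) {
        uint8_t token = src[ip++];
        size_t lit = token >> 4, mlen = token & 0x0F;
        if (lit == 15) /* extended literal length */
            do { if (ip >= src_len) return -1; b = src[ip++]; lit += b; } while (b == 255);
        if (lit > src_len - ip || lit > dst_cap - op) return -1; /* literal copy bounds */
        memcpy(dst + op, src + ip, lit);
        ip += lit; op += lit;
        if (ip == src_len) break;        /* last sequence carries literals only */
        if (src_len - ip < 2) return -1; /* offset field must be present */
        size_t offset = src[ip] | ((size_t)src[ip + 1] << 8);
        ip += 2;
        /* Copy-source lower and upper bound (CVE-2021-42388 / CVE-2021-42387):
         * offset 0 reads the byte being written, offset > op reads before dst. */
        if (offset == 0 || offset > op) return -1;
        if (mlen == 15) /* extended match length */
            do { if (ip >= src_len) return -1; b = src[ip++]; mlen += b; } while (b == 255);
        mlen += 4;                       /* minimum match length */
        if (mlen > dst_cap - op) return -1; /* destination limit (CVE-2021-43304 / CVE-2021-43305) */
        for (size_t i = 0; i < mlen; i++) /* byte-wise copy handles overlapping matches */
            dst[op + i] = dst[op - offset + i];
        op += mlen;
    }
    return (long)op;
}

/* Constructed sample: literals "abcd", match offset 4 length 4, literal "e". */
static const uint8_t sample_block[] = {0x40, 'a', 'b', 'c', 'd', 0x04, 0x00, 0x10, 'e'};
/* Constructed malformed block: one literal, then a match offset (16) pointing before dst. */
static const uint8_t bad_offset_block[] = {0x10, 'a', 0x10, 0x00, 0x00};

/* Decoded length if the sample yields "abcdabcde" within dst_cap, -1 if rejected, -2 on mismatch. */
long decode_sample(size_t dst_cap)
{
    uint8_t out[32];
    if (dst_cap > sizeof out) dst_cap = sizeof out;
    long n = lz4_decompress_checked(sample_block, sizeof sample_block, out, dst_cap);
    return n < 0 ? n : (n == 9 && memcmp(out, "abcdabcde", 9) == 0 ? n : -2);
}
long decode_bad_offset(void) { uint8_t out[32]; return lz4_decompress_checked(bad_offset_block, sizeof bad_offset_block, out, sizeof out); }
```

With a 32-byte destination the sample decodes to 9 bytes; with a 6-byte destination the same block is rejected at the match copy instead of overflowing, and the block whose offset reaches before the output buffer is rejected at the offset check.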


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42387
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42387
[1] https://security-tracker.debian.org/tracker/CVE-2021-42388
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42388
[2] https://security-tracker.debian.org/tracker/CVE-2021-43304
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43304
[3] https://security-tracker.debian.org/tracker/CVE-2021-43305
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43305

Please adjust the affected versions in the BTS as needed.




-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-5-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled