The JFrog Security research team recently discovered seven new vulnerabilities in ClickHouse, a widely used open source database management system (DBMS) for online analytical processing (OLAP). ClickHouse was created by Yandex for Yandex.Metrica, a web analytics tool often used to obtain visual reports and video recordings of user actions and to track website traffic in order to evaluate the effectiveness of online and offline advertising. The JFrog Security Team disclosed these vulnerabilities and worked with the ClickHouse maintainers to verify the fixes.
The vulnerabilities require authentication, but can be exploited by any user with read permissions. This means an attacker must first obtain valid credentials for the target ClickHouse server. Any set of credentials is enough, because even the user with the lowest permissions can trigger all of the vulnerabilities. By triggering them, an attacker could crash the ClickHouse server, leak memory contents, or even achieve remote code execution (RCE).
The following are the seven vulnerabilities discovered by the JFrog Security Team:
- CVE-2021-43304 and CVE-2021-43305: Heap buffer overflow vulnerabilities in LZ4 compression codec
- CVE-2021-42387 and CVE-2021-42388: Heap-out-of-bounds read vulnerabilities in the LZ4 compression codec
- CVE-2021-42389: Divide-by-zero vulnerability in delta compression codec
- CVE-2021-42390: Divide-by-zero vulnerability in delta double compression codec
- CVE-2021-42391: Divide-by-zero vulnerability in Gorilla compression codec
CVE-2021-42388 and CVE-2021-42387
In these two vulnerabilities, a copy operation is performed from the match pointer to the output pointer, and the source of the copy can lie before the start of the “dest” memory buffer. Reading memory outside the bounds of the buffer can reveal sensitive information or, in some cases, crash the application with a segmentation fault. CVE-2021-42387 is similar to CVE-2021-42388, but there the copy operation reads past the upper bound of the compressed (source) buffer instead.
CVE-2021-42389, CVE-2021-42390 and CVE-2021-42391
These are “divide-by-zero” vulnerabilities in several codecs supported by ClickHouse. They are triggered when the first byte of the compressed buffer is set to zero: the decompression code reads that byte and uses it as the divisor of a modulo operation to obtain the remainder. On Intel x86-64, the modulo operation is usually compiled to a DIV instruction, which divides the operands and also stores the remainder in a register; a zero divisor raises a hardware exception that terminates the process. These vulnerabilities were found by “smart fuzzing” the decompression mechanism. Smart fuzzing uses knowledge of the input format to generate inputs that (approximately) follow the expected protocol scheme, instead of completely random data.
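To illustrate the pattern behind the divide-by-zero findings, here is an added example (not ClickHouse's own code; the header layout is a constructed stand-in) showing a decoder that trusts the first header byte as a divisor beside the check a hardened decoder performs before any arithmetic uses it:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical codec header, constructed for illustration:
 * byte 0 = element width in bytes (valid widths 1, 2, 4, 8),
 * followed by the compressed payload. */

/* Vulnerable pattern: the header byte goes straight into a modulo.
 * A zero byte reaches the DIV instruction on x86-64 and the process
 * dies with SIGFPE, which is exactly the crash class described above. */
static size_t remainder_unchecked(const uint8_t *src, size_t src_size) {
    uint8_t width = src[0];
    return (src_size - 1) % width;   /* width == 0 -> divide by zero */
}

/* Hardened pattern: only the widths the format defines are accepted. */
static bool header_width_valid(uint8_t width) {
    return width == 1 || width == 2 || width == 4 || width == 8;
}

/* Returns 0 on success and stores the remainder in *rem;
 * returns -1 on an empty buffer or an invalid width byte. */
static int remainder_checked(const uint8_t *src, size_t src_size, size_t *rem) {
    if (src_size < 1) return -1;
    uint8_t width = src[0];
    if (!header_width_valid(width)) return -1;
    *rem = (src_size - 1) % width;
    return 0;
}

/* Constructed sample inputs (not real ClickHouse data). */
static const uint8_t good_block[] = {0x04, 0x01, 0x02, 0x03, 0x04, 0x05};
static const uint8_t zero_width[] = {0x00, 0x01, 0x02, 0x03};

int main(void) {
    size_t rem = 0;
    printf("good_block: rc=%d rem=%zu\n",
           remainder_checked(good_block, sizeof good_block, &rem), rem);
    printf("zero_width: rc=%d (rejected before division)\n",
           remainder_checked(zero_width, sizeof zero_width, &rem));
    return 0;
}
```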
Fixing the vulnerabilities
To fix these problems, ClickHouse needs to be updated to version v220.127.116.11-stable or later. If an upgrade is not possible, firewall rules should be added on the server so that only trusted clients can reach the HTTP port (8123) and the native TCP port (9000). JFrog products are not affected by this problem because they do not use the ClickHouse DBMS. In addition to discovering new vulnerabilities and threats, JFrog gives developers and security teams easy access to the latest relevant information about their software, including the PJSIP open source library versions in use and their associated CVEs, through automatic security scanning with the JFrog Xray SCA tool.