JFrog Security Research

XRAY-199947 - ClickHouse Divide-by-zero DoS

CVE-2021-42390 | CVSS 6.5

JFrog Severity:medium

Published 15 Mar. 2022 | Last updated 15 Mar. 2022

A divide-by-zero in ClickHouse's DoubleDelta compression codec can allow an authenticated network attacker to perform denial of service

ClickHouse

ClickHouse (, 21.10.2.15), fixed in 21.10.2.15

A low-privileged authenticated network attacker can trigger this issue by sending crafted compressed data to ClickHouse. Triggering the issue will crash the ClickHouse process, causing denial of service.

The ClickHouse decompression code reads the first byte of the compressed buffer and performs a modulo operation with it to get the remainder:

UInt8 bytes_size = source[0];
UInt8 bytes_to_skip = uncompressed_size % bytes_size;

In case bytes_size is 0, it will end up dividing by zero.

No PoC is supplied for this issue

No mitigations are provided for this vulnerability.

In order to fully fix this vulnerability, we recommend upgrading ClickHouse to version 21.10.2.15.

(JFrog) Security Vulnerabilities Found in ClickHouse Open-Source Software

NVD