A divide-by-zero in ClickHouse's Gorilla compression codec can allow an authenticated network attacker to perform denial of service
ClickHouse (, 220.127.116.11), fixed in 18.104.22.168
A low-privileged authenticated network attacker can trigger this issue by sending crafted compressed data to ClickHouse. Triggering the issue will crash the ClickHouse process, causing denial of service.
The ClickHouse Gorilla decompression code reads the first byte of the compressed buffer as the value width (bytes_size) and uses it as the divisor of a modulo operation to work out how many trailing bytes of the uncompressed output are stored verbatim:

    UInt8 bytes_size = source[0];
    UInt8 bytes_to_skip = uncompressed_size % bytes_size;

The byte comes straight from attacker-controlled data and is not validated. If bytes_size is 0, the modulo is an integer division by zero, which crashes the process.
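The following is an added example, not ClickHouse's own code: a minimal header parser in the shape the page describes, beside a hardened version that validates the byte before it reaches the modulo. The function names, the GorillaHeader struct, the two-byte header length check and the restriction of the width to 1/2/4/8 are this example's assumptions; the byte sequences are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct GorillaHeader
{
    uint8_t bytes_size;     // width of each value in the stream
    uint8_t bytes_to_skip;  // uncompressed_size % bytes_size: trailing bytes copied verbatim
};

// Vulnerable shape, as quoted on the page: source[0] is trusted as the value width and
// used directly as a modulo divisor. With source[0] == 0 the expression
// uncompressed_size % bytes_size is an integer division by zero and the process dies.
// Shown for contrast only; never feed it a zero first byte.
GorillaHeader parseHeaderUnchecked(const uint8_t * source, uint32_t uncompressed_size)
{
    uint8_t bytes_size = source[0];
    uint8_t bytes_to_skip = uncompressed_size % bytes_size;
    return {bytes_size, bytes_to_skip};
}

// Hardened form: validate the header before any arithmetic depends on it and report a
// malformed block instead of crashing. Assumptions of this example: the header is at
// least two bytes long, and only widths 1, 2, 4 and 8 are meaningful for Gorilla.
bool parseHeaderChecked(const uint8_t * source, uint32_t source_size, uint32_t uncompressed_size, GorillaHeader & out)
{
    if (source_size < 2)
        return false;   // truncated header

    uint8_t bytes_size = source[0];
    if (bytes_size == 0)
        return false;   // the divide-by-zero case from the advisory

    switch (bytes_size)
    {
        case 1: case 2: case 4: case 8: break;
        default: return false;   // unsupported width, extra hardening beyond the page
    }

    out.bytes_size = bytes_size;
    out.bytes_to_skip = static_cast<uint8_t>(uncompressed_size % bytes_size);
    return true;
}

// Convenience wrapper: does the checked parser accept this block at all?
bool acceptsBlock(const std::vector<uint8_t> & block, uint32_t uncompressed_size)
{
    GorillaHeader header{};
    return parseHeaderChecked(block.data(), static_cast<uint32_t>(block.size()), uncompressed_size, header);
}

// Constructed inputs: a crafted block whose first byte is 0, and a benign one declaring
// 4-byte values (the rest of the payload is irrelevant to the header check).
const std::vector<uint8_t> kCraftedBlock = {0x00, 0x00};
const std::vector<uint8_t> kBenignBlock  = {0x04, 0x02, 0xAA, 0xBB, 0xCC, 0xDD};

int main()
{
    std::printf("crafted block accepted: %s\n", acceptsBlock(kCraftedBlock, 16) ? "yes" : "no");
    std::printf("benign block accepted:  %s\n", acceptsBlock(kBenignBlock, 10) ? "yes" : "no");
    return 0;
}
```

The checked parser rejects the crafted block before the modulo runs, while the unchecked one would only be safe by luck of the input. In the real server the equivalent reject path is an exception carrying a "wrong header" error back to the client, which keeps the process alive.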
No PoC is supplied for this issue.
No mitigations are provided for this vulnerability.
In order to fully fix this vulnerability, we recommend upgrading ClickHouse to version 22.214.171.124.
(JFrog) Security Vulnerabilities Found in ClickHouse Open-Source Software