A divide-by-zero in ClickHouse's Gorilla compression codec can allow an authenticated network attacker to perform denial of service
ClickHouse (, 21.10.2.15), fixed in 21.10.2.15
A low-privileged authenticated network attacker can trigger this issue by sending crafted compressed data to ClickHouse. Triggering the issue will crash the ClickHouse process, causing denial of service.
The ClickHouse decompression code reads the first byte of the compressed buffer and performs a modulo operation with it to get the remainder:
UInt8 bytes_size = source[0];
UInt8 bytes_to_skip = uncompressed_size % bytes_size;
In case bytes_size
is 0, it will end up dividing by zero.
No PoC is supplied for this issue
No mitigations are provided for this vulnerability.
In order to fully fix this vulnerability, we recommend upgrading ClickHouse to version 21.10.2.15.
(JFrog) Security Vulnerabilities Found in ClickHouse Open-Source Software