A heap out-of-bounds read in ClickHouse can allow an authenticated network attacker to perform information leakage and denial of service
ClickHouse (, 21.10.2.15), fixed in 21.10.2.15
A low-privileged authenticated network attacker can trigger this issue by sending crafted LZ4 data in a decompression request.
Accessing memory outside of the buffer’s bounds can expose sensitive information or lead in certain cases to a crash of the application due to segmentation fault.
As part of the LZ4::decompressImpl() loop
, a 16-bit unsigned user-supplied value (offset
) is read from the compressed_data
. it is subtracted from the current op and stored in match pointer (op is a pointer that starts as dest and moves forward). There is no verification that the match pointer is not smaller than dest. Later, there’s a copy operation from match to output pointer - possibly copying out of bounds memory from before the dest
memory buffer.
CVE-2021-42387 is a similar vulnerability to CVE-2021-42388, which exceeds the upper bounds of the compressed buffer (source) as part of the copy operation.
No PoC is supplied for this issue
No mitigations are provided for this vulnerability.
In order to fully fix this vulnerability, we recommend upgrading ClickHouse to version 21.10.2.15.
(JFrog) Security Vulnerabilities Found in ClickHouse Open-Source Software