JFrog Security Research

XRAY-199963 - ClickHouse LZ4 OOB-R

CVE-2021-42387 | CVSS 7.1

JFrog Severity:medium

Published 15 Mar. 2022 | Last updated 15 Mar. 2022

A heap out-of-bounds read in ClickHouse can allow an authenticated network attacker to perform information leakage and denial of service

ClickHouse

ClickHouse (, 21.10.2.15), fixed in 21.10.2.15

A low-privileged authenticated network attacker can trigger this issue by sending crafted LZ4 data in a decompression request.

Accessing memory outside of the buffer’s bounds can expose sensitive information or lead in certain cases to a crash of the application due to segmentation fault.

As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value (offset) is read from the compressed_data. it is subtracted from the current op and stored in match pointer (op is a pointer that starts as dest and moves forward). There is no verification that the match pointer is not smaller than dest. Later, there’s a copy operation from match to output pointer - possibly copying out of bounds memory from before the dest memory buffer.

CVE-2021-42388 is a similar vulnerability to CVE-2021-42387, which exceeds the lower bounds of the compressed buffer (source) as part of the copy operation.

No PoC is supplied for this issue

No mitigations are provided for this vulnerability.

In order to fully fix this vulnerability, we recommend upgrading ClickHouse to version 21.10.2.15.

(JFrog) Security Vulnerabilities Found in ClickHouse Open-Source Software

NVD