CVE-2021-42387
Published: 14 March 2022
Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the upper bounds of the source of the copy operation.
Priority
Status
Package | Release | Status |
---|---|---|
clickhouse
Launchpad, Ubuntu, Debian |
focal |
Released
(18.16.1+ds-7ubuntu0.1)
|
impish |
Ignored
(end of life)
|
|
lunar |
Ignored
(end of life, was needs-triage)
|
|
mantic |
Ignored
(end of life, was needs-triage)
|
|
noble |
Not vulnerable
(18.16.1+ds-7.4build2)
|
|
trusty |
Ignored
(end of standard support)
|
|
upstream |
Released
(18.16.1+ds-7.4)
|
|
xenial |
Ignored
(end of standard support)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
References
- https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v21.9.1.7685)
- https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v21.9.1.7685)
- https://github.com/ClickHouse/ClickHouse/pull/27136
- https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/
- https://www.cve.org/CVERecord?id=CVE-2021-42387
- https://ubuntu.com/security/notices/USN-6933-1
- NVD
- Launchpad
- Debian