Unauthenticated heap buffer overflow in Gorilla codec decompression
Package             Affected versions    Patched versions
ClickHouse Cloud    < v23.9.2.47551      v23.9.2.47551
ClickHouse v23.10   < v23.10.5.20        v23.10.5.20
ClickHouse v23.3    < v23.3.18.15        v23.3.18.15
ClickHouse v23.8    < v23.8.8.20         v23.8.8.20
ClickHouse v23.9    < v23.9.6.20         v23.9.6.20
Impact
A heap buffer overflow was discovered in the ClickHouse server. An attacker who can reach the native interface (exposed by default on port 9000/tcp) can send a specially crafted payload that triggers a bug in the decompression logic of the Gorilla codec and crashes the ClickHouse server process. The attack does not require authentication: the vulnerable code path is reached before any credentials are checked, so any host that can open a TCP connection to the native port can cause the crash.
Patches
The issue has been addressed in ClickHouse starting from the following versions: TBA (see the patched version listed for each release branch in the table above).
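The following is an added example, not code from the advisory or from the ClickHouse project. It decides whether a running build falls into the affected ranges of the table above, taking the output of `SELECT version()` or `clickhouse-server --version` as input. The branch cut-offs are transcribed from the table; a version on a branch the table does not mention (for example 23.11, or an end-of-life branch older than 23.3) is reported as "not listed" rather than as safe, because the advisory says nothing about it.

```python
# Added example: classify a ClickHouse version against this advisory's table.
# Input can be a bare version ("23.9.5.29") or a banner such as
# "ClickHouse server version 23.9.5.29 (official build)."
import re
import sys
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# First fixed release per branch, transcribed from the advisory table (self-hosted builds).
PATCHED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (23, 3): (23, 3, 18, 15),
    (23, 8): (23, 8, 8, 20),
    (23, 9): (23, 9, 6, 20),
    (23, 10): (23, 10, 5, 20),
}
# ClickHouse Cloud row of the table; Cloud builds carry their own build number.
CLOUD_PATCHED: Version = (23, 9, 2, 47551)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the four-part ClickHouse version (year.major.minor.build) from a string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no ClickHouse version found in {text!r}")
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b, c, d)


def assess(text: str, cloud: bool = False) -> str:
    """Return 'patched', 'affected' or 'not listed' for the given version string.

    'not listed' means the release branch does not appear in the advisory table;
    treat it as unknown (and upgrade to a supported branch), not as safe.
    """
    v = parse_version(text)
    if cloud:
        return "patched" if v >= CLOUD_PATCHED else "affected"
    fixed = PATCHED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "not listed"
    # Tuple comparison orders by year, major, minor, then build number.
    return "patched" if v >= fixed else "affected"


if __name__ == "__main__":
    # Usage: python check_version.py "$(clickhouse-client -q 'SELECT version()')" [--cloud]
    is_cloud = "--cloud" in sys.argv
    for arg in (a for a in sys.argv[1:] if a != "--cloud"):
        print(f"{arg}: {assess(arg, cloud=is_cloud)}")
```

Run it against every server in a fleet before relying on the workaround below; a "not listed" result for a branch newer than 23.10 still means the build is not one of the listed fixed releases, so confirm it separately.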
Workarounds
Affected users are advised to block access to the native port (9000/tcp by default) and temporarily switch clients to the HTTP protocol (8123/tcp by default) to reduce exposure until they can upgrade to a patched version. The native listener is only opened when `tcp_port` is present in the server configuration, so removing that key (for example via a `config.d` override) is an alternative to a firewall rule. Either measure only limits who can reach the vulnerable code path; it does not fix the bug, so the upgrade is still required.
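The following is an added example, not code from the advisory or from the ClickHouse project. It audits a `clickhouse-server` configuration for native-port exposure and generates a `config.d` drop-in that removes the native listener while leaving the HTTP interface in place, so the workaround can be checked rather than assumed. It relies on three ClickHouse behaviours: the native listener is opened only when `<tcp_port>` is present, the server binds to `::1` and `127.0.0.1` when no `<listen_host>` is configured, and a `config.d` file can delete a key with `remove="remove"`. It also reports `tcp_port_secure`, the TLS variant of the same native protocol, which the advisory does not mention; including it is a conservative choice of this example. `SAMPLE_CONFIG` is constructed for the example, and `apply_override` is a minimal model of the real merge that only handles the `remove` rule.

```python
# Added example: audit native-port exposure in a ClickHouse config and produce
# the config.d override that disables the native listener (HTTP stays enabled).
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Iterable

# Constructed sample: a typical "listen everywhere" server configuration.
SAMPLE_CONFIG = """<clickhouse>
    <listen_host>0.0.0.0</listen_host>
    <tcp_port>9000</tcp_port>
    <http_port>8123</http_port>
</clickhouse>"""

# What clickhouse-server binds to when no <listen_host> is configured.
DEFAULT_LISTEN_HOSTS = ("::1", "127.0.0.1")

# Keys that open the native protocol listener (tcp_port_secure is the TLS variant;
# the advisory names only 9000/tcp, so it is included here conservatively).
NATIVE_PORT_KEYS = ("tcp_port", "tcp_port_secure")


def _is_loopback(host: str) -> bool:
    """True only for a literal loopback address; hostnames count as non-loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_native_exposure(config_xml: str) -> dict:
    """Report whether the native listener is enabled and reachable beyond loopback."""
    root = ET.fromstring(config_xml)
    hosts = [h.text.strip() for h in root.findall("listen_host") if h.text and h.text.strip()]
    if not hosts:
        hosts = list(DEFAULT_LISTEN_HOSTS)
    listeners: Dict[str, int] = {}
    for key in NATIVE_PORT_KEYS:
        el = root.find(key)
        if el is not None and el.text and el.text.strip():
            listeners[key] = int(el.text.strip())
    exposed = bool(listeners) and any(not _is_loopback(h) for h in hosts)
    return {
        "native_enabled": bool(listeners),
        "native_ports": listeners,
        "listen_hosts": hosts,
        "exposed_beyond_loopback": exposed,
    }


def disable_native_override(keys: Iterable[str]) -> str:
    """config.d drop-in removing the given native listener keys; http_port is untouched."""
    lines = ["<clickhouse>"]
    for key in keys:
        lines.append(f'    <{key} remove="remove"/>')
    lines.append("</clickhouse>")
    return "\n".join(lines) + "\n"


def apply_override(config_xml: str, override_xml: str) -> str:
    """Minimal model of the config.d merge: only the remove="remove" rule is applied,
    enough to re-run the audit on the merged result."""
    base = ET.fromstring(config_xml)
    for el in ET.fromstring(override_xml):
        if el.get("remove") == "remove":
            for victim in base.findall(el.tag):
                base.remove(victim)
    return ET.tostring(base, encoding="unicode")


if __name__ == "__main__":
    before = audit_native_exposure(SAMPLE_CONFIG)
    print("before:", before)
    override = disable_native_override(before["native_ports"])
    print("drop-in for /etc/clickhouse-server/config.d/disable-native.xml:\n" + override)
    print("after:", audit_native_exposure(apply_override(SAMPLE_CONFIG, override)))
```

Point the audit at the effective configuration (the main `config.xml` plus every `config.d` fragment), because a fragment can re-add `tcp_port` after this one removes it, and restart the server after writing the drop-in; this only keeps attackers away from the native listener and is not a substitute for the upgrade.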
Backport
If you maintain your own fork of ClickHouse, the fix for this vulnerability can be found in this pull request.