
Unauthenticated heap buffer overflow in Gorilla codec decompression

High
santrancisco published GHSA-5rmf-5g48-xv63 Dec 18, 2023

Package / Affected versions / Patched versions

ClickHouse Cloud (ClickHouse Cloud): affected < v23.9.2.47551, patched v23.9.2.47551
ClickHouse v23.10 (ClickHouse v23.10): affected < v23.10.5.20, patched v23.10.5.20
ClickHouse v23.3 (ClickHouse v23.3): affected < v23.3.18.15, patched v23.3.18.15
ClickHouse v23.8 (ClickHouse v23.8): affected < v23.8.8.20, patched v23.8.8.20
ClickHouse v23.9 (ClickHouse v23.9): affected < v23.9.6.20, patched v23.9.6.20

Description

Impact

A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of Gorilla codec that crashes the ClickHouse server process. This attack does not require authentication.

Patches

The issue has been addressed in ClickHouse starting from the following versions: TBA

Workarounds

Affected users are advised to block access to the native port and temporarily switch to the HTTP protocol to reduce exposure until they can upgrade to a supported version.
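An added example, not part of the advisory or the ClickHouse project, that triages a host inventory against the patched versions listed in this advisory so that the upgrade recommended above can be prioritised; the hostnames and inventory entries are constructed, and the four-component "v23.x.y.z" version format is assumed from the table.

```python
from typing import Optional

# Release branch -> first patched version, taken from the advisory's version table.
# ClickHouse Cloud is listed separately (patched at v23.9.2.47551) and is not a
# self-hosted branch, so it is deliberately not included here.
PATCHED_BY_BRANCH = {
    (23, 3): (23, 3, 18, 15),
    (23, 8): (23, 8, 8, 20),
    (23, 9): (23, 9, 6, 20),
    (23, 10): (23, 10, 5, 20),
}


def parse_version(text: str) -> tuple:
    """Parse 'v23.9.6.20' or '23.9.6.20-stable' into a comparable 4-tuple of ints."""
    core = text.strip().lstrip("v").split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a 4-component ClickHouse version, got {text!r}")
    return parts


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the patched release of its branch, False if
    patched, None if the branch is not listed in the advisory (cannot decide)."""
    v = parse_version(version)
    patched = PATCHED_BY_BRANCH.get(v[:2])
    if patched is None:
        return None
    return v < patched  # tuple comparison orders by branch, then release, then build


def triage(inventory) -> dict:
    """Map host -> 'affected' | 'patched' | 'not listed' for a list of (host, version)."""
    labels = {True: "affected", False: "patched", None: "not listed"}
    return {host: labels[is_affected(ver)] for host, ver in inventory}


# Constructed sample inventory (hostnames and assignments are made up for illustration).
SAMPLE_INVENTORY = [
    ("ch-prod-1", "v23.8.8.20"),      # exactly the patched release
    ("ch-prod-2", "23.8.7.24-stable"),  # below the patched release
    ("ch-analytics", "v23.10.3.5"),   # below the patched release
    ("ch-lab", "v23.11.1.2711"),      # branch not covered by the table
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "not listed" run a branch the advisory does not cover and should be checked against the vendor's release notes rather than assumed safe.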

Backport

If you maintain your own fork of ClickHouse, the fix for this vulnerability can be found in this pull request.

Severity

High: 7.0 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

CVE ID

CVE-2023-48704

Weaknesses

No CWEs

Credits