Critical Vulnerability Information

7 RCE and DoS Vulnerabilities Found in ClickHouse DBMS

Date: March 15, 2022
Author: Oriya Yavniveli, JFrog Security Research Team Leader

Vulnerability Details

CVE-2021-43304 and CVE-2021-43305: Heap buffer overflow vulnerabilities in LZ4 decompression.
CVE-2021-42387 and CVE-2021-42388: Heap out-of-bounds read vulnerabilities in LZ4 history bucket decoding.
CVE-2021-42389: Division-by-zero vulnerability in Delta decompression.
CVE-2021-42390: Division-by-zero vulnerability in DeltaDouble decompression.
CVE-2021-42391: Division-by-zero vulnerability in Gorilla decompression.

Vulnerability Impact

Technical Background

ClickHouse server allows users to compress queries.

Exploitation

CVE-2021-43304: Exploitation of heap buffer overflow.
CVE-2021-42388 and CVE-2021-42387: Exploitation of heap out-of-bounds read.
CVE-2021-42389, CVE-2021-42390, and CVE-2021-42391: Exploitation of division-by-zero vulnerabilities.

Remediation and Mitigation

Upgrade ClickHouse to version v21.10.2.15-stable or later.
If upgrading is not possible, implement firewall rules to restrict access to ports 8123 and 9000.

Conclusion

JFrog products themselves are not affected by this vulnerability, as they do not use ClickHouse databases.
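As an added example (not part of the advisory and not ClickHouse's or JFrog's own tooling), a small Python check that compares the version a server reports against the fixed release named above. It assumes the version string is either the bare dotted form that `SELECT version()` returns (possibly with a build suffix) or the release-tag form used in the advisory.

```python
import re
from typing import Optional, Tuple

# Fixed release named in the advisory (taken from the page, not constructed).
FIXED_VERSION = "21.10.2.15"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the numeric dotted version from a ClickHouse version string.

    Accepts "21.10.2.15", "v21.10.2.15-stable" and "21.10.2.15 (official build)".
    Returns None when no dotted version is present, so a caller cannot
    mistake an unparseable answer for "patched".
    """
    m = re.search(r"(?<![\d.])(\d+(?:\.\d+)+)(?!\d)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported version is at or above the fixed release.

    Missing trailing components count as zero, so "21.11" compares as
    21.11.0.0 (newer than the fix) and "21.10.2" as 21.10.2.0 (older than
    21.10.2.15). Returns None when the string could not be parsed; treat
    that as "unknown", never as safe.
    """
    found = parse_version(version_text)
    target = parse_version(fixed)
    if found is None or target is None:
        return None
    width = max(len(found), len(target))
    found += (0,) * (width - len(found))
    target += (0,) * (width - len(target))
    return found >= target


def triage(version_text: str) -> str:
    """One-line verdict that mirrors the advisory's two remediation options."""
    state = is_patched(version_text)
    if state is None:
        return "unknown: could not parse version; verify manually"
    if state:
        return "patched: at or above v21.10.2.15-stable"
    return ("vulnerable: upgrade, or until then restrict ports 8123 and 9000 "
            "to trusted sources")
```

Feed it the output of `clickhouse-client --query "SELECT version()"` from each host in an inventory to get a per-host verdict.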