Source: clickhouse X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for clickhouse. CVE-2023-48298[0]: | ClickHouse® is an open-source column-oriented database management | system that allows generating analytical data reports in real-time. | This vulnerability is an integer underflow resulting in crash due to | stack buffer overflow in decompression of FPC codec. It can be | triggered and exploited by an unauthenticated attacker. The | vulnerability is very similar to CVE-2023-47118 with how the | vulnerable function can be exploited. https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938 https://github.com/ClickHouse/ClickHouse/pull/56795 CVE-2023-47118[1]: | ClickHouse® is an open-source column-oriented database management | system that allows generating analytical data reports in real-time. | A heap buffer overflow issue was discovered in ClickHouse server. An | attacker could send a specially crafted payload to the native | interface exposed by default on port 9000/tcp, triggering a bug in | the decompression logic of T64 codec that crashes the ClickHouse | server process. This attack does not require authentication. Note | that this exploit can also be triggered via HTTP protocol, however, | the attacker will need a valid credential as the HTTP authentication | take places first. This issue has been fixed in version | 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and | 23.3.16.7-lts. https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v CVE-2022-44011[2]: | An issue was discovered in ClickHouse before 22.9.1.2603. An | authenticated user (with the ability to load data) could cause a | heap buffer overflow and crash the server by inserting a malformed | CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11, | 22.7.4.16, 22.6.6.16, and 22.3.12.19. https://github.com/ClickHouse/ClickHouse/pull/40241 CVE-2022-44010[3]: | An issue was discovered in ClickHouse before 22.9.1.2603. An | attacker could send a crafted HTTP request to the HTTP Endpoint | (usually listening on port 8123 by default), causing a heap-based | buffer overflow that crashes the process. This does not require | authentication. The fixed versions are 22.9.1.2603, 22.8.2.11, | 22.7.4.16, 22.6.6.16, and 22.3.12.19. https://github.com/ClickHouse/ClickHouse/pull/40292 If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-48298 https://www.cve.org/CVERecord?id=CVE-2023-48298 [1] https://security-tracker.debian.org/tracker/CVE-2023-47118 https://www.cve.org/CVERecord?id=CVE-2023-47118 [2] https://security-tracker.debian.org/tracker/CVE-2022-44011 https://www.cve.org/CVERecord?id=CVE-2022-44011 [3] https://security-tracker.debian.org/tracker/CVE-2022-44010 https://www.cve.org/CVERecord?id=CVE-2022-44010 Please adjust the affected versions in the BTS as needed.