Candidate: CVE-2021-42387
PublicDate: 2022-03-14 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42387
 https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v21.9.1.7685)
 https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v21.9.1.7685)
 https://github.com/ClickHouse/ClickHouse/pull/27136
 https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/
Description:
 Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing
 a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit
 unsigned user-supplied value ('offset') is read from the compressed data.
 The offset is later used in the length of a copy operation, without
 checking the upper bounds of the source of the copy operation.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008216
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H [8.1 HIGH]


Patches_clickhouse:
upstream_clickhouse: needs-triage
trusty_clickhouse: ignored (out of standard support)
xenial_clickhouse: ignored (out of standard support)
focal_clickhouse: needs-triage
impish_clickhouse: needs-triage