clickhouse: CVE-2023-48298 CVE-2023-47118 CVE-2022-44011 CVE-2022-44010

Debian Bug report logs - #1059261
clickhouse: CVE-2023-48298 CVE-2023-47118 CVE-2022-44011 CVE-2022-44010

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: submit@bugs.debian.org

Subject: clickhouse: CVE-2023-48298 CVE-2023-47118 CVE-2022-44011 CVE-2022-44010

Date: Fri, 22 Dec 2023 10:08:13 +0100

Source: clickhouse
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for clickhouse.

CVE-2023-48298[0]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| This vulnerability is an integer underflow resulting in crash due to
| stack buffer overflow in decompression of FPC codec. It can be
| triggered and exploited by an unauthenticated attacker. The
| vulnerability is very similar to CVE-2023-47118 with how the
| vulnerable function can be exploited.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
https://github.com/ClickHouse/ClickHouse/pull/56795

CVE-2023-47118[1]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| A heap buffer overflow issue was discovered in ClickHouse server. An
| attacker could send a specially crafted payload to the native
| interface exposed by default on port 9000/tcp, triggering a bug in
| the decompression logic of T64 codec that crashes the ClickHouse
| server process. This attack does not require authentication. Note
| that this exploit can also be triggered via HTTP protocol, however,
| the attacker will need a valid credential as the HTTP authentication
| take places first. This issue has been fixed in version
| 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and
| 23.3.16.7-lts.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v

CVE-2022-44011[2]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| authenticated user (with the ability to load data) could cause a
| heap buffer overflow and crash the server by inserting a malformed
| CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.

https://github.com/ClickHouse/ClickHouse/pull/40241

CVE-2022-44010[3]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| attacker could send a crafted HTTP request to the HTTP Endpoint
| (usually listening on port 8123 by default), causing a heap-based
| buffer overflow that crashes the process. This does not require
| authentication. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.

https://github.com/ClickHouse/ClickHouse/pull/40292

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48298
    https://www.cve.org/CVERecord?id=CVE-2023-48298
[1] https://security-tracker.debian.org/tracker/CVE-2023-47118
    https://www.cve.org/CVERecord?id=CVE-2023-47118
[2] https://security-tracker.debian.org/tracker/CVE-2022-44011
    https://www.cve.org/CVERecord?id=CVE-2022-44011
[3] https://security-tracker.debian.org/tracker/CVE-2022-44010
    https://www.cve.org/CVERecord?id=CVE-2022-44010

Please adjust the affected versions in the BTS as needed.

Send a report that this bug log contains spam.