CVE-2023-47118

Name of the Vulnerable Software and Affected Versions ClickHouse versions prior to 23.10.2.13-stable ClickHouse versions prior to 23.9.4.11-stable ClickHouse versions prior to 23.8.6.16-lts ClickHouse versions prior to 23.3.16.7-lts

Description A heap buffer overflow issue was discovered in the ClickHouse server, allowing an attacker to send a specially crafted payload to the native interface exposed by default on port 9000/tcp. This triggers a bug in the decompression logic of the T64 codec, causing the ClickHouse server process to crash. The attack does not require authentication, but if triggered via HTTP protocol, a valid credential is needed as HTTP authentication takes place first.

Recommendations For versions prior to 23.10.2.13-stable, update to version 23.10.2.13-stable or later. For versions prior to 23.9.4.11-stable, update to version 23.9.4.11-stable or later. For versions prior to 23.8.6.16-lts, update to version 23.8.6.16-lts or later. For versions prior to 23.3.16.7-lts, update to version 23.3.16.7-lts or later. As a temporary workaround, consider restricting access to the native interface on port 9000/tcp to minimize the risk of exploitation.