CVE-2021-43304

8.8 HIGH

📋 TL;DR

CVE-2021-43304 is a heap buffer overflow vulnerability in ClickHouse's LZ4 compression codec that allows attackers to execute arbitrary code or cause denial of service by sending malicious queries. This affects ClickHouse database servers with the vulnerable compression codec enabled. Attackers can exploit this remotely without authentication.

💻 Affected Systems

Products:
  • ClickHouse
Versions: All versions before 21.10.2.15, 21.11.2.2, 21.12.2.1
Operating Systems: All operating systems running ClickHouse
Default Config Vulnerable: ⚠️ Yes
Notes: Affects ClickHouse servers with LZ4 compression codec enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Denial of service causing database crashes and service disruption.

🟢 If Mitigated: Limited impact if network segmentation and query validation are implemented.

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication via malicious queries.
🏢 Internal Only: HIGH - Even internal attackers can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public technical details available in the JFrog blog post. Exploitation requires sending specially crafted queries to vulnerable ClickHouse instances.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.10.2.15, 21.11.2.2, 21.12.2.1 or later

Vendor Advisory: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-5rqg-4jv3-7whv

Restart Required: Yes

Instructions:

1. Identify the current ClickHouse version.
2. Upgrade to a patched version using the official package manager.
3. Restart the ClickHouse service.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Disable LZ4 compression codec (platform: all)

Temporarily disable the vulnerable LZ4 compression codec to prevent exploitation: modify the ClickHouse configuration to remove or disable LZ4 codec support.

Network access restrictions (platform: linux)

Restrict network access to ClickHouse ports (default 8123, 9000) to trusted sources only. Because iptables evaluates rules in order, the ACCEPT rules for trusted sources must be appended before the DROP rules, as shown below:

iptables -A INPUT -p tcp --dport 8123 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8123 -j DROP
iptables -A INPUT -p tcp --dport 9000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit ClickHouse access to trusted IPs only.
  • Deploy web application firewall (WAF) or intrusion prevention system (IPS) with rules to detect and block malicious LZ4 compression patterns.

🔍 How to Verify

Check if Vulnerable:

Check ClickHouse version: SELECT version()

Check Version:

clickhouse-client --query 'SELECT version()'

Verify Fix Applied:

Verify version is 21.10.2.15, 21.11.2.2, 21.12.2.1 or later: SELECT version()
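The version comparison above is easy to get wrong by hand because each 21.x branch has its own fixed release. The following is an added example, not part of the advisory, that parses a `SELECT version()` result and classifies it against the three patch versions listed on this page; it assumes each listed release fixes its own branch, that branches older than 21.10 are vulnerable, and that branches newer than 21.12 are fixed.

```python
# Added example (not from the advisory): compare a `SELECT version()` result
# against the fixed releases listed above. Assumption: each fixed release patches
# its own 21.x branch, earlier branches are vulnerable, later ones are fixed.
import re
from typing import Tuple

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED_BY_BRANCH = {
    (21, 10): (21, 10, 2, 15),
    (21, 11): (21, 11, 2, 2),
    (21, 12): (21, 12, 2, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Leading dotted numeric version; suffixes like '-stable' are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True if the reported version predates the fix for its branch."""
    v = parse_version(version_text)
    branch = (v[0], v[1] if len(v) > 1 else 0)
    if branch < min(FIXED_BY_BRANCH):
        return True          # everything before 21.10 is unpatched
    if branch > max(FIXED_BY_BRANCH):
        return False         # 22.x and later ship with the fix
    # Tuple comparison is component-wise; a short version such as 21.10.2
    # sorts before 21.10.2.15 and is therefore reported as vulnerable.
    return v < FIXED_BY_BRANCH[branch]


# Constructed sample outputs of `clickhouse-client --query 'SELECT version()'`.
SAMPLES = {"21.9.4.35": True, "21.10.2.14": True, "21.10.2.15": False,
           "21.11.1.8636": True, "21.12.2.1": False, "22.1.3.7": False}


def check_samples() -> bool:
    """Every constructed sample is classified as expected."""
    return all(is_vulnerable(v) == expected for v, expected in SAMPLES.items())
```

Feed it the raw output of `clickhouse-client --query 'SELECT version()'` from each host; anything reported as vulnerable needs the upgrade from the Official Fix section.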

📡 Detection & Monitoring

Log Indicators:

  • Unexpected crashes or segmentation faults in ClickHouse logs
  • Unusual query patterns with LZ4 compression

Network Indicators:

  • Malformed queries to ClickHouse HTTP/HTTPS ports (8123) or native protocol port (9000)

SIEM Query:

source="clickhouse.log" AND ("segmentation fault" OR "buffer overflow" OR "LZ4")

🔗 References
