CVE-2023-47118
📋 TL;DR
A heap buffer overflow vulnerability exists in ClickHouse's T64 codec decompression logic. Unauthenticated attackers can send specially crafted payloads to the native interface (port 9000/tcp) to crash the ClickHouse server process, causing denial of service. All ClickHouse servers with vulnerable versions exposed to untrusted networks are affected.
💻 Affected Systems
- ClickHouse
📦 What is this software?
Clickhouse by Clickhouse
Clickhouse Cloud by Clickhouse
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through server crash, potentially leading to data corruption or loss if crashes occur during critical operations.
Likely Case
Denial of service through server crashes, disrupting analytical queries and real-time reporting capabilities.
If Mitigated
Minimal impact if servers are patched or network-restricted; authenticated HTTP exploitation requires valid credentials.
🎯 Exploit Status
Exploitation via native interface requires no authentication; HTTP exploitation requires valid credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts, or 23.3.16.7-lts
Vendor Advisory: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v
Restart Required: Yes
Instructions:
1. Identify the current ClickHouse version.
2. Upgrade to a patched version using your package manager (apt/yum) or download one from the official repository.
3. Restart the ClickHouse service.
🔧 Temporary Workarounds
Network Restriction
Linux: block access to port 9000/tcp from untrusted networks using firewall rules. Replace trusted_network with the CIDR of your trusted source range; since -A appends, make sure no earlier rule in the INPUT chain already accepts this traffic.
sudo iptables -A INPUT -p tcp --dport 9000 -s trusted_network -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 9000 -j DROP
Disable Native Interface
All platforms: configure ClickHouse to disable the native interface if it is not required.
Edit /etc/clickhouse-server/config.xml and set <listen_host> to 127.0.0.1 (or localhost) so the native port is only reachable locally, or remove the native protocol configuration (the <tcp_port> element) altogether.
🧯 If You Can't Patch
- Implement strict network access controls to limit port 9000/tcp to trusted sources only.
- Monitor for crash events and implement automated restart mechanisms to maintain availability.
🔍 How to Verify
Check if Vulnerable:
Check the ClickHouse version; if it is lower than the patched release for its branch and the native interface (port 9000/tcp) is reachable from untrusted networks, the system is vulnerable.
Check Version:
clickhouse-client --query 'SELECT version()'
Verify Fix Applied:
Confirm the reported version is at least the patched release for its branch: 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts, or 23.3.16.7-lts, or a later release.
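As an added example (not from the advisory or the ClickHouse project), a small Python checker that classifies the output of `SELECT version()` against the four fixed releases above, branch by branch; the handling of releases on branches not listed in the advisory, and the script name, are assumptions.

```python
# Added example, not part of the advisory: classify a ClickHouse version string
# (the output of `SELECT version()`) against the fixed releases for CVE-2023-47118.
# Assumption: versions look like "23.8.6.16", optionally with a "-stable"/"-lts" suffix.
import sys
from typing import Tuple

# Fixed release per branch, as listed in the advisory.
FIXED = {
    (23, 10): (23, 10, 2, 13),
    (23, 9): (23, 9, 4, 11),
    (23, 8): (23, 8, 6, 16),
    (23, 3): (23, 3, 16, 7),
}
NEWEST_FIXED_BRANCH = max(FIXED)


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '23.8.6.16-lts' into (23, 8, 6, 16); shorter strings are padded with zeros."""
    core = s.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised ClickHouse version: {s!r}")
    return (parts + (0, 0, 0, 0))[:4]


def classify(s: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unfixed-branch' for one version string."""
    v = parse_version(s)
    branch = v[:2]
    if branch in FIXED:
        # Same branch as a listed fix: positional comparison against that release.
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        # Assumption: releases after the newest fixed branch (23.10) carry the fix.
        return "fixed"
    # Older branch with no listed in-branch fix (e.g. 23.5): there is no patch to
    # move to, so treat it as vulnerable and plan an upgrade to a fixed branch.
    return "unfixed-branch"


if __name__ == "__main__":
    # Usage: clickhouse-client --query 'SELECT version()' | python3 check_cve_2023_47118.py
    version = sys.stdin.readline()
    print(f"{version.strip()}: {classify(version)}")
```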
📡 Detection & Monitoring
Log Indicators:
- ClickHouse process crashes in system logs
- Segmentation fault errors in ClickHouse logs
Network Indicators:
- Unusual traffic patterns to port 9000/tcp from untrusted sources
- Malformed payloads in network captures
SIEM Query:
source="clickhouse.log" AND ("segmentation fault" OR "crash" OR "SIGSEGV")