CVE-2024-23689

8.8 HIGH

📋 TL;DR

In ClickHouse Java client versions before 0.4.6, the client certificate key password can end up in the message of an exception (ClickHouseException or SQLException) raised when the sslkey option is configured. When the application logs that exception, the password is written to the application log, and anyone who can read the logs can recover it. Affects organizations using the ClickHouse Java clients (JDBC, R2DBC, or the core client) with SSL client certificate authentication.

💻 Affected Systems

Products:
  • clickhouse-r2dbc
  • com.clickhouse:clickhouse-jdbc
  • com.clickhouse:clickhouse-client
Versions: All versions less than 0.4.6
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only exposed when the client is configured with the sslkey option (SSL client certificate authentication) and the application writes the resulting exception to its logs. A client that does not set sslkey is not affected.

📦 What is this software?

clickhouse-java is ClickHouse's official Java client library, published under the com.clickhouse Maven group. clickhouse-client is the core client; clickhouse-jdbc (a JDBC driver) and clickhouse-r2dbc (a reactive R2DBC driver) are built on top of it, which is why all three artifacts are listed as affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain client certificate passwords, impersonate legitimate users, access sensitive database data, and potentially pivot to other systems using stolen credentials.

🟠

Likely Case

Unauthorized access to database contents, data exfiltration, and credential theft from accessible application logs.

🟢

If Mitigated

Limited impact if logs are properly secured with restricted access and monitoring, though credentials remain exposed in log storage.

🌐 Internet-Facing: MEDIUM - Requires access to application logs which may be exposed through misconfigurations or logging services.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts with log access can easily exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is nothing more than reading the log: the attacker needs read access to the application log (or to wherever it is shipped) in which the failed-connection exception was recorded. No ClickHouse credentials or network access to the database are required to obtain the password; the password is what the attacker gains.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.6

Vendor Advisory: https://github.com/ClickHouse/clickhouse-java/security/advisories/GHSA-g8ph-74m6-8m7r

Restart Required: Yes

Instructions:

1. Update all ClickHouse Java client dependencies (clickhouse-jdbc, clickhouse-r2dbc, clickhouse-client) to version 0.4.6 or higher.
2. Update pom.xml or build.gradle to pin the fixed versions.
3. Rebuild and redeploy the applications.
4. Restart any running services that use the affected clients.
5. Treat any key password that may already have been written to a log as compromised: rotate the client key and its password, and purge or redact the affected log entries.

🔧 Temporary Workarounds

Mask sensitive values in exception logging

all

Configure the logging framework to redact sslkey and password values from exception messages rather than suppressing the exceptions altogether

In logback.xml or log4j2.xml, apply a masking pattern (logback's %replace conversion word over %msg and %ex, or log4j2's %replace) that rewrites sslkey=... and password=... values to ***
Lowering the log level does not help: the exception is typically logged at ERROR, which is the level that stays enabled

Restrict log access

linux

Implement strict access controls and encryption for application logs

chmod 600 /var/log/application/*
Implement log encryption at rest
Use centralized logging with RBAC

🧯 If You Can't Patch

  • Switch from SSL client certificate authentication (sslkey) to another supported method, such as user/password authentication over TLS, until the patch is deployed; this removes the secret that the exception would leak, at the cost of the stronger certificate-based authentication
  • Implement real-time log monitoring and alerting for credential exposure patterns

🔍 How to Verify

Check if Vulnerable:

Check dependency versions in pom.xml, build.gradle, or manifest files for clickhouse-java components below 0.4.6

Check Version:

mvn dependency:tree | grep clickhouse
gradle dependencies | grep clickhouse

Verify Fix Applied:

Verify that every clickhouse-java dependency on the runtime classpath is at version 0.4.6 or higher, then test SSL authentication with a deliberately failing connection (for example a wrong key password) and confirm that the logged exception does not contain the password
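The version check above, as an added example (this is not code from the page or from the clickhouse-java project). It parses the output of mvn dependency:tree or gradle dependencies, takes the conflict-resolved version where Gradle prints one (the value after "->"), and reports any of the three affected com.clickhouse artifacts below 0.4.6. The two dependency-tree samples are constructed, not captured from a real build, and the line patterns assume the default output layout of both tools.

```python
import re
import sys
from typing import List, Optional, Tuple

FIXED_VERSION = (0, 4, 6)
GROUP = "com.clickhouse"
# The three artifacts named in GHSA-g8ph-74m6-8m7r.
AFFECTED_ARTIFACTS = {"clickhouse-jdbc", "clickhouse-client", "clickhouse-r2dbc"}

# Maven `dependency:tree` node: group:artifact:type[:classifier]:version:scope
MAVEN_NODE = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<t>\w+):(?:(?P<c>[\w.\-]+):)?(?P<v>[\w.\-]+):(?P<s>\w+)"
)
# Gradle `dependencies` node: group:artifact:requested[ -> resolved]
GRADLE_NODE = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<v>[\w.\-]+)(?:\s*->\s*(?P<r>[\w.\-]+))?"
)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'0.4.5' -> (0, 4, 5). A qualifier such as -SNAPSHOT is dropped, so 0.4.6-SNAPSHOT
    counts as fixed here; treat snapshots as suspect and check them by hand."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_vulnerable(version: str) -> bool:
    return version_tuple(version) < FIXED_VERSION


def parse_node(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (group, artifact, effective version) for one tree line, or None.

    The Maven pattern is tried first: a Maven node would otherwise also match the
    Gradle pattern, with the packaging type ("jar") landing in the version slot.
    """
    m = MAVEN_NODE.search(line)
    if m:
        return m.group("g"), m.group("a"), m.group("v")
    m = GRADLE_NODE.search(line)
    if m:
        # With Gradle, the resolved version right of "->" is what ends up on the classpath.
        return m.group("g"), m.group("a"), m.group("r") or m.group("v")
    return None


def find_vulnerable(tree_output: str) -> List[Tuple[str, str]]:
    """Scan tool output and return sorted (artifact, version) pairs below 0.4.6."""
    hits = set()
    for line in tree_output.splitlines():
        node = parse_node(line)
        if node is None:
            continue
        group, artifact, version = node
        if group == GROUP and artifact in AFFECTED_ARTIFACTS and is_vulnerable(version):
            hits.add((artifact, version))
    return sorted(hits)


# Constructed sample output (not captured from a real build), one sample per tool.
SAMPLE_MAVEN = """\
[INFO] --- dependency:3.6.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.clickhouse:clickhouse-jdbc:jar:all:0.4.5:compile
[INFO] |  \\- com.clickhouse:clickhouse-client:jar:0.4.5:compile
[INFO] +- com.clickhouse:clickhouse-r2dbc:jar:0.4.6:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

SAMPLE_GRADLE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- com.clickhouse:clickhouse-jdbc:0.4.2
|    \\--- com.clickhouse:clickhouse-client:0.4.2 -> 0.4.6
\\--- com.clickhouse:clickhouse-r2dbc:0.4.2 (*)
"""

if __name__ == "__main__":
    # Pipe real output in (mvn dependency:tree | python check_clickhouse.py); otherwise use the samples.
    if not sys.stdin.isatty():
        print(find_vulnerable(sys.stdin.read()) or "no affected artifacts below 0.4.6")
    else:
        for name, sample in (("maven", SAMPLE_MAVEN), ("gradle", SAMPLE_GRADLE)):
            print(name, find_vulnerable(sample) or "no affected artifacts below 0.4.6")
```

Run it against the runtime classpath (for Gradle, `gradle dependencies --configuration runtimeClasspath`), not only the compile tree, and remember that the "all" classifier of clickhouse-jdbc bundles clickhouse-client, so the jdbc version is the one that matters for a shaded deployment.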

📡 Detection & Monitoring

Log Indicators:

  • Exception messages containing 'sslkey' or certificate password strings
  • ClickHouseException or SQLException logs with password-like patterns

Network Indicators:

  • Unusual database access patterns following log access events

SIEM Query:

source="application.log" AND ("ClickHouseException" OR "SQLException") AND ("sslkey" OR "password=" OR regex(password_pattern))
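The log indicators and the SIEM pseudo-query above, as an added detection example run over sample log lines (this is not code from the page or from the clickhouse-java project). It groups a Java log file into events so that a stack trace stays with the line that logged it, flags every event that both names ClickHouseException or SQLException and carries a password- or sslkey-looking key=value pair, and returns the event with the secret values masked so the finding itself does not re-leak them. The timestamp layout, the key names matched (password, passwd, sslkey) and the sample log are assumptions; the wording of the real leaked exception message is not reproduced.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# A new log event starts with a timestamp (assumed layout "yyyy-MM-dd HH:mm:ss,SSS LEVEL logger - msg");
# exception and "\tat ..." lines that follow belong to the previous event.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
TARGET_EXCEPTIONS = ("ClickHouseException", "SQLException")
# key=value (or key: value) where the key names a password or the sslkey option.
SECRET_KV = re.compile(
    r"(?i)\b(?P<key>[\w.\-]*(?:password|passwd|sslkey)[\w.\-]*)(?P<sep>\s*[=:]\s*)(?P<val>[^\s,&;\"')]+)"
)


@dataclass
class Finding:
    line: int          # 1-based line number where the log event starts
    exception: str     # which target exception class name appeared in the event
    keys: List[str]    # credential-looking keys found, in order of appearance
    masked: str        # the event text with every secret value replaced by ***


def split_events(log_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (start_line, event_text) pairs, keeping stack traces with their event."""
    start, buf = 0, []
    for no, line in enumerate(log_text.splitlines(), 1):
        if EVENT_START.match(line) and buf:
            yield start, "\n".join(buf)
            buf = []
        if not buf:
            start = no
        buf.append(line)
    if buf:
        yield start, "\n".join(buf)


def mask_secrets(text: str) -> str:
    """Replace the value of every password/sslkey pair, keeping the key as evidence.
    This is the same substitution a logback/log4j2 %replace masking pattern applies at write time."""
    return SECRET_KV.sub(lambda m: f"{m.group('key')}{m.group('sep')}***", text)


def scan(log_text: str) -> List[Finding]:
    """One Finding per event that names a target exception AND carries a secret-looking pair."""
    findings = []
    for start, event in split_events(log_text):
        exc = next((e for e in TARGET_EXCEPTIONS if e in event), None)
        keys = [m.group("key") for m in SECRET_KV.finditer(event)]
        if exc and keys:
            findings.append(Finding(start, exc, keys, mask_secrets(event)))
    return findings


# Constructed sample log (not a real capture). Event 2 is the leak; event 3 names the
# exception but carries no key=value secret; the last event has a secret but a non-target exception.
SAMPLE_LOG = """\
2024-01-20 10:15:03,117 INFO  com.example.Db - Opening ClickHouse connection
2024-01-20 10:15:03,402 ERROR com.example.Db - Query failed
java.sql.SQLException: TLS handshake failed for jdbc:clickhouse://ch.internal:8443/default?ssl=true&sslkey=/etc/ch/client.key&password=hunter2
\tat com.example.Db.connect(Db.java:42)
2024-01-20 10:15:04,001 WARN  com.example.Db - Retrying
2024-01-20 10:15:05,210 ERROR com.example.Db - Unexpected error
com.clickhouse.client.ClickHouseException: Code: 516. Authentication failed: password is incorrect
\tat com.clickhouse.client.ClickHouseException.of(ClickHouseException.java:123)
2024-01-20 10:15:06,000 ERROR com.example.Other - NullPointerException while formatting password=REDACTED
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line}: {f.exception} with {f.keys}")
        print(f.masked)
```

Treat every hit as a credential already exposed: the masked excerpt is safe to attach to a ticket, but the original log entry still holds the password and the key password should be rotated as part of the response.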
