Overview
Over the previous weeks, Aiven had received a private notification of an upcoming public disclosure related to ClickHouse - CVE-2024-6873. This vulnerability could allow an attacker to send a specially crafted request to the ClickHouse server native interface, potentially redirecting the execution flow or crashing the server process. At this time there are no known proof-of-concepts for remote code execution.
Details on the CVE can be found here:
https://clickhouse.com/docs/en/whats-new/security-changelog
Is Aiven Affected?
Aiven’s platform is no longer affected by this vulnerability.
Upon private disclosure, we incorporated the recommended fix into our deployment pipeline. All current and future ClickHouse deployments are unaffected by this vulnerability.
References
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-432f-r822-j66f
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6873