CVE-2021-43305: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability (CVE-2021-43305) was discovered in ClickHouse's LZ4 compression codec when parsing malicious queries. The vulnerability affects ClickHouse versions prior to v21.10.2.15-stable and requires authentication but can be triggered by any user with read permissions, even those with the lowest privileges (JFrog Blog).

The vulnerability occurs in the LZ4::decompressImpl loop where there is no verification that the copy operations, specifically the arbitrary copy operation wildCopy(op, ip, copy_end), don't exceed the destination buffer's limits. The issue is similar to CVE-2021-43304 but involves a different wildCopy call. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, JFrog Blog).

If successfully exploited, this vulnerability could allow an attacker to crash the ClickHouse server, leak memory contents, or potentially achieve remote code execution (RCE). The vulnerability's high severity rating indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (JFrog Blog).

Users are advised to update ClickHouse to version v21.10.2.15-stable or later to address this vulnerability. If upgrading is not immediately possible, it is recommended to add firewall rules in the server that restrict access to the web port (8123) and the TCP server's port (9000) to specific clients only (JFrog Blog).