CVE-2023-47118: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability (CVE-2023-47118) was discovered in ClickHouse server, an open-source column-oriented database management system. The vulnerability was disclosed on December 20, 2023. The issue affects multiple versions of ClickHouse, including versions prior to 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts, and 23.3.16.7-lts (NVD, GitHub Advisory).

The vulnerability is a heap buffer overflow in the decompression logic of the T64 codec. It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST and 7.0 (HIGH) from GitHub. The vulnerability is classified as CWE-787 (Out-of-bounds Write) by NIST and CWE-122 (Heap-based Buffer Overflow) by GitHub (NVD).

An attacker can send a specially crafted payload to the native interface (exposed by default on port 9000/tcp) to trigger the vulnerability, resulting in a crash of the ClickHouse server process. The vulnerability can also be exploited via HTTP protocol, though this requires valid authentication credentials (GitHub Advisory).

The vulnerability has been fixed in versions 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts, and 23.3.16.7-lts. As a temporary workaround, users are advised to block native port access and switch to HTTP protocol to reduce exposure before upgrading to supported versions (GitHub Advisory).