CVE-2021-42391 in Clickhouse
Summary
by MITRE • 03/15/2022
Divide-by-zero in Clickhouse's Gorilla compression codec when parsing a malicious query. The first byte of the compressed buffer is used in a modulo operation without being checked for 0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/25/2025
The vulnerability identified as CVE-2021-42391 represents a critical divide-by-zero error within the ClickHouse database management system's Gorilla compression codec implementation. This flaw manifests when the system processes maliciously crafted queries that exploit a fundamental mathematical operation error in the decompression routine. The core issue occurs when the first byte of a compressed data buffer is utilized in a modulo operation without proper validation to ensure it is not zero, creating a condition where the divisor becomes zero and triggers an arithmetic exception.
The technical implementation of this vulnerability resides in the compression algorithm's decompression logic where the system assumes all compressed data buffers maintain valid mathematical properties. When parsing compressed data, the code extracts the first byte to determine a scaling factor or parameter for decompression calculations. However, the absence of validation for this byte value means that if it equals zero, the subsequent modulo operation results in a division by zero error that crashes the database process. This type of error falls under CWE-369, which specifically addresses the divide-by-zero vulnerability pattern, and represents a classic example of improper input validation in cryptographic or compression routines.
The operational impact of this vulnerability extends beyond simple service disruption as it can be exploited to cause denial-of-service conditions in production ClickHouse environments. Attackers can craft malicious queries that specifically target this divide-by-zero condition, potentially leading to complete system crashes and unavailability of database services. The vulnerability affects systems where ClickHouse processes external data inputs or user queries that may contain maliciously formatted compressed data, making it particularly dangerous in multi-tenant environments or systems that accept untrusted data inputs. This weakness can also potentially be leveraged as a stepping stone for more sophisticated attacks, as the system crash may provide opportunities for information disclosure or further exploitation.
Mitigation strategies for CVE-2021-42391 should prioritize immediate patch application from the ClickHouse vendor to address the root cause in the compression codec implementation. Organizations should implement input validation measures that check for zero values in compressed data buffers before any mathematical operations are performed. Network-level defenses can include query filtering mechanisms that identify and block suspicious query patterns that might trigger the divide-by-zero condition. Additionally, monitoring systems should be configured to detect unusual database process termination events or arithmetic exception occurrences that may indicate exploitation attempts. The vulnerability demonstrates the importance of proper error handling in compression algorithms and aligns with ATT&CK technique T1499.004 which covers network disruption through service availability attacks, making it a critical consideration for database security hardening efforts.