Trust Center

On March 29, 2024 a vulnerability was discovered in the xz-utils package that was reported as an SSH backdoor that enables remote code execution (RCE) (CVE-2024-3094). We immediately investigated the issue and determined ClickHouse Open Source and ClickHouse Cloud have no known exposure to this vulnerability.

ClickHouse Open Source

The following notice was posted in the public open source repository on March 30, 2024 (issue #62112).

ClickHouse is not affected. None of our releases are affected by this issue.

We are using the xz library to read and write compressed files for data import/export. The library's source code is pinned to an older version that does not include any offending commits or previous commits from the same people. And, similarly to every other dependency, we don't use the upstream packages or build system, and build every dependency from the source instead. Even if someone poisoned the build system or binaries of a dependent library, this is not going to affect us because we use neither build systems nor binaries.

ClickHouse Cloud

ClickHouse Cloud runs a unified cloud security platform that enables us to find, evaluate and respond to issues quickly. To exploit this vulnerability, systems must be running the vulnerable version of the xz-utils package and have SSH exposed to the internet. Based on these factors, we reviewed our systems and believe we have no known exposure to this vulnerability.

Additionally, we are actively working to evaluate our critical vendors to understand their posture and whether any action is required on our part. So far, both AWS and GCP have issued statements indicating their systems are not affected. For more information, please review their security bulletins:

• AWS-2024-002
• GCP-2024-021

We are continuing to track progress of this issue and will update this notification if there are any changes.