Overview
Welcome to ClickHouse's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
Knowledge Base
- Federal: Is there a ClickHouse version that is secured for US Federal compliance?
- PCI: Can I use ClickHouse Cloud to store credit card numbers for analysis?
- HIPAA: Is ClickHouse Cloud HIPAA compliant?
Trust Center Updates
On March 29, 2024, a vulnerability in the xz-utils package (CVE-2024-3094) was disclosed and reported as an SSH backdoor enabling remote code execution (RCE). We immediately investigated the issue and determined that ClickHouse Open Source and ClickHouse Cloud have no known exposure to this vulnerability.
ClickHouse Open Source
The following notice was posted in the public open source repository on March 30, 2024 (issue #62112).
ClickHouse is not affected. None of our releases are affected by this issue.
We are using the xz library to read and write compressed files for data import/export. The library's source code is pinned to an older version that does not include any offending commits or previous commits from the same people. And, similarly to every other dependency, we don't use the upstream packages or build system, and build every dependency from the source instead. Even if someone poisoned the build system or binaries of a dependent library, this is not going to affect us because we use neither build systems nor binaries.
ClickHouse Cloud
ClickHouse Cloud runs a unified cloud security platform that enables us to find, evaluate and respond to issues quickly. To exploit this vulnerability, systems must be running the vulnerable version of the xz-utils package and have SSH exposed to the internet. Based on these factors, we reviewed our systems and believe we have no known exposure to this vulnerability.
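The two exposure conditions stated above (a backdoored xz-utils release and SSH reachable from the internet) can be turned into a host-level triage check. The script below is an added example, not ClickHouse's code and not part of the original notice. It assumes the affected release numbers 5.6.0 and 5.6.1 from the public CVE-2024-3094 advisory (this page does not list them), a default sshd path of /usr/sbin/sshd, and treats "does sshd map liblzma" as a refinement of the notice's conditions; the sample `xz --version` banner and `ldd` output are constructed for offline use.

```python
import os
import re
import shutil
import subprocess

# Affected xz-utils releases named in the public CVE-2024-3094 advisory.
# Assumption: taken from that advisory, not from the ClickHouse notice.
BACKDOORED_XZ_VERSIONS = frozenset({"5.6.0", "5.6.1"})

# Constructed sample outputs (not captured from a real host).
SAMPLE_XZ_BANNER = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_SSHD = (
    "\tlinux-vdso.so.1 (0x00007ffd00000000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000001000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000002000)\n"
)


def parse_xz_version(banner: str):
    """Pull the release number out of `xz --version` output.

    The first line looks like 'xz (XZ Utils) 5.4.5'; returns None when it does not match.
    """
    match = re.search(r"xz \(XZ Utils\)\s+(\d+\.\d+\.\d+)", banner)
    return match.group(1) if match else None


def sshd_loads_liblzma(ldd_output: str) -> bool:
    """True if `ldd <sshd>` lists liblzma among the shared objects sshd maps.

    The backdoor lives in liblzma, so an sshd that never maps it has no code path
    into the malicious library. Distribution-specific; used here as a refinement.
    """
    return any("liblzma" in line for line in ldd_output.splitlines())


def assess_exposure(xz_version, ssh_exposed: bool, sshd_maps_liblzma: bool) -> dict:
    """Apply the notice's conditions: vulnerable xz build AND SSH exposed to the internet."""
    vulnerable_build = xz_version in BACKDOORED_XZ_VERSIONS
    if not vulnerable_build:
        verdict = "no_known_exposure"
        action = "none; installed xz-utils is not a backdoored release"
    elif ssh_exposed and sshd_maps_liblzma:
        verdict = "exposed"
        action = "isolate host, roll xz-utils back to a clean release, rotate SSH keys"
    else:
        # Backdoored build present but the remote path the notice describes is absent.
        verdict = "vulnerable_build_present"
        action = "roll xz-utils back to a clean release; no internet-facing sshd path"
    return {
        "xz_version": xz_version,
        "vulnerable_build": vulnerable_build,
        "verdict": verdict,
        "action": action,
    }


def collect_local_facts(sshd_path: str = "/usr/sbin/sshd") -> dict:
    """Gather the same facts from the local host; None where a tool or file is absent.

    Whether SSH is internet-facing cannot be read from the host alone (firewall
    rules, cloud security groups), so that input is left to the caller.
    """
    facts = {"xz_version": None, "sshd_maps_liblzma": None}
    if shutil.which("xz"):
        out = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
        facts["xz_version"] = parse_xz_version(out.stdout)
    if shutil.which("ldd") and os.path.exists(sshd_path):
        out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True, check=False)
        facts["sshd_maps_liblzma"] = sshd_loads_liblzma(out.stdout)
    return facts


if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then a best-effort local read.
    demo = assess_exposure(
        parse_xz_version(SAMPLE_XZ_BANNER),
        ssh_exposed=True,
        sshd_maps_liblzma=sshd_loads_liblzma(SAMPLE_LDD_SSHD),
    )
    print("sample host:", demo)
    print("this host:", collect_local_facts())
```

The verdict deliberately separates "a backdoored build is installed" from "the remote path described in the notice exists": the first always calls for rolling xz-utils back, the second is what turns a patching task into an incident.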
Additionally, we are actively working to evaluate our critical vendors to understand their posture and whether any action is required on our part. So far, both AWS and GCP have issued statements indicating their systems are not affected. For more information, please review their security bulletins:
We are continuing to track progress of this issue and will update this notification if there are any changes.
If you think you may have discovered a vulnerability, please send us a note.