ch-go Query Smuggling Vulnerability

MEDIUM (4.9) No Patch (252 days)

Threat Intelligence

Low Risk
EPSS Score: 0.01% chance of exploitation (percentile: 2%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found

What is it?

The ch-go library is a Go package used for connecting to ClickHouse databases. It allows users to execute queries on the database server. The vulnerability in question occurs when an attacker can smuggle another query packet into the connection stream by sending large, uncompressed malicious external data.

Am I affected?

You're affected if you use ch-go. The advisory does not state which versions are affected. If you don't recognise this software, you're probably not affected.

Affected Packages

go: github.com/ClickHouse/ch-go

How to fix

Update to at least version 0.65.0:
* Go to the ClickHouse GitHub page and download the latest version.
* Run go get github.com/ClickHouse/ch-go@v0.65.0 in your terminal.
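A quick way to confirm the upgrade took effect is to scan a project's go.mod for the ch-go requirement and compare it against the fixed version named above. The following Go program is an added example written for this page, not code from the ch-go project or the advisory; the go.mod text it scans is constructed, and the module path and the v0.65.0 threshold are the only values taken from the page. It treats a pre-release of v0.65.0 as still vulnerable and ignores replace directives, which you would need to resolve separately.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module path and minimum fixed version, both taken from the advisory text.
const (
	chGoModule   = "github.com/ClickHouse/ch-go"
	chGoFixedVer = "v0.65.0"
)

// sampleGoMod is a constructed go.mod used as input; it is not from any real project.
const sampleGoMod = `module example.com/reportsvc

go 1.21

require (
	github.com/ClickHouse/ch-go v0.61.2
	github.com/google/uuid v1.6.0
)
`

// requiredVersion scans go.mod text for a require line naming module and
// returns its version, or "" when the module is not required at all.
// Both the block form ("require (" ... ")") and the single-line form are handled;
// replace directives are deliberately not interpreted.
func requiredVersion(goMod, module string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		line = strings.TrimPrefix(line, "require ") // single-line form
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == module {
			return fields[1]
		}
	}
	return ""
}

// parseSemver splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into numeric parts
// and reports whether a pre-release tag was present. Build metadata is ignored.
func parseSemver(v string) (parts [3]int, pre bool, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		pre = v[i] == '-'
		v = v[:i]
	}
	segs := strings.Split(v, ".")
	if len(segs) != 3 {
		return parts, false, false
	}
	for i, s := range segs {
		n, err := strconv.Atoi(s)
		if err != nil || n < 0 {
			return parts, false, false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// compareSemver returns -1, 0, or 1 as a is older than, equal to, or newer than b.
// A pre-release sorts before the release with the same numeric core.
func compareSemver(a, b string) (int, error) {
	pa, preA, okA := parseSemver(a)
	pb, preB, okB := parseSemver(b)
	if !okA || !okB {
		return 0, fmt.Errorf("unparseable version: %q / %q", a, b)
	}
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1, nil
		}
		if pa[i] > pb[i] {
			return 1, nil
		}
	}
	switch {
	case preA && !preB:
		return -1, nil
	case !preA && preB:
		return 1, nil
	}
	return 0, nil
}

// IsVulnerableChGo reports whether the go.mod text pins ch-go below the fixed
// version. It returns false when ch-go is not a dependency.
func IsVulnerableChGo(goMod string) (bool, error) {
	ver := requiredVersion(goMod, chGoModule)
	if ver == "" {
		return false, nil
	}
	c, err := compareSemver(ver, chGoFixedVer)
	if err != nil {
		return false, err
	}
	return c < 0, nil
}

func main() {
	vuln, err := IsVulnerableChGo(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("ch-go %s below %s: %v\n",
		requiredVersion(sampleGoMod, chGoModule), chGoFixedVer, vuln)
}
```

Run it against a real project by reading go.mod from disk into IsVulnerableChGo; for a module-aware answer that accounts for replace directives and the minimal version selection of the whole build, compare against the output of go list -m instead of the raw file.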

Immediate mitigations:
- Restrict network access to your ch-go instance (firewall it from the public internet)
- Audit query logs for suspicious patterns
- Monitor for unauthorized query execution

References