
Beware New Features: How Updates Can Uncover Security Flaws in Existing Systems (Case Study: ClickHouse CVE-2024-22412)

Original Post: Lessons Learned #2: Your new feature could introduce a security vulnerability to your old feature (ClickHouse query cache authz bypass CVE-2024–22412) | by Mohamed AboElKheir | AppSec Untangled | Sep, 2024

This article is the second in the “Lessons Learned” series, which explores real-world vulnerabilities from an application security engineer’s perspective, focusing on root causes and preventive measures. The current story discusses CVE-2024-22412, a vulnerability affecting ClickHouse, a popular open-source column-oriented database used for online analytical processing (OLAP). This vulnerability could lead to authorization bypass and exposure of sensitive data.

ClickHouse introduced role-based access control, which initially worked well. However, a new "Query cache" feature, designed to enhance performance by caching query results, didn’t include user roles in its cache key. This oversight allowed different roles to access cached results meant for other roles, leading to unauthorized data access.

ClickHouse addressed the issue by patching the cache mechanism to incorporate the current user and roles into the cache key. Application-specific business logic issues like this one often evade detection by conventional security tools. To mitigate such issues, the article advises:

  • Threat Modeling: To anticipate and address potential issues during the design phase.
  • Security Tests: To ensure features remain secure through unit and integration tests.
  • Pentests and Bug Bounty Programs: To catch any overlooked vulnerabilities.
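
The cache-key flaw and its fix, together with the kind of security regression test the article recommends, can be modeled in a few lines. This is an added example, not ClickHouse code or code from the original post: the table, role names, users, `QueryCache` class and key functions are all hypothetical, and the "engine" only applies a per-role row filter.

```python
# Toy model of a query result cache (hypothetical names, not ClickHouse internals).

# Constructed sample table: (tenant, amount).
ROWS = [("acme", 100), ("acme", 250), ("globex", 900)]
# Constructed role policy: which tenants each role may read.
ROLE_TENANTS = {"acme_analyst": {"acme"}, "globex_analyst": {"globex"}}


def execute(query, roles):
    """Stand-in engine: enforces the roles' row filter (query text is ignored)."""
    allowed = set().union(*(ROLE_TENANTS.get(r, set()) for r in roles))
    return [row for row in ROWS if row[0] in allowed]


def key_query_only(query, user, roles):
    # Flawed design: the key does not depend on who is asking.
    return (query,)


def key_with_identity(query, user, roles):
    # Design after the fix the page describes: user and roles are part of the key.
    return (query, user, frozenset(roles))


class QueryCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def run(self, query, user, roles):
        key = self.key_fn(query, user, roles)
        if key not in self.store:  # miss: authorization is enforced here only
            self.store[key] = execute(query, roles)
        return self.store[key]     # hit: result is returned with no authz check


def leaked_rows(cache):
    """Regression check: rows a second role receives that its policy forbids."""
    q = "SELECT * FROM invoices"
    cache.run(q, "alice", {"acme_analyst"})        # first role warms the cache
    got = cache.run(q, "bob", {"globex_analyst"})  # second role, same query text
    permitted = execute(q, {"globex_analyst"})
    return [row for row in got if row not in permitted]


if __name__ == "__main__":
    print("query-only key leaks:", leaked_rows(QueryCache(key_query_only)))
    print("identity-aware key leaks:", leaked_rows(QueryCache(key_with_identity)))
```

A test like `leaked_rows` belongs next to the access-control tests, so that any later feature that sits between the caller and the authorization check has to pass it.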

The piece concludes by emphasizing the importance of considering security implications during feature design and maintaining security through continuous testing and proactive defenses.
