Apache Calcite: potential XEE attacks
CVE-2022-39135

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Calcite
Vendor: CVE Published:; 11 September 2022

What is CVE-2022-39135?

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Calcite 1.22.0 < 1.32.0

References

https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d...

http://www.openwall.com/lists/oss-security/2022/11/21/3

mailing-list

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2022
Vulnerability Reserved
Sep 1, 2022

Credit

Apache Calcite would like to thank David Handermann for reporting this issue

JSON

Apache

What is CVE-2022-39135?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.