Apache Calcite: potential XEE attacks
CVE-2022-39135

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Calcite
Vendor: CVE Published:; 11 September 2022

Summary

Apache Calcite 1.22.0 introduced the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running). From Apache Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity resolution are disabled on the impacted operators.

Affected Version(s)

Apache Calcite 1.22.0 < 1.32.0

References

https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d...

http://www.openwall.com/lists/oss-security/2022/11/21/3

mailing-list

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 11, 2022
Vulnerability Reserved
Sep 1, 2022

Credit

Apache Calcite would like to thank David Handermann for reporting this issue