CVE-2022-39135: Apache Calcite XML External Entity (XXE) Flaw
Apache Calcite published a security bulletin on September 11 disclosing an XML External Entity (XXE) vulnerability, CVE-2022-39135. Security researcher David Handermann is credited with reporting the flaw.
Apache Calcite is a dynamic data management framework. It contains many of the pieces that comprise a typical database management system but omits the storage primitives. It provides an industry-standard SQL parser and validator, a customisable optimizer with pluggable rules and cost functions, logical and physical algebraic operators, various transformation algorithms from SQL to algebra (and the opposite), and many adapters for executing SQL queries over Cassandra, Druid, Elasticsearch, MongoDB, Kafka, and others, with minimal configuration.
“In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External Entity references in their configuration, which makes them vulnerable to a potential XML External Entity (XXE) attack. Therefore any client exposing these operators, typically by using Oracle dialect (the first three) or MySQL dialect (the last one), is affected by this vulnerability (the extent of it will depend on the user under which the application is running),” read the security bulletin.
Apache Calcite 1.32.0 disables Document Type Declarations and XML External Entity resolution in the affected operators. Users should upgrade Calcite to 1.32.0 or later promptly to address CVE-2022-39135.
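The mitigation described above, as an added illustration that is not Calcite's own code: the standard JAXP parser and transformer settings that disable DTDs and external entity resolution, checked against a constructed document carrying a harmless internal DTD. The class and method names are assumptions for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXParseException;

public class HardenedXml {
    // DocumentBuilderFactory with DOCTYPE and external entity resolution disabled, the kind of
    // parser an XPath-style operator would use (assumed equivalent in intent to the 1.32.0 change).
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: without a DTD there are no entity declarations to expand.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // TransformerFactory for the XSLT side (XML_TRANSFORM) with external DTD and stylesheet access blocked.
    static TransformerFactory hardenedTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // empty string: no protocols allowed
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True if the hardened parser refuses the document; refusal happens at the DOCTYPE, before any
    // entity could be resolved.
    static boolean rejectedByHardenedParser(String xml) throws Exception {
        try {
            hardenedDocumentBuilderFactory().newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents: one with a harmless internal DTD, one without any DTD.
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        System.out.println("with DTD rejected: " + rejectedByHardenedParser(withDtd));
        System.out.println("plain rejected:    " + rejectedByHardenedParser("<r>x</r>"));
    }
}
```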