====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN565
_____________________________________________________________________

DATE                : 12/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Active Apache Calcite versions
                                       prior to 1.26 if.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202010.mbox/%3cCAFQnWdaiL2d+qRutgQ=vbskx5vCbpZ-Y7L3AmHEsiee5bwf8Xw@mail.gmail.com%3e
_____________________________________________________________________

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Calcite 0.8 to 1.25

Description:
HttpUtils#getURLConnection method disables explicitly hostname
verification for HTTPS connections making clients vulnerable to
man-in-the-middle attacks.
Calcite uses internally this method to connect with Druid and Splunk so
information leakage may happen when using the respective Calcite
adapters.

The method itself is in a utility class so people may use it to create
vulnerable HTTPS connections for other applications.

>From Apache Calcite 1.26 onwards, the hostname verification will be
performed using the default JVM truststore.

Mitigation:
Users should upgrade to 1.26 if:
they are using Druid or Splunk adapters via HTTPS;
they are using HttpUtils directly for HTTPS connections.

Credit:
This issue was discovered by Simon Gerst.

References:
https://issues.apache.org/jira/browse/CALCITE-4298


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================