=====================================================================

                              CERT-Renater

                   Note d'Information No. 2022/VULN323

_____________________________________________________________________

DATE                : 12/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Calcite versions prior to
                                           1.32.0.

=====================================================================
https://lists.apache.org/thread/ohdnhlgm6jvt3srw8l7spkm2d5vwm082
_____________________________________________________________________

CVE-2022-39135: Apache Calcite: potential XEE attacks


Description:

In Apache Calcite prior to version 1.32.0 the SQL operators
EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not 
restrict XML External Entity references in their configuration,
which makes them vulnerable to a potential XML External Entity
(XXE) attack. Therefore any client exposing these operators,
typically by using Oracle dialect (the first three) or
MySQL dialect (the last one), is affected by this vulnerability
(the extent of it will depend on the user under which the
application is running).

 From Apache Calcite 1.32.0 onwards, Document Type Declarations
and XML External Entity resolution are disabled on the impacted
operators.


Credit:

Apache Calcite would like to thank David Handermann for reporting
this issue


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================