Description

HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.

Remediation

References

https://lists.apache.org/thread.html/r0b0fbe2038388175951ce1028182d980f9e9a7328be13d52dab70bb3%40%3Cdev.calcite.apache.org%3E

Related Vulnerabilities

CVE-2019-1003010 Vulnerability in maven package org.jenkins-ci.plugins:git

CVE-2018-9159 Vulnerability in maven package com.sparkjava:spark-core

CVE-2017-7663 Vulnerability in maven package org.apache.openmeetings:openmeetings-core

CVE-2019-1003087 Vulnerability in maven package org.jenkins-ci.plugins:sinatra-chef-builder

CVE-2016-4055 Vulnerability in maven package org.fujion.webjars:moment

Severity

Medium

Classification

CWE-295 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory