[
https://issues.apache.org/jira/browse/CALCITE-4298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17210703#comment-17210703
]
Stamatis Zampetakis commented on CALCITE-4298:
----------------------------------------------
[CVE-2020-13955] Apache Calcite Disabled HTTPS Hostname Verification
Severity: Moderate
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Calcite 0.8 to 1.25
Description:
The HttpUtils#getURLConnection method explicitly disables hostname
verification for HTTPS connections, making clients vulnerable to
man-in-the-middle attacks.
Calcite uses this method internally to connect with Druid and Splunk, so
information leakage may happen when using the respective Calcite adapters.
The method itself is in a utility class, so people may use it to create
vulnerable HTTPS connections for other applications.
From Apache Calcite 1.26 onwards, the hostname verification will be
performed using the default JVM truststore.
Mitigation:
Users should upgrade to 1.26 if:
they are using Druid or Splunk adapters via HTTPS;
they are using HttpUtils directly for HTTPS connections.
Credit:
This issue was discovered by Simon Gerst.
> Avoid disabling hostname verification on HTTPS connections
> ----------------------------------------------------------
>
> Key: CALCITE-4298
> URL: https://issues.apache.org/jira/browse/CALCITE-4298
> Project: Calcite
> Issue Type: Bug
> Reporter: Julian Hyde
> Assignee: Stamatis Zampetakis
> Priority: Major
> Fix For: 1.26.0
>
>
> Avoid disabling hostname verification on HTTPS connections.
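The class of bug named in the advisory, shown as an added example that is not Calcite's own code: an HTTPS connection opened with an accept-all hostname verifier next to one that keeps the JVM default, plus a check that could be used in a unit test to catch the first form. The class name, method names and the URL are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.net.URI;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

public class HostnameVerificationDemo {

  // Vulnerable pattern: the verifier accepts every hostname, so any
  // certificate the truststore accepts is allowed to stand in for the server.
  static HttpsURLConnection openWithoutVerification(String url) throws IOException {
    HttpsURLConnection conn =
        (HttpsURLConnection) URI.create(url).toURL().openConnection();
    conn.setHostnameVerifier((hostname, session) -> true);
    return conn;
  }

  // Corrected pattern: leave the JVM defaults in place. The built-in HTTPS
  // hostname check runs against the certificate; the HostnameVerifier is only
  // a fallback consulted when that check fails, and the default one rejects.
  static HttpsURLConnection openWithVerification(String url) throws IOException {
    return (HttpsURLConnection) URI.create(url).toURL().openConnection();
  }

  // Regression check: does the connection's fallback verifier accept a
  // hostname that cannot match? No network traffic is generated, because
  // openConnection() does not connect until the connection is used.
  static boolean acceptsAnyHostname(HttpsURLConnection conn) {
    HostnameVerifier verifier = conn.getHostnameVerifier();
    try {
      return verifier.verify("mismatch.invalid", null);
    } catch (RuntimeException e) {
      // The verifier inspected the (absent) session, so it is not an
      // unconditional "return true".
      return false;
    }
  }

  public static void main(String[] args) throws IOException {
    String url = "https://druid.example.invalid:8082/"; // constructed sample URL
    System.out.println("accept-all verifier flagged: "
        + acceptsAnyHostname(openWithoutVerification(url)));
    System.out.println("default verifier flagged:    "
        + acceptsAnyHostname(openWithVerification(url)));
  }
}
```

A check like acceptsAnyHostname can be asserted in tests around any helper that hands out HttpsURLConnection objects, so that a permissive verifier cannot be reintroduced unnoticed.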