[ https://issues.apache.org/jira/browse/CALCITE-4298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17210703#comment-17210703 ]
Stamatis Zampetakis commented on CALCITE-4298:
----------------------------------------------

[CVE-2020-13955] Apache Calcite Disabled HTTPS Hostname Verification

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache Calcite 0.8 to 1.25

Description:
HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications.

From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore.

Mitigation:
Users should upgrade to 1.26 if:
* they are using Druid or Splunk adapters via HTTPS;
* they are using HttpUtils directly for HTTPS connections.

Credit:
This issue was discovered by Simon Gerst.

> Avoid disabling hostname verification on HTTPS connections
> ----------------------------------------------------------
>
>                 Key: CALCITE-4298
>                 URL: https://issues.apache.org/jira/browse/CALCITE-4298
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Julian Hyde
>            Assignee: Stamatis Zampetakis
>            Priority: Major
>             Fix For: 1.26.0
>
>
> Avoid disabling hostname verification on HTTPS connections.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
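
The class of defect the advisory describes, shown as an added Java example that is not Calcite's HttpUtils code and not part of the original message: a per-connection verifier that accepts every hostname, beside a connection that keeps the JVM default, plus a small audit check. The class name, method names and the URL are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class HostnameVerificationDemo {

  /** Weak pattern: installs a verifier that accepts every hostname. */
  static HttpsURLConnection openWithoutVerification(URL url) throws Exception {
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    // The verifier is consulted when the certificate does not match the
    // URL's host. Returning true accepts any certificate that chains to a
    // trusted CA, whichever host it was issued for.
    conn.setHostnameVerifier((hostname, session) -> true);
    return conn;
  }

  /** Corrected pattern: keep the JVM default, which rejects mismatches. */
  static HttpsURLConnection openWithVerification(URL url) throws Exception {
    return (HttpsURLConnection) url.openConnection();
  }

  /** Audit helper: true if the connection still uses the JVM default verifier. */
  static boolean usesDefaultVerifier(HttpsURLConnection conn) {
    return conn.getHostnameVerifier()
        == HttpsURLConnection.getDefaultHostnameVerifier();
  }

  public static void main(String[] args) throws Exception {
    // Constructed URL. openConnection() does no network I/O until connect()
    // is called, so this runs offline.
    URL url = URI.create("https://adapter-host.example.invalid/").toURL();

    System.out.println("weak connection keeps default verifier:   "
        + usesDefaultVerifier(openWithoutVerification(url)));
    System.out.println("strict connection keeps default verifier: "
        + usesDefaultVerifier(openWithVerification(url)));
  }
}
```

A check like `usesDefaultVerifier` can be used in a unit test around any helper that hands out HTTPS connections, so that a verifier override is caught before release.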