PT-2020-5838 · Apache · Druid

Simon Gerst · Published 2020-09-30 · Updated 2021-07-21

CVE-2020-13955 · CVSS v3.1 5.9 (Medium) · Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Apache Calcite versions prior to 1.26
Description: The issue lies in the HttpUtils#getURLConnection method, which disables hostname verification for HTTPS connections and so leaves clients open to man-in-the-middle attacks. Apache Calcite uses this method internally to connect to Druid and Splunk, so information may leak when the respective Calcite adapters are used. Because the method lives in a general-purpose utility class, other code that reuses it also ends up with HTTPS connections that skip hostname verification.
Recommendations: For Apache Calcite versions prior to 1.26, update to version 1.26 or later, where hostname verification is performed using the default JVM truststore. As a temporary workaround, consider not using the HttpUtils#getURLConnection method until a patch is available. Restrict access to the affected Calcite adapters for Druid and Splunk to minimize the risk of exploitation. Avoid using the vulnerable method to create HTTPS connections for other applications until the issue is resolved.
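As an added illustration (not Calcite's own HttpUtils code), a hypothetical helper that places the weak pattern the description refers to beside the corrected form the recommendation describes, with a check that a unit test can run against any HttpsURLConnection; the class and method names and the sample Druid URL are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

/** Illustrative helper (hypothetical, not Apache Calcite's HttpUtils). */
public final class HostnameVerificationExample {

    /**
     * WEAK: installs a verifier that accepts every hostname, so a certificate
     * that is valid for some other host (or any host an interceptor controls
     * a certificate for) passes the check. This is the pattern the advisory describes.
     */
    static HttpsURLConnection openWithoutHostnameVerification(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        HostnameVerifier acceptAll = (hostname, session) -> true; // disables hostname checking
        conn.setHostnameVerifier(acceptAll);
        return conn;
    }

    /**
     * FIXED: leaves the JVM default HostnameVerifier and default truststore in place.
     * The default verifier matches the certificate's SAN/CN against url.getHost()
     * when the TLS handshake runs, which is what Calcite 1.26+ relies on.
     */
    static HttpsURLConnection openWithHostnameVerification(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection(); // no setHostnameVerifier call
    }

    /**
     * Regression check: true only if the connection still uses the JVM-wide default
     * verifier. A per-connection override (as in the weak helper) makes this false.
     */
    static boolean usesDefaultHostnameVerifier(HttpsURLConnection conn) {
        return conn.getHostnameVerifier() == HttpsURLConnection.getDefaultHostnameVerifier();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample URL; openConnection() does not contact the host.
        URL url = new URL("https://druid.example.invalid:8082/druid/v2/");
        System.out.println("weak helper keeps default verifier:  "
                + usesDefaultHostnameVerifier(openWithoutHostnameVerification(url))); // false
        System.out.println("fixed helper keeps default verifier: "
                + usesDefaultHostnameVerifier(openWithHostnameVerification(url)));    // true
    }
}
```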

Weakness Enumeration

Improper Certificate Validation
Missing Authentication

Related Identifiers

BDU:2021-01822
CVE-2020-13955
GHSA-HXP5-8PGQ-MGV9

Affected Products

Apache Calcite
Druid
Splunk