CVE-2022-39135

Name of the Vulnerable Software and Affected Versions Apache Calcite versions prior to 1.32.0

Description The issue is related to the SQL operators EXISTS NODE, EXTRACT XML, XML TRANSFORM, and EXTRACT VALUE not restricting XML External Entity references in their configuration, making them vulnerable to a potential XML External Entity (XXE) attack. Any client exposing these operators, typically by using Oracle dialect or MySQL dialect, is affected by this issue. The extent of the vulnerability depends on the user under which the application is running.

Recommendations For Apache Calcite versions prior to 1.32.0, consider upgrading to version 1.32.0 or later, where Document Type Declarations and XML External Entity resolution are disabled on the impacted operators. As a temporary workaround, consider restricting the use of the SQL operators EXISTS NODE, EXTRACT XML, XML TRANSFORM, and EXTRACT VALUE to minimize the risk of exploitation. Additionally, restrict access to the Oracle and MySQL dialects to reduce the attack surface.