Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache Calcite 0.8 to 1.25

Description: The HttpUtils#getURLConnection method explicitly disables hostname verification for HTTPS connections, making clients vulnerable to man-in-the-middle attacks. Calcite uses this method internally to connect to Druid and Splunk, so information leakage may occur when using the respective Calcite adapters. The method itself lives in a utility class, so other applications may use it to create vulnerable HTTPS connections. From Apache Calcite 1.26 onwards, hostname verification is performed using the default JVM truststore.

Mitigation: Users should upgrade to 1.26 if: they are using the Druid or Splunk adapters via HTTPS; they are using HttpUtils directly for HTTPS connections.

Credit: This issue was discovered by Simon Gerst.

References: https://issues.apache.org/jira/browse/CALCITE-4298
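The following is an added illustration of the weakness the advisory describes, not code from Apache Calcite: the pattern in which a HttpsURLConnection is given a HostnameVerifier that accepts every hostname, placed beside the corrected form that keeps the JVM's default verifier, plus a small review-time check that flags a permissive verifier. The class and method names are hypothetical, and the URL is a constructed sample; openConnection() does not contact the network, so the code runs offline. The check relies on the documented contract that HttpsURLConnection.getDefaultHostnameVerifier() returns a verifier that never accepts a mismatched name on its own.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

// Hypothetical class for illustration; not part of Calcite.
public final class HostnameVerificationExample {

    // Weak pattern: an accept-all verifier means a valid certificate issued
    // for any other name is accepted for the host we asked for, which is the
    // man-in-the-middle exposure described in the advisory.
    static HttpsURLConnection openWithoutHostnameVerification(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        HostnameVerifier acceptAll = (hostname, session) -> true;
        conn.setHostnameVerifier(acceptAll);
        return conn;
    }

    // Corrected pattern: keep the JVM default. Endpoint identification is then
    // performed against the certificate's subject alternative names using the
    // default truststore, and the default verifier is only consulted on a
    // mismatch, where it rejects.
    static HttpsURLConnection openWithDefaultVerification(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }

    // Review-time check: a verifier that says "yes" to a name that cannot match
    // (no session has been negotiated, so nothing can be verified) is permissive.
    // A verifier that needs a real session and throws is treated as not permissive.
    static boolean hasPermissiveVerifier(HttpsURLConnection conn) {
        HostnameVerifier v = conn.getHostnameVerifier();
        try {
            return v.verify("mismatch.invalid", null);
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample endpoint; nothing is actually connected to.
        URL druid = new URL("https://druid.internal.example:8082/druid/v2/");

        HttpsURLConnection weak = openWithoutHostnameVerification(druid);
        HttpsURLConnection fixed = openWithDefaultVerification(druid);

        System.out.println("accept-all verifier flagged: " + hasPermissiveVerifier(weak));   // true
        System.out.println("default verifier flagged:    " + hasPermissiveVerifier(fixed)); // false
    }
}
```

For a Calcite deployment the practical check is simply the version: 1.26 or later performs verification by default, while on 0.8 to 1.25 any Druid or Splunk adapter configured over HTTPS, or any application calling HttpUtils directly, should be assumed to behave like the first method above.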
