[
https://issues.apache.org/jira/browse/HIVE-27410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17731498#comment-17731498
]
Stamatis Zampetakis commented on HIVE-27410:
--------------------------------------------
[~yeachan153] There is work in progress in HIVE-27102. Calcite upgrades are
complicated, so the latter may take a while until it gets resolved.
> Calcite upgrade to 1.32.0 to fix CVE-2022-39135
> -----------------------------------------------
>
> Key: HIVE-27410
> URL: https://issues.apache.org/jira/browse/HIVE-27410
> Project: Hive
> Issue Type: Task
> Reporter: Diksha
> Priority: Major
>
> In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NODE,
> EXTRACT_XML, XML_TRANSFORM and EXTRACT_VALUE do not restrict XML External
> Entity references in their configuration, which makes them vulnerable to a
> potential XML External Entity (XXE) attack. Therefore any client exposing
> these operators, typically by using Oracle dialect (the first three) or MySQL
> dialect (the last one), is affected by this vulnerability (the extent of it
> will depend on the user under which the application is running). From Apache
> Calcite 1.32.0 onwards, Document Type Declarations and XML External Entity
> resolution are disabled on the impacted operators.
>
> It is recommended to upgrade to version 1.32.0 to fix CVE-2022-39135.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
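The issue description above explains the class of bug (XML operators that parse attacker-supplied XML with Document Type Declarations and external entity resolution still enabled) and the shape of the fix (disable both on the affected operators). The following is an added illustration of that mechanism in plain JAXP, written for this page; it is not Calcite's own implementation of EXTRACT_VALUE or the actual patch. The `extractValue` helper only mimics the "parse, then evaluate an XPath" pattern of such an operator, the entity target `file:///etc/hostname` is a constructed example, and the feature URIs are the standard Xerces/JAXP ones understood by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed attacker input: a DOCTYPE declaring an external general entity
    // that points at a local file, and a document that references it. A parser
    // that resolves the entity returns the file contents as the text of <x>.
    static final String MALICIOUS =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE x [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
      + "<x>&xxe;</x>";

    // Loose imitation of an EXTRACT_VALUE-style operator: parse the XML with the
    // supplied factory, then evaluate an XPath expression against the result.
    static String extractValue(DocumentBuilderFactory f, String xml, String xpath) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate(xpath, doc);
    }

    // Hardened DOM factory for operators that parse untrusted XML (the analogue of
    // EXISTS_NODE / EXTRACT_XML / EXTRACT_VALUE): no DOCTYPE, no external entities.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting the DOCTYPE outright is the single most effective control:
        // without a DTD there is nowhere to declare an entity at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hardened XSLT factory for an XML_TRANSFORM-style operator: the stylesheet is
    // also attacker-controlled XML, and XSLT can additionally pull in documents via
    // document() or xsl:import, so external DTD and stylesheet access are cut off too.
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // 1. Default factory: unless the JDK has been hardened globally through
        //    jaxp.properties, the entity is resolved and the file contents leak
        //    into the operator's result (or an I/O error leaks whether it exists).
        try {
            System.out.println("default : "
                + extractValue(DocumentBuilderFactory.newInstance(), MALICIOUS, "string(/x)"));
        } catch (Exception e) {
            System.out.println("default : " + e);
        }
        // 2. Hardened factory: parsing fails at the DOCTYPE, before any entity is touched.
        try {
            System.out.println("hardened: " + extractValue(hardenedFactory(), MALICIOUS, "string(/x)"));
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
        // 3. Ordinary input without a DOCTYPE still works under the hardened factory.
        System.out.println("benign  : " + extractValue(hardenedFactory(), "<x>hello</x>", "string(/x)"));
    }
}
```

The point of the third call is the check a practitioner should make after applying this kind of fix: the operators must keep working on DTD-free input, which is what real callers send, while any input carrying a DOCTYPE is refused as a whole rather than partially processed. The extent of what a successful XXE can read is bounded by the OS user running the application, which is why the description ties the impact to that user.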