Vulnerability Description
Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via `httpclient_impl` connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes and in rare cases remote code execution. To exploit the vulnerability: 1) the attacker needs to have privileges to control JDBC connection parameters; 2) and there should be a vulnerable class (constructor with URL parameter and ability to execute code) in the classpath. From Apache Calcite Avatica 1.22.0 onwards, it will be verified that the class implements the expected interface before invoking its constructor.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Apache Calcite Avatica | < 1.22.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/07/28/1Mailing ListThird Party Advisory
- https://lists.apache.org/thread/5csdj8bv4h3hfgw27okm84jh1j2fyw0cMailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2022/07/28/1Mailing ListThird Party Advisory
- https://lists.apache.org/thread/5csdj8bv4h3hfgw27okm84jh1j2fyw0cMailing ListVendor Advisory
FAQ
What is CVE-2022-36364?
CVE-2022-36364 is a vulnerability with a CVSS score of 8.8 (HIGH). Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via `httpclient_impl` connection property; however, the driver does not verify if the class implements th...
How severe is CVE-2022-36364?
CVE-2022-36364 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-36364?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Apache Calcite Avatica.