CVE-2022-39135 Overview
Apache Calcite versions 1.22.0 through 1.31.0 contain an XML External Entity (XXE) vulnerability affecting SQL operators EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM, and EXTRACT_VALUE. These operators do not properly restrict XML External Entity references in their configuration, enabling attackers to exploit XXE attack vectors. Applications using Oracle dialect (for the first three operators) or MySQL dialect (for EXTRACT_VALUE) are susceptible to this vulnerability.
Critical Impact
This XXE vulnerability can enable attackers to read sensitive files from the server, perform server-side request forgery (SSRF), and potentially achieve remote code execution depending on the application context and user privileges.
Affected Products
- Apache Calcite versions 1.22.0 through 1.31.x
- Applications using Oracle SQL dialect with EXISTS_NODE, EXTRACT_XML, or XML_TRANSFORM operators
- Applications using MySQL SQL dialect with EXTRACT_VALUE operator
Discovery Timeline
- 2022-09-11 - CVE-2022-39135 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-39135
Vulnerability Analysis
This vulnerability stems from improper XML parsing configuration within Apache Calcite's SQL operators. The affected operators (EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM, and EXTRACT_VALUE) process XML data without disabling Document Type Declaration (DTD) processing and external entity resolution. This oversight allows malicious XML payloads containing external entity references to be processed by the application, leading to XXE exploitation.
The impact of this vulnerability depends significantly on the privileges of the user account under which the application runs. An attacker who can supply crafted XML input to these operators can potentially access local files, probe internal network services, or cause denial of service through entity expansion attacks.
Root Cause
The root cause is the failure to disable Document Type Declarations (DTD) and XML External Entity resolution when configuring the XML parser used by the affected SQL operators. The XML processing components in Apache Calcite did not implement secure-by-default configurations, allowing external entity references to be resolved during XML parsing operations.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by submitting specially crafted SQL queries containing malicious XML payloads to applications that expose the vulnerable operators. When the application processes these queries using Oracle or MySQL dialect, the XML parser resolves external entity references, allowing the attacker to:
- Read arbitrary files from the server's filesystem
- Perform SSRF attacks to probe internal network infrastructure
- Cause denial of service through recursive entity expansion (billion laughs attack)
- Potentially exfiltrate sensitive configuration data or credentials
The vulnerability manifests when malicious XML containing external entity declarations is passed to the affected SQL operators. The XML parser processes the DTD declarations and resolves external references, enabling data exfiltration or SSRF. See the Apache Mailing List Thread for additional technical details.
Detection Methods for CVE-2022-39135
Indicators of Compromise
- SQL queries containing EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM, or EXTRACT_VALUE operators with suspicious XML payloads
- Log entries showing attempts to access local files like /etc/passwd or Windows system files
- Outbound network connections from the application server to unexpected external hosts
- XML payloads containing <!DOCTYPE> declarations or <!ENTITY> definitions in application inputs
Detection Strategies
- Monitor application logs for SQL queries using the affected XML operators with DTD declarations
- Implement Web Application Firewall (WAF) rules to detect and block XXE attack patterns in incoming requests
- Deploy network monitoring to detect unusual outbound connections from application servers
- Use static code analysis tools to identify usage of vulnerable Apache Calcite versions
Monitoring Recommendations
- Enable detailed logging for SQL query processing, particularly for XML-related operators
- Configure alerting for file access attempts outside expected application directories
- Monitor for SSRF indicators such as connections to internal IP ranges or metadata services
- Track Apache Calcite version deployments across the environment for rapid vulnerability identification
How to Mitigate CVE-2022-39135
Immediate Actions Required
- Upgrade Apache Calcite to version 1.32.0 or later, which disables DTD and XXE resolution by default
- Audit all applications using Apache Calcite to identify usage of Oracle or MySQL dialects with affected operators
- Implement input validation to reject XML payloads containing DTD declarations
- Apply network segmentation to limit the impact of potential SSRF attacks
Patch Information
Apache Calcite version 1.32.0 and later includes security fixes that disable Document Type Declarations and XML External Entity resolution on the impacted operators by default. Organizations should upgrade to version 1.32.0 or later to remediate this vulnerability. Refer to the Openwall OSS Security Discussion and Apache Mailing List Thread for official guidance.
Workarounds
- If immediate upgrade is not possible, disable or restrict access to the affected SQL operators (EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM, EXTRACT_VALUE)
- Implement application-level input validation to sanitize XML content before processing
- Configure the XML parser at the application level to disable DTD processing and external entity resolution
- Deploy WAF rules to block requests containing XXE attack patterns
# Example: Restricting access to vulnerable operators via application configuration
# Consult Apache Calcite documentation for dialect-specific restrictions
# Upgrade to version 1.32.0+ for comprehensive mitigation
mvn dependency:tree | grep calcite
# Update pom.xml to use calcite version 1.32.0 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
