5 matches found
Security Bulletin: IBM OpenPages for Cloud Pak for Data is Vulnerable to Improper Restriction of XML External Entity Reference (CVE-2022-39135)
Summary: IBM OpenPages for Cloud Pak for Data is Vulnerable to Apache Calcite Core 1.37.0 introduced the SQL operators vulnerable to a potential XML External Entity (XXE) attack. These vulnerabilities were remediated. Vulnerability Details: CVEID: CVE-2022-39135 DESCRIPTION: Apache Calcite 1.22.0...
XML External Entity (XXE)
Calcite Core is vulnerable to XML external entity attacks. A remote attacker is able to read the contents of confidential files through the use of SQL functions such as EXISTSNODE, EXTRACTXML, XMLTRANSFORM or EXTRACTVALUE due to insecure business logic in XmlFunctions.java...
ai.chronon:online_2.11 (>=0.0.25 <=revert-391-thread-0.0.24), ai.chronon:service_2.11 (>=0.0.86 <=def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91) +975 more potentially affected by CVE-2022-39135 via org.apache.calcite:calcite-core (>=1.0.0-incubating <=1.31.0)
org.apache.calcite:calcite-core MAVEN version =1.0.0-incubating, =0.0.25, =0.0.86, =local, =local, =0.2.7, =1.0.1, =1.1.0, =1.7.0, =1.7.0, =1.0.0, =0.0.12, =1.0.0, =1.0.0, =1.0.0, =1.13.3, =2.14.0 and more Source cves: CVE-2022-39135 Source advisory: OSV:GHSA-FJ2M-W3WV-X9PR...
cn.eppdev.mlib:eppdev-mlib-sdk-hive-udf31 (=1.0.0), com.alibaba.blink:flink-sql-parser (=blink-3.6.8) +310 more potentially affected by CVE-2020-13955 via org.apache.calcite:calcite-core (>=1.0.0-incubating <=1.25.0)
org.apache.calcite:calcite-core MAVEN version =1.0.0-incubating, =1.0.0, =1.1.10, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =5.0.0, =1.3.2, =0.8.0, =7.2.1, =7.2.1, =8.1.15 and more Source cves: CVE-2020-13955 Source advisory: OSV:GHSA-HXP5-8PGQ-MGV9...
Man-in-the-Middle (MitM)
calcite-core is vulnerable to man-in-the-middle (MitM) attacks. The vulnerability exists as the getURLConnection method does not explicitly verify the hostname when making HTTPS connections...