CVE-2022-36364

8.8 HIGH

📋 TL;DR

This vulnerability in Apache Calcite Avatica JDBC driver allows attackers with JDBC connection parameter privileges to execute arbitrary code by loading malicious classes via the 'httpclient_impl' property. It affects systems using vulnerable versions of the driver where attackers can control connection parameters. The risk is highest when untrusted users can configure JDBC connections or when vulnerable classes exist in the classpath.

💻 Affected Systems

Products:
  • Apache Calcite Avatica JDBC Driver
Versions: All versions before 1.22.0
Operating Systems: All operating systems running Java
Default Config Vulnerable: ✅ No
Notes: Requires attacker control over 'httpclient_impl' connection property and presence of vulnerable classes in classpath.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Privileged users with JDBC configuration access could execute arbitrary code within the application context.

🟢 If Mitigated: Limited to authenticated users with specific JDBC configuration privileges, reducing the attack surface.

🌐 Internet-Facing: MEDIUM - Requires JDBC connection parameter control, which is less common in internet-facing applications.
🏢 Internal Only: HIGH - Internal applications often grant JDBC configuration access to multiple users, increasing exploitation potential.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires: 1) JDBC connection parameter privileges, 2) Vulnerable class in classpath, 3) Knowledge of exploitable class names.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Calcite Avatica 1.22.0 and later

Vendor Advisory: https://lists.apache.org/thread/5csdj8bv4h3hfgw27okm84jh1j2fyw0c

Restart Required: Yes

Instructions:

1. Identify all applications using the Apache Calcite Avatica JDBC driver.
2. Update to version 1.22.0 or later.
3. Replace the avatica-core.jar file.
4. Restart all affected applications.
5. Verify the update by checking the driver version.

🔧 Temporary Workarounds

Restrict JDBC Connection Parameters (platforms: all)

Limit who can configure JDBC connection properties, especially 'httpclient_impl'.

Classpath Sanitization (platforms: all)

Remove or restrict potentially dangerous classes from the application classpath.

🧯 If You Can't Patch

  • Implement strict access controls on JDBC connection configuration
  • Use application firewalls to monitor and block suspicious JDBC connection attempts

🔍 How to Verify

Check if Vulnerable:

Check if using Apache Calcite Avatica JDBC driver version < 1.22.0 and if 'httpclient_impl' property is configurable.

Check Version:

Check the avatica-core.jar manifest or use: java -cp avatica-core.jar org.apache.calcite.avatica.Main --version
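An added example (not part of this advisory, and not Apache Calcite code) that automates the version check: it reads the driver version out of an avatica-core jar and compares it against the 1.22.0 fix threshold. It assumes the jar carries the pom.properties file that maven-archiver embeds by default (and falls back to an Implementation-Version manifest attribute); the make_sample_jar helper builds a constructed stand-in jar so the script can be exercised without a real driver.

```python
# Added example, not from the advisory or the Avatica project.
# Assumptions: the jar contains Maven's pom.properties under
# META-INF/maven/org.apache.calcite.avatica/avatica-core/ and/or an
# Implementation-Version manifest attribute; otherwise the version is None.
import io
import re
import zipfile
from typing import Optional, Tuple

FIXED_VERSION = (1, 22, 0)  # advisory: 1.22.0 and later are fixed
POM_PROPS = "META-INF/maven/org.apache.calcite.avatica/avatica-core/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.21.0' (or '1.21.0-SNAPSHOT') into a comparable tuple of ints."""
    core = text.strip().split("-")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the driver version is below the first fixed release."""
    return parse_version(version) < FIXED_VERSION


def version_from_jar(jar: zipfile.ZipFile) -> Optional[str]:
    """Read the driver version from pom.properties, falling back to the manifest."""
    names = set(jar.namelist())
    if POM_PROPS in names:
        for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    if "META-INF/MANIFEST.MF" in names:
        for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip() == "Implementation-Version":
                return value.strip()
    return None


def check_jar_bytes(data: bytes) -> dict:
    """Return {'version': str|None, 'vulnerable': bool|None} for jar bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        version = version_from_jar(jar)
    vulnerable = None if version is None else is_vulnerable(version)
    return {"version": version, "vulnerable": vulnerable}


def check_jar_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_jar_bytes(fh.read())


def make_sample_jar(version: str) -> bytes:
    """Constructed stand-in for avatica-core.jar (metadata only, no classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            POM_PROPS,
            "groupId=org.apache.calcite.avatica\n"
            "artifactId=avatica-core\n"
            f"version={version}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python check_avatica.py /path/to/avatica-core.jar [...]
        for path in sys.argv[1:]:
            print(path, check_jar_file(path))
    else:
        # Dry run against constructed jars.
        for v in ("1.21.0", "1.22.0", "1.23.0"):
            print(v, check_jar_bytes(check_jar_bytes and make_sample_jar(v)))
```

Run it with one or more jar paths to report each driver's version and whether it predates the fix; with no arguments it exercises the constructed sample jars. A None version means neither metadata source was found and the jar should be inspected by hand.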

Verify Fix Applied:

Verify the driver version is 1.22.0 or later and test that arbitrary classes cannot be loaded via 'httpclient_impl'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual class loading errors
  • JDBC connection attempts with custom 'httpclient_impl' values
  • Security manager violations

Network Indicators:

  • Unexpected outbound connections from JDBC driver
  • HTTP requests to unusual endpoints

SIEM Query:

Search for: 'httpclient_impl' in application logs OR 'ClassNotFoundException' for suspicious class names
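An added example (not part of this advisory) that turns the two log indicators above into a small detection routine and runs it over constructed sample log lines. It assumes Avatica's ';key=value' connection-property syntax in JDBC URLs, and the allowlist of acceptable 'httpclient_impl' values is the operator's own (the driver's default client class is included as an assumed value; the com.example class names are constructed, not real).

```python
# Added example, not from the advisory. Flags (1) 'httpclient_impl' set to a
# value outside an operator-maintained allowlist and (2) ClassNotFoundException
# for classes outside the packages this deployment normally loads.
import re
from typing import Dict, List, Optional

# Assumed allowlist: Avatica's default client implementation (assumption) plus
# anything the deployment deliberately configures.
ALLOWED_HTTPCLIENT_IMPL = {
    "org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl",
}
# Package prefixes whose ClassNotFoundException noise is considered routine here.
EXPECTED_CLASS_PREFIXES = ("org.apache.calcite.", "java.", "javax.")

PROP_RE = re.compile(r"(?i)httpclient_impl\s*[=:]\s*([\w.$]+)")
CNFE_RE = re.compile(r"ClassNotFoundException:\s*([\w.$]+)")


def httpclient_impl_value(line: str) -> Optional[str]:
    """Extract the httpclient_impl value from a JDBC URL or properties dump."""
    m = PROP_RE.search(line)
    return m.group(1) if m else None


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious line, or None when it looks benign."""
    impl = httpclient_impl_value(line)
    if impl is not None and impl not in ALLOWED_HTTPCLIENT_IMPL:
        return {"indicator": "non-allowlisted httpclient_impl", "value": impl, "line": line}
    m = CNFE_RE.search(line)
    if m and not m.group(1).startswith(EXPECTED_CLASS_PREFIXES):
        return {"indicator": "ClassNotFoundException for unexpected class",
                "value": m.group(1), "line": line}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_line over every line and keep the findings."""
    return [f for f in (classify_line(line) for line in lines) if f is not None]


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2023-01-05T10:01:02Z INFO  app.db Opening jdbc:avatica:remote:url=http://db.internal:8765;serialization=protobuf",
    "2023-01-05T10:01:03Z INFO  app.db Opening jdbc:avatica:remote:url=http://db.internal:8765;httpclient_impl=org.apache.calcite.avatica.remote.AvaticaCommonsHttpClientImpl",
    "2023-01-05T10:04:17Z INFO  app.db Opening jdbc:avatica:remote:url=http://db.internal:8765;httpclient_impl=com.example.NotTheDefaultClient",
    "2023-01-05T10:04:18Z ERROR app.db java.lang.ClassNotFoundException: com.example.NotTheDefaultClient",
    "2023-01-05T10:09:00Z WARN  app.db java.lang.ClassNotFoundException: org.apache.calcite.avatica.OptionalThing",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['indicator']}: {finding['value']}")
```

On the sample input the third and fourth lines are reported; the allowlisted default on the second line and the in-package ClassNotFoundException on the last line are not. Feed it real application logs one line at a time and tune ALLOWED_HTTPCLIENT_IMPL and EXPECTED_CLASS_PREFIXES to what your deployment legitimately uses.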
