Summary
The HttpUtils#getURLConnection
function of apache/calcite disabled hostname verification and used an insecure TrustManager
for HTTPS connections making clients vulnerable to a machine-in-the-middle attack (MiTM).
Product
Tested Version
Commit ab19f981
Details
The HttpUtils#getURLConnection disables hostname verification by using a hostname verifier that accepts all hostnames by always returning true
. The method also uses an insecure TrustManager
that trusts all certificates even self-signed certificates.
Disabled hostname verification allows an attacker to use any valid certificate when intercepting a connection. Even when the hostname of the certificate does NOT match the hostname of the connection.
An insecure TrustManager
allows an attacker to create a self-signed certificate that matches the hostname of the intercepted connection.
Impact
Machine-in-the-middle attack.
CVE
Github Advisories
Coordinated Disclosure Timeline
- 2020-08-13: Sent a mail to security@apache.org.
- 2020-09-27: CVE id is shared with me.
- 2020-10-01: Issue is patched.
- 2020-10-09: Advisory is published.
Credit
This issue was discovered and reported by @intrigus-lgtm.
Contact
You can contact the ISL at isl@intrigus.org
. Please include a reference to ISL-2020-005
in any communication regarding this issue.