Summary

The HttpUtils#getURLConnection function of apache/calcite disabled hostname verification and used an insecure TrustManager for HTTPS connections, making clients vulnerable to a machine-in-the-middle (MiTM) attack.

Product

apache/calcite

Tested Version

Commit ab19f981

Details

The HttpUtils#getURLConnection method disables hostname verification by installing a hostname verifier that accepts every hostname (it always returns true). The method also uses an insecure TrustManager that trusts all certificates, including self-signed ones.

Disabled hostname verification allows an attacker to use any valid certificate when intercepting a connection, even when the hostname in the certificate does NOT match the hostname of the connection. An insecure TrustManager allows an attacker to present a self-signed certificate that matches the hostname of the intercepted connection, since the client never checks the certificate chain against a trust store.
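The pattern described above, reconstructed as an added illustration (this is not Calcite's own code): an accept-all hostname verifier and a trust-all TrustManager next to the hardened form that relies on the JDK's default trust store and default hostname verifier. The class and method names are hypothetical.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsConnectionExample {

    // Anti-pattern from the advisory: the TrustManager never rejects a chain and the
    // HostnameVerifier accepts any name, so any certificate (self-signed or for another
    // host) is accepted. This is what a code review should flag.
    static HttpsURLConnection insecureConnection(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // accepts every hostname
        return conn;
    }

    // Hardened form: chain validation against the platform trust store (cacerts) and
    // the JDK's built-in hostname verification. No custom verifier or TrustManager.
    static HttpsURLConnection hardenedConnection(URL url) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null -> use the JDK default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // HttpsURLConnection's default HostnameVerifier checks the certificate's
        // subject alternative names against the URL host; it is deliberately left in place.
        return conn;
    }
}
```

If a deployment genuinely needs a private CA, load that CA into a KeyStore and pass it to TrustManagerFactory#init instead of disabling validation.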

Impact

Machine-in-the-middle attack.

CVE

CVE-2020-13955

Github Advisories

GHSA-hxp5-8pgq-mgv9

Coordinated Disclosure Timeline

  • 2020-08-13: Sent a mail to security@apache.org.
  • 2020-09-27: CVE id is shared with me.
  • 2020-10-01: Issue is patched.
  • 2020-10-09: Advisory is published.

Credit

This issue was discovered and reported by @intrigus-lgtm.

Contact

You can contact the ISL at isl@intrigus.org. Please include a reference to ISL-2020-005 in any communication regarding this issue.