AVID-2026-R1117
Description
Apache Calcite Avatica JDBC driver httpclient_impl connection property can be used as an RCE vector (CVE-2022-36364)
Details
The Apache Calcite Avatica JDBC driver creates HTTP client instances based on a class name supplied via the httpclient_impl connection property. Before version 1.22.0 the driver did not verify that the named class implements the expected interface before instantiating it, so any class on the classpath with a matching constructor could be instantiated; where such a class executes code in its constructor, this leads to arbitrary code execution and, in rare cases, remote code execution. Exploitation requires that: 1) the attacker can control the JDBC connection parameters; and 2) a vulnerable class (one with a URL-parameter constructor that executes code) is present on the classpath. From Apache Calcite Avatica 1.22.0 onwards, the driver verifies that the class implements the expected interface before invoking its constructor.
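The pattern described above, as an added illustration that is not Avatica's own code: a factory that loads a class by name and casts it only after construction runs whatever the constructor does, while a factory that checks the interface first never reaches the constructor. The interface `HttpClient`, the factory methods, and the `SideEffectOnConstruct` stand-in for a "vulnerable class on the classpath" are all hypothetical names made up for this example; the side effect is a string written to a static field rather than anything harmful.

```java
import java.lang.reflect.Constructor;
import java.net.URL;

public class HttpClientFactoryDemo {

    /** Hypothetical stand-in for the driver's expected HTTP client interface. */
    public interface HttpClient {
        byte[] send(byte[] request);
    }

    /** A legitimate implementation with the (URL) constructor the factory expects. */
    public static final class NoopHttpClient implements HttpClient {
        private final URL url;
        public NoopHttpClient(URL url) { this.url = url; }
        @Override public byte[] send(byte[] request) { return new byte[0]; }
        @Override public String toString() { return "NoopHttpClient(" + url + ")"; }
    }

    /**
     * Constructed stand-in for a "vulnerable class": it does NOT implement HttpClient,
     * but it is public, has a public (URL) constructor, and that constructor has a
     * side effect. In a real classpath the side effect is whatever the gadget does.
     */
    public static final class SideEffectOnConstruct {
        static String lastUrlSeen = null;
        public SideEffectOnConstruct(URL url) {
            lastUrlSeen = url.toString(); // runs before the caller's cast can fail
        }
    }

    /** Vulnerable pattern: instantiate by name first, cast afterwards. */
    public static HttpClient createUnchecked(String className, URL url) throws Exception {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(URL.class);
        Object instance = ctor.newInstance(url);   // arbitrary constructor has already executed
        return (HttpClient) instance;              // ClassCastException is thrown only now
    }

    /** Hardened pattern: reject the class before any constructor is invoked. */
    public static HttpClient createChecked(String className, URL url) throws Exception {
        // initialize=false so the named class's static initializer does not run
        // before we have decided whether to accept it at all.
        Class<?> clazz = Class.forName(className, false, HttpClientFactoryDemo.class.getClassLoader());
        if (!HttpClient.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(className + " does not implement HttpClient");
        }
        Constructor<? extends HttpClient> ctor =
            clazz.asSubclass(HttpClient.class).getConstructor(URL.class);
        return ctor.newInstance(url);
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("http://localhost:8765"); // constructed sample value
        String gadget = SideEffectOnConstruct.class.getName();

        // Vulnerable factory: the constructor runs, then the cast fails.
        try {
            createUnchecked(gadget, url);
        } catch (ClassCastException e) {
            System.out.println("unchecked: constructor ran (saw " + SideEffectOnConstruct.lastUrlSeen
                + "), then " + e.getClass().getSimpleName());
        }

        // Hardened factory: rejected before the constructor is touched.
        SideEffectOnConstruct.lastUrlSeen = null;
        try {
            createChecked(gadget, url);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: " + e.getMessage() + "; constructor ran? "
                + (SideEffectOnConstruct.lastUrlSeen != null));
        }

        // A legitimate implementation still passes through the hardened path.
        System.out.println("checked: " + createChecked(NoopHttpClient.class.getName(), url));
    }
}
```

Two practical points follow from the example. First, the cast in `createUnchecked` is not a defence: by the time it fails, the attacker-chosen constructor has already executed, which is exactly why the advisory's precondition is only "a class with a URL constructor that executes code", not "a class implementing the interface". Second, `Class.forName(name)` with the default `initialize=true` runs the named class's static initializer before any interface check, so a hardened factory should load with `initialize=false` (as above) in addition to checking `isAssignableFrom`. Whether a deployment is exposed comes down to the first precondition: if JDBC URLs or connection properties are accepted from untrusted input (for example a user-supplied data source URL in an ingestion pipeline), upgrading to Avatica 1.22.0 or later is the fix.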
Reason for inclusion in AVID: CVE-2022-36364 describes a remote code execution vulnerability in the Apache Calcite Avatica JDBC driver via the httpclient_impl connection property. This is a software vulnerability in a dependency that can be present in AI data pipelines and general-purpose AI system stacks (e.g., data ingestion and connection layers), so it qualifies as a software supply chain risk for general-purpose AI systems delivered through widely used runtime and dependency components. The report gives clear vulnerability behavior and how exploitation can occur, satisfying sufficient_evidence. It is AI-related insofar as it can impact AI pipelines that rely on this driver, and it is a supply-chain issue since it concerns a component that may be used to build or run AI systems. It is a security vulnerability (RCE).
References
- NVD entry
- https://lists.apache.org/thread/5csdj8bv4h3hfgw27okm84jh1j2fyw0c
- http://www.openwall.com/lists/oss-security/2022/07/28/1
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Calcite Avatica |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-665 | Improper Initialization |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2022-07-28
- Version: 0.3.3
- AVID Entry