You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ignite.apache.org by "Sander (Jira)" <ji...@apache.org> on 2022/10/31 20:03:00 UTC

[jira] [Created] (IGNITE-18034) Address CVE-2022-39135 by upgrading calcite-core to 1.32.0

Sander created IGNITE-18034:
-------------------------------

             Summary: Address CVE-2022-39135 by upgrading calcite-core to 1.32.0
                 Key: IGNITE-18034
                 URL: https://issues.apache.org/jira/browse/IGNITE-18034
             Project: Ignite
          Issue Type: Bug
          Components: ignite-3
    Affects Versions: 2.14
            Reporter: Sander


Hello,

We have recently upgraded to ignite version 2.14.0 to take advantage of the new calcite SQL engine. However there is a critical vulnerability with the current version of calcite-core 1.30.0.

Calcite-core version 1.30.0 has a critical vulnerability
[https://nvd.nist.gov/vuln/detail/CVE-2022-39135]

This vulnerability is resolved in calcite-core version 1.32.0. However if we force this package in our build. There are issues running sql queries against ignite with the error:

```
java.lang.AbstractMethodError: org.apache.calcite.sql.parser.SqlAbstractParserImpl.setTimeUnitCodes(Ljava/util/Map;)V
    at org.apache.calcite.sql.parser.SqlParser.<init>(SqlParser.java:73) ~[calcite-core-1.32.0.jar:1.32.0]
    at org.apache.calcite.sql.parser.SqlParser.create(SqlParser.java:126) ~[calcite-core-1.32.0.jar:1.32.0]
    at org.apache.ignite.internal.processors.query.calcite.util.Commons.parse(Commons.java:220) ~[ignite-calcite-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.calcite.util.Commons.parse(Commons.java:204) ~[ignite-calcite-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.calcite.CalciteQueryProcessor.query(CalciteQueryProcessor.java:345) ~[ignite-calcite-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.GridQueryProcessor$2.applyx(GridQueryProcessor.java:3092) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.GridQueryProcessor$2.applyx(GridQueryProcessor.java:3074) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.util.lang.IgniteOutClosureX.apply(IgniteOutClosureX.java:36) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.GridQueryProcessor.executeQuery(GridQueryProcessor.java:3751) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.GridQueryProcessor.lambda$querySqlFields$3(GridQueryProcessor.java:3118) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.GridQueryProcessor.executeQuerySafe(GridQueryProcessor.java:3190) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.GridQueryProcessor.querySqlFields(GridQueryProcessor.java:3070) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.query.GridQueryProcessor.querySqlFields(GridQueryProcessor.java:3024) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.odbc.jdbc.JdbcRequestHandler.querySqlFields(JdbcRequestHandler.java:773) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.odbc.jdbc.JdbcRequestHandler.executeQuery(JdbcRequestHandler.java:641) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.odbc.jdbc.JdbcRequestHandler.doHandle(JdbcRequestHandler.java:311) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.odbc.jdbc.JdbcRequestHandler.handle(JdbcRequestHandler.java:251) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.onMessage(ClientListenerNioListener.java:204) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.processors.odbc.ClientListenerNioListener.onMessage(ClientListenerNioListener.java:55) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.util.nio.GridNioFilterChain$TailFilter.onMessageReceived(GridNioFilterChain.java:279) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.util.nio.GridNioFilterAdapter.proceedMessageReceived(GridNioFilterAdapter.java:109) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.util.nio.GridNioAsyncNotifyFilter$3.body(GridNioAsyncNotifyFilter.java:97) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.util.worker.GridWorker.run(GridWorker.java:125) ~[ignite-core-2.14.0.jar:2.14.0]
    at org.apache.ignite.internal.util.worker.GridWorkerPool$1.run(GridWorkerPool.java:70) [ignite-core-2.14.0.jar:2.14.0]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_301]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_301]
    at java.lang.Thread.run(Unknown Source) [na:1.8.0_301]```



--
This message was sent by Atlassian Jira
(v8.20.10#820010)