First published: Thu Jul 28 2022
Apache Calcite Avatica could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the JDBC driver. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Credit: security@apache.org
Affected Software | Affected Version | How to fix
---|---|---
Apache Calcite Avatica | <1.22.0 | 
IBM® Db2® on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data | <= v3.5 through refresh 10; v4.0 through refresh 9; v4.5 through refresh 3; v4.6 through refresh 6; v4.7 through refresh 4; v4.8 through refresh 4 | 
CVE-2022-36364 is a vulnerability in Apache Calcite Avatica that could allow a remote attacker to execute arbitrary code on the system.
CVE-2022-36364 occurs because the Apache Calcite Avatica JDBC driver does not verify if a class implements the expected interface before instantiating it, which can lead to code execution.
Apache Calcite Avatica versions up to 1.22.0, IBM Cognos Analytics 11.2.x, and IBM Cognos Analytics 11.1.x are affected by CVE-2022-36364.
CVE-2022-36364 has a severity rating of critical with a score of 9.8.
To fix CVE-2022-36364, apply the patches provided by Apache for Calcite Avatica and IBM for Cognos Analytics.
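The flaw class described above (a driver that instantiates a class named in a connection property without first checking that it implements the expected interface), shown as an added illustration that is not Avatica's own code. The `HttpClientFactory` interface, the `client_impl` property name and the `DefaultHttpClientFactory` class are assumptions constructed for the example; `loadUnchecked` shows the weak pattern and `loadChecked` the hardened one.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical interface the driver expects the configured class to implement (assumed name).
interface HttpClientFactory {
    Object createClient(String url);
}

// Constructed allowlisted implementation so the example runs stand-alone.
final class DefaultHttpClientFactory implements HttpClientFactory {
    public Object createClient(String url) { return "client for " + url; }
}

public final class ClientLoader {

    // Weak pattern matching the flaw class described above: whatever class name the
    // connection property carries is loaded and instantiated. Its static initializer
    // and no-arg constructor run before any check of the type could take place.
    static Object loadUnchecked(Map<String, String> props) throws ReflectiveOperationException {
        String className = props.get("client_impl"); // property name is an assumption
        Class<?> cls = Class.forName(className);
        return cls.getDeclaredConstructor().newInstance();
    }

    // Hardened pattern: only allowlisted names are accepted, the class is resolved without
    // running its static initializer, and it must be assignable to the expected interface
    // before any constructor is invoked.
    static final Set<String> ALLOWED = Set.of("DefaultHttpClientFactory"); // assumed allowlist

    static HttpClientFactory loadChecked(Map<String, String> props, ClassLoader loader)
            throws ReflectiveOperationException {
        String className = props.get("client_impl");
        if (className == null || !ALLOWED.contains(className)) {
            throw new IllegalArgumentException("client_impl not allowlisted: " + className);
        }
        Class<?> cls = Class.forName(className, false, loader); // initialize=false
        if (!HttpClientFactory.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " does not implement HttpClientFactory");
        }
        return cls.asSubclass(HttpClientFactory.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> props = Map.of("client_impl", "DefaultHttpClientFactory");
        HttpClientFactory f = loadChecked(props, ClientLoader.class.getClassLoader());
        System.out.println(f.createClient("https://example.invalid"));
        // A name such as "java.util.HashMap" is rejected by loadChecked before any code in
        // that class runs, whereas loadUnchecked would instantiate it.
    }
}
```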