(This issue was previously logged with the subject 'Improve XmlFunctions by using an XML DocumentBuilder'.)
CVE-2022-39135 is an XML External Entity (XXE) vulnerability that allows a SQL query to read the contents of local files via the SQL functions EXISTS_NODE, EXTRACT_XML, XML_TRANSFORM or EXTRACT_VALUE, because the XML supplied to those functions is parsed with entity resolution enabled.
Here is the initial report from exceptionfactory:
Based on an initial review, several XML functions appear to be vulnerable to XML External Entity attacks. Most of the functions require the Oracle dialect, except for extractValue, which requires the MySQL dialect.

Implementing secure processing requires a different approach based on the particular JAXP component. In the case of Calcite XmlFunctions, it looks like changes would be necessary for TransformerFactory, as well as StAX and

I would be glad to contribute a solution if this is deemed to be a

I have included a simple proof of concept which embeds an external entity reference to the standard password file on Linux systems.
The fix is to harden class XmlFunctions by building its parsers from a securely configured XML DocumentBuilder (one that rejects DOCTYPE declarations and does not resolve external entities), and to apply the equivalent secure-processing settings to the TransformerFactory and StAX components the class uses, so that none of the four functions can be made to read files.