Bug 13692

Summary: [CVE 21] bookkeeper 4.3.2 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2019-17571, CVE-2022-32531,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 19:59:42 MSK 
Please patch CVEs for package bookkeeper version 4.3.2
  
INFO (CVEs are): bookkeeper 4.3.2
 cves found
CVE-2019-17571
Desc: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Severity: CRITICAL
CVE-2022-32531
Desc: The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-32531
Severity: MEDIUM
Comment 1 Vladimir Potapov 2023-10-20 11:38:52 MSK 

*** This bug has been marked as a duplicate of bug 13824 ***