Bug 13824

Summary: [CVE 21] bookkeeper 4.3.2 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker    
Priority: Highest CC: a.proklov, e.kosachev, s.matveev, v.potapov, y.tumanov
Version: AllFlags: y.tumanov: secteam_verified?
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2019-17571, CVE-2022-32531,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:24:24 MSK 
Please patch CVEs for package bookkeeper version 4.3.2
  
INFO (CVEs are): bookkeeper 4.3.2
 cves found
CVE-2019-17571
Desc: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Severity: CRITICAL
CVE-2022-32531
Desc: The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-32531
Severity: MEDIUM
Comment 1 Vladimir Potapov 2023-10-20 11:38:52 MSK 
*** Bug 13692 has been marked as a duplicate of this bug. ***
Comment 2 Vladimir Potapov 2023-10-20 11:39:12 MSK 
*** Bug 13500 has been marked as a duplicate of this bug. ***
Comment 3 Aleksandr Proklov 2023-10-22 03:59:44 MSK 
CVE-2019-17571 закрыто использованием системной log4j-1.2.17

CVE-2022-32531 патча нету, рекомендуют обновляться 4.14.6 and 4.15.1
Comment 4 Svyatoslav Matveev 2023-12-12 01:21:27 MSK 
Входит в java-стек, который пока обновляться не будет