oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2022-32531: Apache BookKeeper: Java Client Uses Connection to Host that Failed Hostname Verification

From: Enrico Olivelli <eolivelli () apache org>
Date: Thu, 15 Dec 2022 10:14:15 +0100
Severity: Moderate

Description:

The Apache Bookkeeper Java Client (up to 4.14.5 and also 4.15.0) does
not close the connection to the
bookkeeper server when TLS hostname verification fails. This leaves
the bookkeeper client vulnerable to a man in the middle attack.

The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

Solution:

Upgrade to 4.14.6 or to 4.15.1

References:

https://bookkeeper.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-32531
Previous By Date Next
Previous By Thread Next

Current thread: