Please patch CVEs for package bookkeeper version 4.3.2 INFO (CVEs are): bookkeeper 4.3.2 cves found CVE-2019-17571 Desc: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. Link: https://nvd.nist.gov/vuln/detail/CVE-2019-17571 Severity: CRITICAL CVE-2022-32531 Desc: The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-32531 Severity: MEDIUM
*** Bug 13692 has been marked as a duplicate of this bug. ***
*** Bug 13500 has been marked as a duplicate of this bug. ***
CVE-2019-17571 закрыто использованием системной log4j-1.2.17 CVE-2022-32531 патча нету, рекомендуют обновляться 4.14.6 and 4.15.1
Входит в java-стек, который пока обновляться не будет