CVE-2022-32531 — Apache Bookkeeper vulnerable to Improper Certificate Validation

描述

The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves the bookkeeper client vulnerable to a man in the middle attack. The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.

如何修補 CVE-2022-32531

要修補 CVE-2022-32531,請將受影響套件升級到下列已修補版本。

—升級至 4.14.6 或更新版本
—升級至 4.14.6 或更新版本

CVE-2022-32531 正在被利用嗎?

低 — EPSS 為 0.8%,目前沒有觀察到大規模利用活動。

受影響套件(2)

from 0, < 4.14.6
from 0, < 4.14.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

參考連結(4)

ADVISORYlists.apache.org/thread/xyk2lfc7lzof8mksmwyympbqxts1b5s9
ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-32531
PATCHgithub.com/apache/bookkeeper
WEBgithub.com/pypa/advisory-database/tree/main/vulns/apache-bookkeeper-client/PYSEC-2022-43060.yaml