Apache BookKeeper is vulnerable to a man-in-the-middle attack because the connection to the BookKeeper server is not closed when TLS hostname verification fails. An attacker could exploit this vulnerability to gain access to the communication channel between endpoints and obtain sensitive information or further compromise the system.
Apache BookKeeper 4.14.5
Apache BookKeeper 4.15.0
Upgrade to the latest version of Apache BookKeeper, available from the Apache Website.
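The failure mode described above, modelled as an added Python example (not BookKeeper code, which is Java): a hostname check that leaves the channel open on mismatch, next to one that fails closed. `Channel`, both `verify_*` functions, the simplified SAN matcher and all host names are constructed for illustration.

```python
# Added illustration; Channel and all host names are constructed, not BookKeeper code.

def hostname_matches(cert_sans, expected_host):
    """True if expected_host matches a DNS SAN (exact, or one left-most '*' label)."""
    host = expected_host.lower().rstrip(".")
    for san in cert_sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            # "*.example.test" covers a.example.test, not a.b.example.test.
            head, _, tail = host.partition(".")
            if head and tail == san[2:]:
                return True
    return False

class Channel:
    """Constructed stand-in for a TLS channel whose handshake has completed."""
    def __init__(self, peer_sans):
        self.peer_sans, self.open, self.sent = peer_sans, True, []

    def send(self, data):
        if not self.open:
            raise ConnectionError("channel closed")
        self.sent.append(data)

    def close(self):
        self.open = False

def verify_flawed(ch, expected_host):
    """Failure mode in the advisory: mismatch detected, channel left open."""
    ch.verified = hostname_matches(ch.peer_sans, expected_host)
    return ch

def verify_fail_closed(ch, expected_host):
    """Mismatch closes the channel and raises, so no later send can succeed."""
    if not hostname_matches(ch.peer_sans, expected_host):
        ch.close()
        raise ConnectionError(f"hostname verification failed: {expected_host}")
    return ch

def bytes_sent_to_peer(verify, peer_sans, expected_host, payload=b"ledger-entry"):
    """What reaches the peer under the given verify step (constructed scenario)."""
    ch = Channel(peer_sans)
    try:
        verify(ch, expected_host).send(payload)
    except ConnectionError:
        pass
    return ch.sent
```

With a certificate whose names do not cover the expected host, `verify_flawed` still lets the payload reach the peer, while `verify_fail_closed` sends nothing.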