ISSUE-2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image

[sijie]

Original Issue: apache#2387

---

BUG REPORT
A security scanner has reported the following CVEs in the apache/bookkeeper:4.9.2 image.

Component	Current Version	CVE	Severity	Version to be upgraded to	References
Apache log4j	1.2.17	CVE-2017-5645	CRITICAL	2.8.2	https://nvd.nist.gov/vuln/detail/CVE-2017-5645
Apache log4j	1.2.17	CVE-2019-17571	CRITICAL	2.8.2	https://nvd.nist.gov/vuln/detail/CVE-2019-17571 https://logging.apache.org/log4j/1.2/index.html
Java Platform Standard Edition (JRE) (J2RE)	8u102	CVE-2016-5556	CRITICAL	8u241
Java Platform Standard Edition (JRE) (J2RE)	8u102	CVE-2016-5568	CRITICAL	8u241
Java Platform Standard Edition (JRE) (J2RE)	8u102	CVE-2016-5582	CRITICAL	8u241
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	9.4.5.v20170502	CVE-2017-7657	CRITICAL	9.4.11	https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	9.4.5.v20170502	CVE-2017-7658	CRITICAL	9.4.11	https://www.eclipse.org/jetty/security-reports.html
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server	9.4.5.v20170502	CVE-2018-12538	CRITICAL	9.4.11	https://www.eclipse.org/jetty/security-reports.html
Netty Project	3.10.1.Final	CVE-2019-20444	CRITICAL	4.1.44.Final	netty/netty#9866 https://github.com/netty/netty/milestone/218?closed=1
Netty Project	3.10.1.Final	CVE-2019-20445	CRITICAL	4.1.44.Final	netty/netty#9861 https://github.com/netty/netty/milestone/218?closed=1
OpenLDAP	2.4.44	CVE-2019-13565	HIGH	2.4.48	https://access.redhat.com/security/cve/CVE-2019-13565 https://bugzilla.redhat.com/show_bug.cgi?id=1730477 https://www.openldap.org/lists/openldap-announce/201907/msg00001.html
Python programming language	2.7.5	CVE-2018-14647	HIGH	2.7.5-86.el7.x86_64	https://access.redhat.com/security/cve/CVE-2018-14647 https://access.redhat.com/errata/RHSA-2019:2030
Python programming language	2.7.5	CVE-2019-10160	CRITICAL	2.7.5-80.el7_6.x86_64	https://access.redhat.com/security/cve/CVE-2019-10160 https://access.redhat.com/errata/RHSA-2019:1587
Python programming language	2.7.5	CVE-2019-16056	HIGH	2.7.5-88.el7.x86_64	https://access.redhat.com/security/cve/CVE-2019-16056 https://access.redhat.com/errata/RHSA-2020:1131
Python programming language	2.7.5	CVE-2019-5010	HIGH	2.7.5-86.el7.x86_64	https://access.redhat.com/security/cve/CVE-2019-5010 https://access.redhat.com/errata/RHSA-2019:2030
Python programming language	2.7.5	CVE-2019-9948	CRITICAL	2.7.5-86.el7	https://access.redhat.com/security/cve/CVE-2019-9948 https://access.redhat.com/errata/RHSA-2019:2030
avahi	0.6.31	CVE-2017-6519	CRITICAL	0.6.31-20.el7.x86_64	https://access.redhat.com/security/cve/CVE-2017-6519 https://access.redhat.com/errata/RHSA-2020:1176
elfutils	0.176	CVE-2018-16402	CRITICAL	0.176-2.el7	https://access.redhat.com/security/cve/CVE-2018-16402 https://access.redhat.com/errata/RHSA-2019:2197
jackson-databind	2.9.7	CVE-2018-19360	CRITICAL	2.9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-19360 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind	2.9.7	CVE-2018-19361	CRITICAL	2.9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-19361 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind	2.9.7	CVE-2018-19362	CRITICAL	2.9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-19362 https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
jackson-databind	2.9.7	CVE-2019-14379	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14379 FasterXML/jackson-databind#2387
jackson-databind	2.9.7	CVE-2019-14540	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14540 FasterXML/jackson-databind#2410
jackson-databind	2.9.7	CVE-2019-14892	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14892 FasterXML/jackson-databind#2462
jackson-databind	2.9.7	CVE-2019-14893	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-14893 FasterXML/jackson-databind#2469
jackson-databind	2.9.7	CVE-2019-16335	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-16942 FasterXML/jackson-databind#2478
jackson-databind	2.9.7	CVE-2019-16942	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-16942 FasterXML/jackson-databind#2478
jackson-databind	2.9.7	CVE-2019-16943	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-16943 FasterXML/jackson-databind#2478
jackson-databind	2.9.7	CVE-2019-17267	CRITICAL	2.9.10	https://nvd.nist.gov/vuln/detail/CVE-2019-17267 FasterXML/jackson-databind#2460
jackson-databind	2.9.7	CVE-2019-17531	CRITICAL	2.9.10.1	https://nvd.nist.gov/vuln/detail/CVE-2019-17531 FasterXML/jackson-databind#2498
jackson-databind	2.9.7	CVE-2019-20330	CRITICAL	2.9.10.2	https://nvd.nist.gov/vuln/detail/CVE-2019-20330 FasterXML/jackson-databind#2526
jackson-databind	2.9.7	CVE-2020-8840	CRITICAL	2.9.10.3	https://nvd.nist.gov/vuln/detail/CVE-2020-8840 FasterXML/jackson-databind#2620
systemd	219	CVE-2018-15686	CRITICAL	219-67.el7_7.4	https://access.redhat.com/security/cve/CVE-2018-15686 https://access.redhat.com/errata/RHSA-2019:2091
systemd-libs	219	CVE-2018-15686	CRITICAL	219-67.el7_7.4	https://access.redhat.com/security/cve/CVE-2018-15686 https://access.redhat.com/errata/RHSA-2019:2091

Steps to reproduce the behavior:

1. Scan the apache/bookkeeper:4.9.2 with the help of a security scanner.

Expected behavior
The scanner should not report any vulnerabilities, that are already fixed.

Screenshots
NA

Additional context
NA