
Conversation

@brianf-aws (Contributor) commented Oct 10, 2025

Description

Fix CVE-2025-55163 and CVE-2025-48924

Addresses #4143

./gradlew test 

BUILD SUCCESSFUL in 2m 51s
47 actionable tasks: 47 executed

 find plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT -name "*netty-codec-http*" -type f

plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT/netty-codec-http2-4.2.4.Final.jar
plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT/netty-codec-http-4.2.4.Final.jar

 find plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT -name "*commons-lang3*" -type f

plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT/commons-lang3-3.18.0.jar

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Brian Flores <[email protected]>
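The two `find` commands in the description check the built distribution by hand and only eyeball the version in the jar name. The script below is an added example (editor's code, not part of this PR or of the ml-commons project) that turns that spot check into a pass/fail gate: it scans a distribution directory for the artifacts named in the description and fails if any shipped jar is below a minimum version. The function names `check_dist` and `version_ge`, the `MIN_VERSIONS` list, and the thresholds themselves (netty-codec-http and netty-codec-http2 at 4.2.4.Final, commons-lang3 at 3.18.0) are assumptions taken from the description's output, not authoritative fix versions; adjust them per advisory. It needs GNU `sort -V` for version ordering.

```shell
#!/bin/sh
# Added example (editor's, not the PR's or ml-commons'): fail when a shipped jar
# is older than the version the PR intends to ship. Needs GNU sort -V.

# Minimum acceptable versions, assumed from the PR description's find output.
# Format: <artifactId>=<version>, space separated.
MIN_VERSIONS="netty-codec-http=4.2.4.Final netty-codec-http2=4.2.4.Final commons-lang3=3.18.0"

# version_ge VER MIN: true when VER sorts at or after MIN under sort -V,
# so 4.2.10.Final >= 4.2.4.Final holds (plain string compare would get it wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# check_dist DIR: prints one line per artifact and returns
#   0  every listed artifact is present and at or above its minimum
#   1  at least one jar is below its minimum
#   2  nothing is below minimum, but a listed artifact is missing from DIR
check_dist() {
    dir=$1
    rc=0
    for spec in $MIN_VERSIONS; do
        artifact=${spec%%=*}
        min=${spec#*=}
        found=0
        # "<artifact>-<digit>" keeps netty-codec-http from matching netty-codec-http2,
        # which the description's "*netty-codec-http*" pattern does not distinguish.
        for jar in "$dir"/"$artifact"-[0-9]*.jar; do
            [ -e "$jar" ] || continue
            found=1
            ver=$(basename "$jar" .jar)
            ver=${ver#"$artifact"-}
            if version_ge "$ver" "$min"; then
                echo "OK      $artifact $ver (>= $min)"
            else
                echo "FAIL    $artifact $ver (< $min)"
                rc=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING $artifact (expected >= $min)"
            if [ "$rc" -eq 0 ]; then rc=2; fi
        fi
    done
    return "$rc"
}

# Usage: sh check_dist.sh plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT
if [ "$#" -gt 0 ]; then
    check_dist "$1"
fi
```

Run it against the distribution directory after the build. Exit status 1 means a jar below the threshold shipped; exit status 2 means a listed artifact is absent, which deserves a look in its own right, because a `resolutionStrategy.force` or an explicit pin only protects the build if the artifact it targets is actually the one in the distribution.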
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:00 — with GitHub Actions Error
@dbwiddis (Member):

These shouldn't be necessary if you use the version catalog.

I just went through and updated all the OpenSearch CVE versions, between opensearch-project/OpenSearch#19155 and https://github.com/opensearch-project/OpenSearch/pulls?q=is%3Aopen+is%3Apr+author%3Adbwiddis+label%3ACVE most should be handled.

check.dependsOn jacocoTestCoverageVerification

configurations.all {
resolutionStrategy.force 'org.apache.commons:commons-lang3:3.18.0'
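Review bot: the `resolutionStrategy.force 'org.apache.commons:commons-lang3:3.18.0'` inside `configurations.all {` overrides the commons-lang3 version in every configuration, including whatever core's version catalog supplies once that bump is consumed here, so the force will silently win over the catalog and has to be remembered and removed later. Prefer declaring the one version through the catalog entry and dropping the force; if a force really is needed because a transitive dependency drags in an older commons-lang3, say which one in a comment next to it so the next reader knows when it can go.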
@dbwiddis (Member):

This was updated in core/version catalog in opensearch-project/OpenSearch#19155

@brianf-aws (Contributor, Author):

I don't see a version catalog in the PR you mentioned

@dbwiddis (Member):
Comment on lines +94 to +102
implementation 'io.netty:netty-codec-http2:4.2.5.Final'
implementation 'io.netty:netty-codec-http:4.2.5.Final'
implementation 'io.netty:netty-common:4.2.5.Final'
implementation 'io.netty:netty-buffer:4.2.5.Final'
implementation 'io.netty:netty-transport:4.2.5.Final'
implementation 'io.netty:netty-handler:4.2.5.Final'
implementation 'io.netty:netty-resolver:4.2.5.Final'
implementation 'io.netty:netty-codec:4.2.5.Final'
implementation 'io.netty:netty-transport-classes-epoll:4.2.5.Final'
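Review bot: lines +94 to +102 pin nine io.netty artifacts to 4.2.5.Final, but the description's `find` output shows netty-codec-http-4.2.4.Final.jar and netty-codec-http2-4.2.4.Final.jar in the built distribution, so either the description was captured before this bump or something else still resolves the lower version; rerun the distribution check and paste output that matches these pins. Repeating the literal `4.2.5.Final` nine times also invites drift the next time one module is bumped and the others are not; use a single netty version (the catalog entry the reviewer points to, or at least one variable) so every module moves together.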
@dbwiddis (Member):

These will be fixed in core in opensearch-project/OpenSearch#19603

@brianf-aws (Contributor, Author):

Okay, I think I understand. For opensearch-project/OpenSearch#19603 I can use the version catalog:

reactor_netty     = "1.2.9"
reactor           = "3.7.5"

Subscribed to the PR to get notified when I can change this on my end
