Does OpenSearch have a defined policy for addressing security vulnerabilities within the container images it hosts?
We deploy OpenSearch and OpenSearch Dashboards via Helm charts using the images pulled from the OpenSearch repository (e.g. opensearchproject/opensearch). Earlier this week, a co-worker ran a scan that flagged a half-dozen security issues with OpenSearch 1.3.2. It looks like all but one of them were known issues with the underlying Amazon Linux base image. That is, all had entries in the Amazon Linux Security Center (such as this one: ALAS-2022-792).
The security bulletins identify some remediation steps (generally yum update the affected package). That would be helpful if we were building our own images but, again, we're deploying the OpenSearch-hosted images. So, I'm wondering if there is an official policy/approach the project takes for dealing with this sort of issue. Based on statements made during a recent Community Call, I know that multiple updates to the 1.3.x branch are expected over the next year. Is it correct to assume those will be the mechanism for delivering patches addressing these sorts of things? I did see some specific CVEs mentioned in the changelog for some recent updates, but there were very few.
Just to be clear, I’m not complaining about a particular vulnerability, just trying to understand how OpenSearch is handling this sort of thing. I’d like to be able to point management (or anyone else who asks) to something that reassures them that this is being handled. Ideally, it would include target timelines (e.g. “HIGH” severity issues will be remediated within 30/60/90/?? days). Can someone shed some light on this?
Thanks!