Addressing CVEs in OpenSearch Helm images?

Does OpenSearch have a defined policy for addressing security vulnerabilities within the container images it hosts?

We deploy OpenSearch and OpenSearch Dashboards via Helm charts using the images pulled from the OpenSearch repository (e.g. opensearchproject/opensearch). Earlier this week, a co-worker ran a scan that flagged a half-dozen security issues with OpenSearch 1.3.2. It looks like all but one of them were known issues with the underlying Amazon Linux base image. That is, all had entries in the Amazon Linux Security Center (such as this one, ALAS-2022-792).

The security bulletins identify some remediation steps (generally yum update the affected package). That would be helpful if we were building our own images but, again, we’re deploying the OpenSearch hosted images. So, I’m wondering if there is an official policy/approach the project takes to dealing with this sort of issue. Based on statements made during a recent Community Call I know that multiple updates to the 1.3.x branch are expected over the next year. Is it correct to assume those will be the mechanism for delivering patches addressing these sorts of things? I did see some specific CVEs mentioned in the changelog for some recent updates but there were very few.

Just to be clear, I’m not complaining about a particular vulnerability, just trying to understand how OpenSearch is handling this sort of thing. I’d like to be able to point management (or anyone else who asks) to something that reassures them that this is being handled. Ideally, it would include target timelines (e.g. “HIGH” severity issues will be remediated within 30/60/90/?? days). Can someone shed some light on this?

Thanks!

Hello @GSmith - thank you for bringing this to our attention. We’re discussing it and will get an answer back to the community as soon as possible.

@GSmith We scan and update all the underlying packages of the Docker images, including the base OS, every time during a release (patch, minor and major release) via the yum update command. This is apart from the CVE fixes on the product itself. Having said that, the base OS must have released the fix by our release date for it to be picked up; otherwise it will be picked up in the upcoming release. The latest version in the OpenSearch 1.x series is 1.3.4.

We will update the last supported patch, minor and major version and don’t backport the fixes to previous version(s). You should be able to pull in the updated Docker image of the latest patched version for a specific major version by using the docker pull opensearchproject/opensearch:1 tag qualifier when pulling the image from Docker.

Let us know if you have any further questions.