Could we get more info on the impact of CVE-2022-42920 in OpenSearch with a Critical 9.8 score?

In the release notes for 2.4.1 and 1.3.7, there is a reference to CVE-2022-42920, which has a CVE score of Critical 9.8, for bcel. This is very similar in score to the log4j fiasco last year.

What impact does this vulnerability have on OpenSearch? What is bcel being used for?

A bit more information than what was casually dropped into the release notes would be appreciated for a 9.8 vulnerability.


Thank you for your message about the CVE reported in OpenSearch. After a thorough review we have determined this version is not impacted by CVE-2022-42920.

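A practitioner who wants to verify a "not impacted" statement for themselves can at least confirm which Apache Commons BCEL jars a given OpenSearch install actually ships and whether any of them predate the BCEL release that fixed CVE-2022-42920. The script below is an added example, not code from either post above and not OpenSearch project code. It assumes that BCEL 6.6.0 is the first fixed release (this is taken from the CVE record, not from the thread), that BCEL jars follow the `bcel-<version>.jar` naming convention, and it builds a constructed demo directory with empty placeholder jars when no install path is given. Paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not OpenSearch project code): inventory BCEL jars under an
# OpenSearch install and flag versions before the fixed release.
# Assumption: CVE-2022-42920 is fixed in Apache Commons BCEL 6.6.0.
FIXED_BCEL="6.6.0"

# Print "path version" for every bcel-<version>.jar below directory $1.
find_bcel_jars() {
    find "$1" -type f -iname 'bcel-*.jar' 2>/dev/null | while read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^[Bb][Cc][Ee][Ll]-//')
        printf '%s %s\n' "$jar" "$ver"
    done
}

# True (exit 0) when version $1 sorts strictly before the fixed release.
bcel_version_vulnerable() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_BCEL" | sort -V | head -n 1)
    [ "$lowest" = "$1" ] && [ "$1" != "$FIXED_BCEL" ]
}

# Report every BCEL jar under $1; exit 0 only if none is a pre-fix version.
scan_install() {
    report=$(find_bcel_jars "$1" | while read -r jar ver; do
        if bcel_version_vulnerable "$ver"; then
            printf 'VULNERABLE %s (%s < %s)\n' "$jar" "$ver" "$FIXED_BCEL"
        else
            printf 'ok %s (%s)\n' "$jar" "$ver"
        fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^VULNERABLE'
}

# Constructed demo layout with empty placeholder jars (not a real install).
make_demo_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/plugins/some-plugin" "$dir/lib"
    : > "$dir/plugins/some-plugin/bcel-6.5.0.jar"   # constructed: pre-fix version
    : > "$dir/lib/bcel-6.6.1.jar"                    # constructed: fixed version
    : > "$dir/lib/log4j-core-2.17.1.jar"             # constructed: unrelated jar
    printf '%s\n' "$dir"
}

# Usage: ./bcel_check.sh /usr/share/opensearch   (no argument runs the demo)
if [ -n "${1:-}" ]; then
    scan_install "$1"
else
    demo_dir=$(make_demo_install)
    scan_install "$demo_dir" || printf 'demo: pre-fix BCEL jar found, as expected\n'
    rm -rf "$demo_dir"
fi
```

Point the script at the OpenSearch home directory (the one containing `lib/` and `plugins/`) so that both core and plugin jars are covered; a plugin that bundles its own BCEL copy would otherwise be missed.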