CVE-2022-42889 by opensearch

Hi folks,

As far as I can see, the latest versions of OpenSearch 1 and OpenSearch 2 contain the org.apache.commons.commons-text Java library in a version < 1.10.0, which is vulnerable against NVD CVE-2022-42889. Is there any hotfix?

Best regards
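One practical way to answer the first half of the question for your own install is to inventory the bundled commons-text jar and compare its version against the 1.10.0 boundary the post mentions. The script below is an added example written for this thread, not OpenSearch project code; the lib directory path is an assumption (adjust it to your installation), and the demo at the bottom creates constructed jar file names in a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a commons-text jar
# found in an install directory predates 1.10.0, the version boundary the
# question gives for CVE-2022-42889.

# Extract the Maven version from a jar file name such as commons-text-1.9.jar.
# Prints the version, or returns 1 if the file is not a commons-text jar.
commons_text_version() {
  base=$(basename "$1")
  case "$base" in
    commons-text-*.jar)
      v=${base#commons-text-}
      printf '%s\n' "${v%.jar}"
      ;;
    *) return 1 ;;
  esac
}

# Return 0 (true) when version $1 is strictly lower than 1.10.0.
# Only major and minor components matter for this boundary.
is_below_1_10_0() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  [ -z "$minor" ] && minor=0
  if [ "$major" -lt 1 ]; then return 0; fi
  if [ "$major" -eq 1 ] && [ "$minor" -lt 10 ]; then return 0; fi
  return 1
}

# Scan a lib directory and print one status line per commons-text jar.
# For OpenSearch the directory is typically the install's lib/ folder
# (assumption; check your own layout, plugins ship their own jars too).
scan_lib_dir() {
  dir=$1
  found=0
  for jar in "$dir"/commons-text-*.jar; do
    [ -e "$jar" ] || continue
    found=1
    v=$(commons_text_version "$jar") || continue
    if is_below_1_10_0 "$v"; then
      printf '%s: commons-text %s is below 1.10.0, review CVE-2022-42889 exposure\n' "$jar" "$v"
    else
      printf '%s: commons-text %s is 1.10.0 or later\n' "$jar" "$v"
    fi
  done
  [ "$found" -eq 1 ] || echo "no commons-text jar under $dir"
}

# Constructed demo: a temporary lib dir holding two sample jar names.
demo_dir=$(mktemp -d)
: > "$demo_dir/commons-text-1.9.jar"
: > "$demo_dir/commons-text-1.10.0.jar"
scan_lib_dir "$demo_dir"
rm -rf "$demo_dir"
```

A version below 1.10.0 on disk is an inventory finding, not proof of exploitability: as the reply further down in the thread states, OpenSearch's own review concluded its versions are not impacted, because the library version alone does not say whether the vulnerable interpolation path is ever reached with untrusted input.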

Hello @speechkey - welcome to the OpenSearch community. Good question - let me follow up with the engineering team and we’ll get a reply back out on this.

Hello @speechkey - I spoke with @davelago (SDM, OpenSearch) and he confirmed: "Thank you for your message about the CVEs reported in OpenSearch versions 1 and 2. After a thorough review we have determined these versions are not impacted by CVE-2022-42889."

Hello @kris - I was wondering whether your response indicates that none of the version 1 or 2 releases of OpenSearch are vulnerable, or whether you were just speaking about the latest version of the software.
Thank you!

Hi @kris, thank you for your feedback.

@Krystal welcome to the OpenSearch community! Correct, none of the versions are.
