Hi,
Are there any updates or mitigations available for https://nvd.nist.gov/vuln/detail/CVE-2025-24970
This is a recent high severity vulnerability in Apache Netty versions 4.1.91.Final through to 4.1.117.Final. If successfully exploited this could lead to Denial of Service (DoS). I understand 4.1.118.Final is available which addresses the issue.
Looking at the current OpenSearch release 2.19.0 (in the unpacked tarball) I can see affected libs in several places (here searching just for the handler):
[root@test opensearch-2.19.0]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.115.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.117.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-security/netty-handler-4.1.117.Final.jar
Thank you.
1 Like
Eugene7
February 26, 2025, 2:49pm
2
Hi @NeilBillett ,
Please create the issues in the GitHub. I would make an issue for each plugin in the OpenSearch GitHub. I have added the list of plugin projects below:
ml-commons provides a set of common machine learning algorithms, e.g. k-means, or linear regression, to help developers build ML related features within OpenSearch. - opensearch-project/ml-commons
🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields - opensearch-project/security
1 Like
Done:
(sorry forum won’t let me post more than 2 links)
Thank you.
3 Likes
Thanks for keeping your eyes open for us, @NeilBillett !
No problem - thank you.
For anyone following this thread I’m being told that the imminent release of OpenSearch 2.19.1 addresses this issue by upgrading to Netty 4.1.118.Final.
1 Like
…and can subsequently confirm that 2.19.1 is out and does the trick:
[root@test tmp]# wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.19.1/opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# tar -xvzf opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# cd opensearch-2.19.1
[root@test opensearch-2.19.1]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-security/netty-handler-4.1.118.Final.jar
Thanks for the very quick turnaround!
2 Likes
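As an added example (not part of this thread or of the OpenSearch project), the following POSIX shell script automates the check done by hand in the two `find` listings above: it walks an unpacked distribution, extracts the version from every netty-*.jar filename and flags any jar whose version falls in the range the CVE entry gives as affected (4.1.91.Final through 4.1.117.Final), treating 4.1.118.Final and later as fixed. The directory tree and empty jar files it creates for the demonstration are constructed to mirror the 2.19.0 listing; the function names are my own.

```shell
#!/bin/sh
# Added example: flag Netty jars in an unpacked OpenSearch tree whose version
# lies in the range affected by CVE-2025-24970 (4.1.91 .. 4.1.117 per the CVE
# entry linked in the thread; 4.1.118 is the fixed release).

AFFECTED_MIN="4.1.91"
AFFECTED_MAX="4.1.117"

# netty_version PATH: print the dotted version embedded in a netty-*.jar
# filename (e.g. 4.1.117 for netty-handler-proxy-4.1.117.Final.jar), or
# nothing if the name does not follow that pattern. An optional platform
# classifier after ".Final" (native transports) is tolerated.
netty_version() {
    basename "$1" | sed -n 's/^netty-.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\.Final\(-[a-z0-9_-]*\)\{0,1\}\.jar$/\1/p'
}

# vercmp A B: print -1, 0 or 1 as dotted version A is <, = or > B,
# comparing component by component numerically (so 4.1.117 < 4.1.118
# and 4.1.9 < 4.1.91, unlike a plain string comparison).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0;
            if (ai < bi) { print -1; exit }
            if (ai > bi) { print 1; exit }
        }
        print 0 }'
}

# is_affected VERSION: succeed when AFFECTED_MIN <= VERSION <= AFFECTED_MAX.
is_affected() {
    [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] && [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# scan_netty DIR: one line per Netty jar found under DIR: "STATUS VERSION PATH".
scan_netty() {
    find "$1" -name 'netty-*.jar' -print | sort | while IFS= read -r jar; do
        v=$(netty_version "$jar")
        [ -n "$v" ] || continue
        if is_affected "$v"; then status=AFFECTED; else status=OK; fi
        printf '%s %s %s\n' "$status" "$v" "$jar"
    done
}

# affected_count DIR: number of affected jars under DIR (0 when clean).
affected_count() {
    scan_netty "$1" | grep -c '^AFFECTED ' || true
}

# make_sample_tree DIR VERSION: constructed stand-in for an unpacked bundle,
# laid out like the thread's listing, with empty jar files of one version.
make_sample_tree() {
    for rel in modules/transport-netty4 performance-analyzer-rca/lib plugins/opensearch-ml \
               plugins/opensearch-performance-analyzer plugins/opensearch-security; do
        mkdir -p "$1/$rel"
        : > "$1/$rel/netty-handler-$2.Final.jar"
    done
    : > "$1/performance-analyzer-rca/lib/netty-handler-proxy-$2.Final.jar"
}

# Demonstration on a constructed tree resembling the 2.19.0 listing
# (the ml plugin shipped an older 4.1.115 jar there).
demo=$(mktemp -d)
make_sample_tree "$demo/opensearch-2.19.0" 4.1.117
rm -f "$demo/opensearch-2.19.0/plugins/opensearch-ml/netty-handler-4.1.117.Final.jar"
: > "$demo/opensearch-2.19.0/plugins/opensearch-ml/netty-handler-4.1.115.Final.jar"
scan_netty "$demo/opensearch-2.19.0"
echo "affected jars: $(affected_count "$demo/opensearch-2.19.0")"
rm -rf "$demo"
```

To use it against a real extraction, call `scan_netty /path/to/opensearch-2.19.1` (or `affected_count` in a script and fail the build when it is non-zero). The numeric component comparison matters because a lexical sort would place 4.1.9 after 4.1.118; the script also only reads filenames, so a relocated or repackaged jar would need a manifest check instead.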
kris
February 28, 2025, 4:55pm
7
thank you for confirming @NeilBillett !