Hi,
Are there any updates or mitigations available for https://nvd.nist.gov/vuln/detail/CVE-2025-24970
This is a recent high severity vulnerability in Apache Netty versions 4.1.91.Final through to 4.1.117.Final. If successfully exploited this could lead to Denial of Service (DoS). I understand 4.1.118.Final is available which addresses the issue.
Looking at the current OpenSearch release 2.19.0 (in the unpacked tarball) I can see affected libs in several places (here searching for just the handler):
[root@test opensearch-2.19.0]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.115.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.117.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-security/netty-handler-4.1.117.Final.jar
Thank you.
Eugene7
February 26, 2025, 2:49pm
Hi @NeilBillett ,
Please create the issues in GitHub. I would make an issue for each plugin in the OpenSearch GitHub. I have added the list of plugin projects below:
- opensearch-project/ml-commons: ml-commons provides a set of common machine learning algorithms, e.g. k-means, or linear regression, to help developers build ML related features within OpenSearch.
- opensearch-project/security: 🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields.
Done:
(sorry forum won’t let me post more than 2 links)
Thank you.
Thanks for keeping your eyes open for us, @NeilBillett !
No problem - thank you.
For anyone following this thread I’m being told that the imminent release of OpenSearch 2.19.1 addresses this issue by upgrading to Netty 4.1.118.Final.
…and can subsequently confirm that 2.19.1 is out and does the trick:
[root@test tmp]# wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.19.1/opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# tar -xvzf opensearch-2.19.1-linux-x64.tar.gz
…blah…
[root@test tmp]# cd opensearch-2.19.1
[root@test opensearch-2.19.1]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.118.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.118.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.118.Final.jar
./plugins/opensearch-security/netty-handler-4.1.118.Final.jar
Thanks for the very quick turnaround!
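For anyone who wants to turn the `find` check above into something repeatable across a fleet, here is an added example script (written for this thread, not part of the OpenSearch project or any of its plugins). It walks an unpacked distribution, pulls the 4.1.N patch level out of every `netty-*.jar` name, and flags the ones inside the affected range stated in the thread (4.1.91.Final through 4.1.117.Final, fixed in 4.1.118.Final). The sample directory tree it builds when run without arguments is constructed for the demonstration and mirrors the 2.19.0 and 2.19.1 listings above; pass the path of a real unpacked tarball as the first argument to scan it instead.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenSearch project.
# Reports io.netty 4.1.x jars whose patch level falls in the range the thread
# gives for CVE-2025-24970: 4.1.91.Final up to but not including 4.1.118.Final.

FIRST_AFFECTED_PATCH=91
FIXED_PATCH=118

# netty_patch_level FILENAME
# Prints the N from a "netty-<artifact>-4.1.N.Final.jar" name, or nothing
# when the file is not a 4.1.x Netty jar (so non-Netty jars are skipped).
netty_patch_level() {
    printf '%s\n' "$1" | sed -n 's/^netty-.*4\.1\.\([0-9][0-9]*\)\.Final\.jar$/\1/p'
}

# check_netty_tree DIR
# Prints one line per Netty jar found under DIR, prefixed AFFECTED or ok.
check_netty_tree() {
    find "$1" -name 'netty-*.jar' | sort | while IFS= read -r jar; do
        patch=$(netty_patch_level "$(basename "$jar")")
        [ -n "$patch" ] || continue
        if [ "$patch" -ge "$FIRST_AFFECTED_PATCH" ] && [ "$patch" -lt "$FIXED_PATCH" ]; then
            printf 'AFFECTED %s\n' "$jar"
        else
            printf 'ok       %s\n' "$jar"
        fi
    done
}

# count_affected DIR
# Prints the number of affected jars (0 when the tree is clean).
count_affected() {
    check_netty_tree "$1" | grep -c '^AFFECTED' || true
}

# make_sample_tree
# Builds a constructed directory layout with empty jar files that mimics the
# plugin/module paths shown in the thread, and prints its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/modules/transport-netty4" "$root/plugins/opensearch-ml" \
             "$root/plugins/opensearch-security"
    : > "$root/modules/transport-netty4/netty-handler-4.1.117.Final.jar"
    : > "$root/plugins/opensearch-ml/netty-handler-4.1.115.Final.jar"
    : > "$root/plugins/opensearch-security/netty-handler-4.1.118.Final.jar"
    : > "$root/plugins/opensearch-security/netty-handler-proxy-4.1.118.Final.jar"
    : > "$root/plugins/opensearch-security/lucene-core-9.12.0.jar"
    printf '%s\n' "$root"
}

# Stand-alone run: scan the directory given as $1, otherwise the sample tree.
if [ -n "$1" ]; then
    check_netty_tree "$1"
else
    check_netty_tree "$(make_sample_tree)"
fi
```

The range check deliberately uses `-lt FIXED_PATCH` rather than an explicit upper bound of 117, so a jar at 4.1.118.Final or later is reported as ok; a 4.1.x jar below 4.1.91 is also reported ok because the thread's affected range starts there.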
kris
February 28, 2025, 4:55pm
thank you for confirming @NeilBillett !