Do we know if there are any known vulnerabilities in OpenSearch version 2.8.0?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.8.0

Describe the issue:
Our internal tool is detecting the below vulnerabilities in opensearch/modules/systemd/systemd-2.8.0.jar.
[CVE-2017-1000082]
[CVE-2020-13776]
[CVE-2017-18078]
[CVE-2023-26604]
The above CVEs are supposed to be for the actual systemd module from the OS.

What is the version of systemd which we use in OpenSearch 2.8.0?

If this is used just for an integration, can we consider these CVEs not applicable to the OpenSearch systemd module?

Configuration:

Relevant Logs or Screenshots:

Hello @knagarajan - welcome to the community! Thanks for the question - @davelago @scrawfor @peternied could you look at this? Thank you

Hi @knagarajan, we are not using any systemd in our Docker image, as it is tar based.

Other distributions like tar/zip are not systemd based.

In deb/rpm, it relies on the user's own node's systemd version.

Thanks.


@knagarajan are you able to share more specifics about which scanner was used and any other details about what was flagged so we can look into it further?
