Handling CVEs of libraries used in OpenSearch and plugins

Hi,

Our NeuVector solution found 62 High and 11 Medium CVEs in the OpenSearch image we are using.

Most of them were found in these libraries:
usr/share/opensearch/lib/spatial4j-0.7.jar
usr/share/opensearch/plugins/opensearch-security/zjsonpatch-0.4.4.jar
usr/share/opensearch/plugins/opensearch-sql/druid-1.0.15.jar

Fixes are available for all these CVEs.

What are the future plans to update such libraries? With a release cycle of approximately six weeks, an update of libraries with CVEs should be considered at least once per cycle. We have a big customer who is really worried about the high number of open CVEs.

Best Regards