OpenSearch and Updated nss fix CVE-2021-43527

guhan · December 8, 2021, 11:50am

Hello there,
As i see now, Opensearch v1.2 was released on 23.nov.2021. However Amazon issued a security fix CVE-2021-43527 on

[1.Dec.2021]. Amazon Linux 2 release notes - Amazon Linux 2

Since opensearch uses this image as base, just wondering if opensearch v1.2 has that fix available or it will be included later?

will there be a patch or v1.3 for opensearch in the near future?

searchymcsearchface · December 8, 2021, 6:37pm

hey @guhan!

Thanks for bringing that up. I pushed this to the launch team and they’re working on how to get the fix to the community.

ralph · December 9, 2021, 11:43am

this brings up a general question: is there a policy in place on how to handle security updates? both for libraries used by the software (i.e. also affecting binary downloads or even maven artifacts) as well as components of the docker images?

i can see two options:

you have an update-test-and-release-ASAP strategy (i.e. CVE pops up, dependabot (which i believe wasn’t properly enabled with OpenSearch#664 because i’ve never seen any PR from dependabot on any of your repos - probably something to look into again?)) creates a PR, you merge it, you create a fix release of the affected things) on all supported releases (whichever those are?)
you analyse the CVE and publish a documentation confirming that the CVE has no impact on opensearch / users of opensearch and that an update is thus not needed as a hotfix (can e.g. be done if an update is more complicated than the analysis)

searchymcsearchface · December 9, 2021, 5:38pm

@ralph There is actually some working going on with this. The project uses whitesource but there is some thoughts on using dependabot. You can find a relevant discussion in this issue

guhan · December 13, 2021, 7:04am

@searchymcsearchface ,

thanks for the update, looks like 1.2.1 released but it only fixed log4j issue. (Not NSS issue)
What is the best way to create our own custom openearch image with 1.2.1 as base and update with appropriate NSS package 3.67.xxx

searchymcsearchface · December 13, 2021, 3:02pm

Humm. I was told that the NSS issue was solved with 1.2.1. Can you expand a bit why you think the NSS issues is not solved?

JulesGraybill · December 13, 2021, 3:17pm

Hi @guhan, OpenSearch 1.2.1 does indeed include a fix for CVE-2021-4352 (see the release notes).

@ralph Yes, we update dependencies to pick up security fixes, as well as fix any known issues in the project code, with every new release. If an issue like the Log4j2 one shows up that warrants immediate attention, we don’t wait for the next scheduled release, and instead issue a patch release right away.

guhan · December 15, 2021, 6:24am

Great, thanks @searchymcsearchface for the update

guhan · December 15, 2021, 8:34am

@searchymcsearchface , out of curiosity, is opensearch-dashboard version also updated to 1.2.1 with fixes available

searchymcsearchface · December 15, 2021, 2:04pm

@guhan let me check on that. I know the team is a bit turned around with the Log4j fun, but it’s a good point.

ZelinH · December 16, 2021, 12:32am

OpenSearch-Dashboards docker image has been redeployed to fix [CVE-2021-43527].

Topic		Replies	Views
Addressing CVEs in OpenSearch Helm images? Security cve , security-issue	2	452	July 29, 2022
Log4j Patch for CVE-2021-44228 Announcements cve	6	13415	February 15, 2023
OpenSearch 1.2.2 version still showing log4j Vulnerability findings Security cve , security-issue	13	1083	January 10, 2022
OpenSearch CVE Questions General Feedback cve , security-issue	6	1197	August 30, 2021
Does CVE-2021-44228 impact OpenSearch General Feedback cve	9	1665	December 20, 2021

OpenSearch and Updated nss fix CVE-2021-43527

Related topics