Potential security issues with the bundled node.js

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.0

Describe the issue:
I got a report that the bundled node in OpenSearch Dashboards (which seems to be 18.6.0 up to OSD v2.11.1) is vulnerable to the following CVEs (at least):

  • CVE-2023-45143 (critical)
  • CVE-2023-32002 (critical)
    (and a few more); the recommendation is to upgrade node to at least 18.18.2 to fix all those issues.

Considering that even the latest version of OSD 2.11.1 still includes node.js 18.6.0, is the node binary actually needed? What is that used for?

Also, I checked the environment, node isn’t even executable there since the OS is too old:

/usr/share/opensearch-dashboards/node/bin/node --version
/usr/share/opensearch-dashboards/node/bin/node: /lib64/libm.so.6: version `GLIBC_2.27' not found (required by /usr/share/opensearch-dashboards/node/bin/node)
/usr/share/opensearch-dashboards/node/bin/node: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by /usr/share/opensearch-dashboards/node/bin/node)
/usr/share/opensearch-dashboards/node/bin/node: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /usr/share/opensearch-dashboards/node/bin/node)
/usr/share/opensearch-dashboards/node/bin/node: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by /usr/share/opensearch-dashboards/node/bin/node)
/usr/share/opensearch-dashboards/node/bin/node: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.20' not found (required by /usr/share/opensearch-dashboards/node/bin/node)
/usr/share/opensearch-dashboards/node/bin/node: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by /usr/share/opensearch-dashboards/node/bin/node)

Any ideas please?
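An added example (not from the original post or the OpenSearch project) that turns the check above into something an operator can run on each host: it reports whether the bundled node is below the recommended 18.18.2 or, as in the output above, cannot execute at all, in which case it lists the GLIBC symbol versions the binary requires without running it. The install path and the minimum version are taken from the post; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not OpenSearch code. Path and minimum version come from the
# thread; both are overridable and are assumptions for other installs.
NODE_BIN="${NODE_BIN:-/usr/share/opensearch-dashboards/node/bin/node}"
MIN_NODE="${MIN_NODE:-18.18.2}"

# version_ge A B: true when dotted version A >= B, compared numerically per
# component (so 18.18.2 > 18.6.0, which a plain string comparison gets wrong).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# parse_node_version: turn "v18.6.0" (the `node --version` format) into "18.6.0".
parse_node_version() {
    printf '%s' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9.]*\).*/\1/p'
}

# required_glibc BIN: GLIBC_* symbol versions the binary asks the loader for,
# read from the ELF file itself, so it works even when the binary cannot run.
required_glibc() {
    strings -a "$1" 2>/dev/null | grep -o 'GLIBC_[0-9.]*' | sort -u
}

# check_bundled_node [BIN] [MIN]: returns 0 = ok, 1 = below MIN, 2 = not runnable.
check_bundled_node() {
    bin="${1:-$NODE_BIN}"; min="${2:-$MIN_NODE}"
    out=$("$bin" --version 2>&1) && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "not runnable (exit $rc): $(printf '%s\n' "$out" | head -n 1)"
        echo "loader needs: $(required_glibc "$bin" | tr '\n' ' ')"
        return 2
    fi
    v=$(parse_node_version "$out")
    if version_ge "$v" "$min"; then
        echo "node $v >= $min: ok"; return 0
    fi
    echo "node $v < $min: upgrade the bundled node"; return 1
}
# Run the check only when invoked with RUN_CHECK=1 (keeps the file sourceable).
if [ "${RUN_CHECK:-0}" = 1 ]; then check_bundled_node; exit $?; fi
```

Run it with `RUN_CHECK=1 sh check_node.sh` and branch on the exit code in your inventory or compliance tooling.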


Any reply?