Spring4Shell vulnerability

Jonathan.Ferland · April 1, 2022, 7:37pm

A new vulnerability, called Spring4Shell his now publicly known, and while looking for it existance in OpenSearch, we founded that the SQL plugin seems to be using it. e.g. various spring files exist (such as /usr/share/opensearch/plugins/opensearch-sql/spring-core-5.2.19.RELEASE.jar)

Can you confirm if Open Search is affected by the Spring4Shell vulnerability and if yes, how should we mitigate?

Thanks,

dblock · April 1, 2022, 9:09pm

Please see [BUG] Spring RCEs (CVE-2022-22965) · Issue #2699 · opensearch-project/OpenSearch · GitHub! Let’s keep the discussion there so we don’t have too many places to track this.

kris · April 1, 2022, 9:10pm

@Jonathan.Ferland - welcome to the community and thank you for posting this!
@dblock - thanks for the quick answer and link out to the relevant GitHub issue on this!

kris · April 5, 2022, 4:57pm

moving to the Security category

Topic		Replies	Views
What happens with CVE-2022-22965? Security discuss , cve , security-issue	1	623	April 5, 2022
Log4j2 vulnerability in OpenSearch Security discuss , cve , security-issue	72	9387	January 30, 2022
OpenSearch 1.2.2 version still showing log4j Vulnerability findings Security cve , security-issue	13	945	January 10, 2022
I Geeting some vulnerability issue in opensearchproject/opensearch:2.8.0 docker Image OpenSearch releases , cve , security-issue	3	359	June 29, 2023
Does CVE-2021-44228 impact OpenSearch General Feedback cve	9	1509	December 20, 2021

Spring4Shell vulnerability

Related Topics