Spring4Shell vulnerability

A new vulnerability, called Spring4Shell his now publicly known, and while looking for it existance in OpenSearch, we founded that the SQL plugin seems to be using it. e.g. various spring files exist (such as /usr/share/opensearch/plugins/opensearch-sql/spring-core-5.2.19.RELEASE.jar)

Can you confirm if Open Search is affected by the Spring4Shell vulnerability and if yes, how should we mitigate?


1 Like

Please see [BUG] Spring RCEs (CVE-2022-22965) · Issue #2699 · opensearch-project/OpenSearch · GitHub! Let’s keep the discussion there so we don’t have too many places to track this.


@Jonathan.Ferland - welcome to the community and thank you for posting this!
@dblock - thanks for the quick answer and link out to the relevant GitHub issue on this!

moving to the Security category