Text4Shell CVE (CVE-2022-42889) detected in OpenSearch

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Hi,
I am using OpenSearch version 2.2.1 in a Docker container on a Linux RHEL host.

Describe the issue:

Recently our security team identified ‘Apache Commons Arbitrary Code Execution (ACE) Vulnerability (Text4Shell) (CVE-2022-42889)’ vulnerability on our servers.
We have deployed OpenSearch docker container on our servers.

The paths identified are:
/data/docker/overlay2/5977c4e1e082e64d0eca31a31e08a613fb5f4b0894963bd6c8b216f1c8833446/diff/usr/share/opensearch/plugins/opensearch-ml/commons-text-1.9.jar
/data/docker/overlay2/8e9f14e657694085ea6a1c3376f3478d8b5fc5bbd730308a4a30aa43e177bb7e/diff/usr/share/opensearch/plugins/opensearch-ml/commons-text-1.9.jar

Configuration:

Relevant Logs or Screenshots:
Is this vulnerability affecting OpenSearch? Can it be exploited?
How can we resolve this issue?

On Docker Hub ‘Docker’ it is displayed as ‘Not scanned for Log4Shell / Text4Shell’ for all the images.
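The scanner above flagged commons-text-1.9.jar by path. As an added example, not code from the post, the OpenSearch project or the thread it links to, the Python below walks a directory tree such as /data/docker, reads each commons-text jar's manifest version (falling back to the filename), reports whether it falls in the range CVE-2022-42889 covers (Commons Text 1.5 through 1.9, fixed in 1.10.0) and extracts the overlay2 layer id the jar sits in. The sample tree it builds for a dry run is constructed with stub jars; the layer id reuses the first one quoted in the post.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2022-42889 affects Commons Text 1.5 through 1.9; fixed in 1.10.0 (advisory facts, not from the post).
AFFECTED_MIN, FIXED = (1, 5, 0), (1, 10, 0)

def parse_version(text):
    """'1.9' -> (1, 9, 0), '1.10.0' -> (1, 10, 0): pad so that '1.10' does not compare below '1.10.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def jar_version(jar_path):
    """Read Implementation-Version from the jar manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*([\d.]+)", manifest, re.M)
        if m:
            return parse_version(m.group(1))
    except (OSError, zipfile.BadZipFile, KeyError):
        pass  # unreadable jar or no manifest: trust the filename instead
    m = re.search(r"commons-text-(\d+(?:\.\d+)+)\.jar$", Path(jar_path).name)
    return parse_version(m.group(1)) if m else None

def is_affected(version):
    return version is not None and AFFECTED_MIN <= version < FIXED

def overlay_layer(path):
    """Pull the 64-hex overlay2 layer id out of a Docker path shaped like the ones in the post."""
    m = re.search(r"/overlay2/([0-9a-f]{64})/diff/", str(path))
    return m.group(1) if m else None

def scan(root):
    """Walk root for commons-text jars: list of (path, version, affected, overlay layer)."""
    return [(str(j), v, is_affected(v), overlay_layer(j))
            for j in Path(root).rglob("commons-text-*.jar")
            for v in [jar_version(j)]]

def build_sample():
    """Constructed tree mirroring the post's overlay2 layout; the jars are stubs, not real artifacts."""
    root = Path(tempfile.mkdtemp())
    layer = "5977c4e1e082e64d0eca31a31e08a613fb5f4b0894963bd6c8b216f1c8833446"
    plugin = root / "overlay2" / layer / "diff/usr/share/opensearch/plugins/opensearch-ml"
    plugin.mkdir(parents=True)
    for ver in ("1.9", "1.10.0"):  # the flagged version next to the first fixed release
        with zipfile.ZipFile(plugin / f"commons-text-{ver}.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {ver}\n")
    return root
```

Run `scan("/data/docker")` on the host to list every commons-text jar under the overlay store with its version and layer id. A version in range only says the bundled library is affected; whether the plugin passes untrusted input to StringSubstitutor interpolation is a separate question the check does not answer.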

If you search in the forum for CVE-2022-42889 you’ll find this post which will answer your questions:
