[BUG] Spring RCEs (CVE-2022-22965)

[sandervandegeijn]

Describe the bug
On the opensearch website, newest version: 1.3.1
Docker hub: 1.3.1
!! Github 1.3.0

Can't find the release notes, is this release because of the Spring RCE bugs? The ambiguous communicatie combined with the impact of the vulnerabilities makes me unsure if I should upgrade asap or if the release is about something else.

Expected behavior
Versions are consistent on website, github, docker, etc and there are changenotes and a news item on the website on the focus of the release.

[sandervandegeijn]

Trivy report, reports more vulns:

[sandervandegeijn]

Trivy on 1.3.1, it's not happy, not sure if it's false positive:

[dblock]

Looks like we've tagged all repos with 1.3.1 correctly, but didn't make a "release" on GitHub, for now I've commented in opensearch-project/opensearch-build#1805 (comment), but it is likely a new issue with our release process. Either way it shouldn't be a big problem in itself.

Editing this issue to be RCE-related only.

Release notes in https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-1.3.1.md, but no mention of spring RCE.

[sandervandegeijn]

Can we confirm that Opensearch is not affected by the vulns found by Trivy and that those are indeed false positive?

[dblock]

Can we confirm that Opensearch is not affected by the vulns found by Trivy and that those are indeed false positive?

Will have someone take a look ASAP.

[dblock]

For jackson-databind I see #2599 that went into 2.0 (#2597), but it wasn't backported into 1.x/1.3, let's get a definitive statement on whether that vulnerability affects OpenSearch or not.

[sandervandegeijn]

yes, already did, see 3rd post, second screenshot :)

[dblock]

yes, already did, see 3rd post, second screenshot :)

Yes, I saw that and deleted my comment. Thx