Skip to content

fix CVE-2025-55163, CVE-2025-48924 #4298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: create-pull-request/2.19.4-SNAPSHOT
Choose a base branch
from
Open

fix CVE-2025-55163, CVE-2025-48924 #4298

wants to merge 3 commits into from
+7 −1

Conversation

brianf-aws
Copy link
Contributor

@brianf-aws brianf-aws commented Oct 10, 2025
edited
Loading

Description

Fix CVEs CVE-2025-55163, CVE-2025-48924

Addresses #4143

./gradlew test 

BUILD SUCCESSFUL in 2m 51s
47 actionable tasks: 47 executed

 find plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT -name "*netty-codec-http*" -type f 


plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT/netty-codec-http2-4.2.4.Final.jar
plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT/netty-codec-http-4.2.4.Final.jar

 find plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT -name "*commons-lang3*" -type f

plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT/commons-lang3-3.18.0.jar

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:00 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:00 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:00 — with GitHub Actions Failure
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:00 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:00 — with GitHub Actions Failure
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:00 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:16 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:16 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:16 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:16 — with GitHub Actions Failure
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:16 — with GitHub Actions Error
@brianf-aws brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 11, 2025 00:16 — with GitHub Actions Failure
@dbwiddis
Copy link
Member

These shouldn't be necessary if you use the version catalog.

I just went through and updated all the OpenSearch CVE versions, between opensearch-project/OpenSearch#19155 and https://github.com/opensearch-project/OpenSearch/pulls?q=is%3Aopen+is%3Apr+author%3Adbwiddis+label%3ACVE most should be handled.

dbwiddis
dbwiddis reviewed Oct 12, 2025
View reviewed changes
@brianf-aws
Copy link
Contributor Author

Taking a look again, was dragged into other tasks

@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 21, 2025 23:40 — with GitHub Actions Waiting
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 21, 2025 23:40 — with GitHub Actions Waiting
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 21, 2025 23:40 — with GitHub Actions Waiting
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 21, 2025 23:40 — with GitHub Actions Waiting
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 21, 2025 23:40 — with GitHub Actions Waiting
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 21, 2025 23:40 — with GitHub Actions Waiting
@brianf-aws
Copy link
Contributor Author

brianf-aws commented Oct 22, 2025
edited
Loading

The mend security port is saying commlang3.version != 3.18.0

 ./gradlew :opensearch-ml-plugin:dependencies --configuration runtimeClasspath | grep commons-lang3

|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    +--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0

and if I look at the snapshot unzipped I don't see the commons-lang3 as a different version

% pwd
/Users/iflorbri/IdeaProjects/ml-commons/plugin/build/distributions/opensearch-ml-2.19.4.0-SNAPSHOT
opensearch-ml-2.19.4.0-SNAPSHOT % find ./ -name "*commons-lang3*" -type f                                                        

./commons-lang3-3.18.0.jar

@gaiksaya can you give any advice? Do you think its a problem with security Mend?

@gaiksaya
Copy link
Member

@gaiksaya can you give any advice? Do you think its a problem with security Mend?

Looks like the dependency is marked transitive in mend failure: https://github.com/opensearch-project/ml-commons/pull/4298/checks?check_run_id=53328647583
You can try to see by ./gradlew dependencies | grep commons-lang3

@brianf-aws
Copy link
Contributor Author

Thanks @gaiksaya

I see now, will make appropriate edits

 for project in opensearch-ml-algorithms opensearch-ml-client opensearch-ml-common opensearch-ml-memory opensearch-ml-plugin opensearch-ml-search-processors opensearch-ml-spi; do
  echo "=== $project ==="
  ./gradlew :$project:dependencies | grep commons-lang3
done

=== opensearch-ml-algorithms ===
|    \--- org.apache.commons:commons-lang3:3.13.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
|    \--- org.apache.commons:commons-lang3:3.13.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
|    \--- org.apache.commons:commons-lang3:3.13.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
|    \--- org.apache.commons:commons-lang3:3.13.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.13.0
=== opensearch-ml-client ===
=== opensearch-ml-common ===
|    \--- org.apache.commons:commons-lang3:3.12.0
|    \--- org.apache.commons:commons-lang3:3.12.0
|    \--- org.apache.commons:commons-lang3:3.12.0
=== opensearch-ml-memory ===
=== opensearch-ml-plugin ===
+--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0 (n)
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    +--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    +--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
=== opensearch-ml-search-processors ===
+--- org.apache.commons:commons-lang3:3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
+--- org.apache.commons:commons-lang3:3.18.0 (n)
+--- org.apache.commons:commons-lang3:3.18.0
     \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
=== opensearch-ml-spi ===

@brianf-aws
Copy link
Contributor Author

Current commit changes show common lang dependencies to use lang3 3.18.0

 for project in opensearch-ml-algorithms opensearch-ml-client opensearch-ml-common opensearch-ml-memory opensearch-ml-plugin opensearch-ml-search-processors opensearch-ml-spi; do
  echo "=== $project ==="
  ./gradlew :$project:dependencies | grep commons-lang3
done
=== opensearch-ml-algorithms ===
|    \--- org.apache.commons:commons-lang3:3.13.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.13.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.13.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.13.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
=== opensearch-ml-client ===
=== opensearch-ml-common ===
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
=== opensearch-ml-memory ===
=== opensearch-ml-plugin ===
+--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0 (n)
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    +--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    |    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
|    +--- org.apache.commons:commons-lang3:3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
=== opensearch-ml-search-processors ===
+--- org.apache.commons:commons-lang3:3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
+--- org.apache.commons:commons-lang3:3.18.0 (n)
+--- org.apache.commons:commons-lang3:3.18.0
     \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
+--- org.apache.commons:commons-lang3:3.18.0
|    \--- org.apache.commons:commons-lang3:3.12.0 -> 3.18.0
=== opensearch-ml-spi ===

will monitor the mend

@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 21:40 — with GitHub Actions In progress
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 21:40 — with GitHub Actions In progress
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 21:40 — with GitHub Actions In progress
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 21:40 — with GitHub Actions In progress
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 21:40 — with GitHub Actions In progress
@brianf-aws brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 21:40 — with GitHub Actions In progress
@brianf-aws
Copy link
Contributor Author

[Mend Security Check] has passed now

@gaiksaya
Copy link
Member

will monitor the mend

Looks like it went through @brianf-aws 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gaiksaya gaiksaya gaiksaya left review comments

@b4sjoo b4sjoo Awaiting requested review from b4sjoo b4sjoo is a code owner

@dhrubo-os dhrubo-os Awaiting requested review from dhrubo-os dhrubo-os is a code owner

@mingshl mingshl Awaiting requested review from mingshl mingshl is a code owner

@jngz-es jngz-es Awaiting requested review from jngz-es jngz-es is a code owner

@model-collapse model-collapse Awaiting requested review from model-collapse model-collapse is a code owner

@rbhavna rbhavna Awaiting requested review from rbhavna rbhavna is a code owner

@ylwu-amzn ylwu-amzn Awaiting requested review from ylwu-amzn ylwu-amzn is a code owner

@zane-neo zane-neo Awaiting requested review from zane-neo zane-neo is a code owner

@Zhangxunmt Zhangxunmt Awaiting requested review from Zhangxunmt Zhangxunmt is a code owner

@austintlee austintlee Awaiting requested review from austintlee austintlee is a code owner

@HenryL27 HenryL27 Awaiting requested review from HenryL27 HenryL27 is a code owner

@xinyual xinyual Awaiting requested review from xinyual xinyual is a code owner

+1 more reviewer

@dbwiddis dbwiddis dbwiddis left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@brianf-aws @dbwiddis @gaiksaya