OpenSearch and Updated nss fix CVE-2021-43527

Hello there,
As I see now, OpenSearch v1.2 was released on 23 Nov 2021. However, Amazon issued a security fix for CVE-2021-43527 on 1 Dec 2021 (Amazon Linux 2 Release Note).

Since OpenSearch uses this image as its base, I am just wondering whether OpenSearch v1.2 has that fix available or whether it will be included later.

Will there be a patch or v1.3 for OpenSearch in the near future?

Hey @guhan!

Thanks for bringing that up. I pushed this to the launch team and they’re working on how to get the fix to the community.


This brings up a general question: is there a policy in place for how to handle security updates, both for libraries used by the software (i.e. also affecting binary downloads or even Maven artifacts) and for components of the Docker images?

I can see two options:

  • You have an update-test-and-release-ASAP strategy (i.e. a CVE pops up, Dependabot creates a PR, you merge it, you create a fix release of the affected things) on all supported releases (whichever those are?). (I believe Dependabot wasn't properly enabled with OpenSearch#664, because I've never seen any PR from Dependabot on any of your repos; probably something to look into again?)
  • You analyse the CVE and publish documentation confirming that the CVE has no impact on OpenSearch / users of OpenSearch and that an update is thus not needed as a hotfix (this can e.g. be done if an update is more complicated than the analysis).

@ralph There is actually some work going on with this. The project uses WhiteSource, but there are some thoughts on using Dependabot. You can find a relevant discussion in this issue.


@searchymcsearchface,

Thanks for the update. It looks like 1.2.1 was released, but it only fixed the Log4j issue (not the NSS issue).
What is the best way to create our own custom OpenSearch image with 1.2.1 as the base and update it with the appropriate NSS package 3.67.xxx?
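One way to answer the question above from the verification side, as an added example that is not from anyone in this thread: before or after rebuilding an image, check which `nss` RPM is actually installed and whether it meets the minimum branch the post names (3.67). The package name strings below are constructed samples, not output captured from any real image, and the 3.67 threshold is taken from the post above; the exact fixed release for Amazon Linux 2 is an assumption to be confirmed against the advisory linked earlier in the thread.

```shell
#!/bin/sh
# Added example: check whether an installed nss RPM meets a minimum version.
# Assumption: 3.67 is the first fixed branch (taken from the thread, not verified here).
NSS_MIN_VERSION="3.67"

# version_ge A B -> exit 0 when dotted version A >= B, compared numerically
# component by component ("3.67" and "3.67.0" compare equal).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# nss_version_from_rpm NVRA -> prints the upstream version part of an
# "rpm -q nss" style name such as nss-3.67.0-4.el.x86_64 (prints "3.67.0").
nss_version_from_rpm() {
    v="${1#nss-}"
    printf '%s\n' "${v%%-*}"
}

# nss_is_fixed NVRA -> exit 0 when the installed nss is at or above NSS_MIN_VERSION
nss_is_fixed() {
    version_ge "$(nss_version_from_rpm "$1")" "$NSS_MIN_VERSION"
}

# Constructed sample package names (release tags invented for illustration).
OLD_NSS="nss-3.53.1-7.sample.x86_64"
NEW_NSS="nss-3.67.0-4.sample.x86_64"

# Usage inside a running container or image: sh check-nss.sh --check
# (rpm is assumed to be present, as it is on an RPM-based base image).
if [ "${1:-}" = "--check" ]; then
    if nss_is_fixed "$(rpm -q nss)"; then
        echo "nss is at or above $NSS_MIN_VERSION"
    else
        echo "nss is below $NSS_MIN_VERSION; update required"
        exit 1
    fi
fi
```

To build a derived image that pulls in the updated package, the usual pattern (an assumption about the image layout, not something stated in this thread) is a Dockerfile that starts `FROM` the 1.2.1 image, switches to `USER root` for a `yum update -y nss`, then switches back to the image's non-root user; running the check above in the resulting container confirms the package actually changed.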

Hmm. I was told that the NSS issue was solved with 1.2.1. Can you expand a bit on why you think the NSS issue is not solved?

Hi @guhan, OpenSearch 1.2.1 does indeed include a fix for CVE-2021-43527 (see the release notes).

@ralph Yes, we update dependencies to pick up security fixes, as well as fix any known issues in the project code, with every new release. If an issue like the Log4j2 one shows up that warrants immediate attention, we don’t wait for the next scheduled release, and instead issue a patch release right away.


Great, thanks @searchymcsearchface for the update.

@searchymcsearchface, out of curiosity, is the OpenSearch Dashboards version also updated to 1.2.1 with the fixes available?

@guhan let me check on that. I know the team is a bit turned around with the Log4j fun, but it’s a good point.

The OpenSearch-Dashboards Docker image has been redeployed to fix CVE-2021-43527.
