OpenSearch CVE Questions

Hey guys – There is this CVE published for Elasticsearch: Elasticsearch 7.13.4 Security Update - Security Announcements - Discuss the Elastic Stack

Has this CVE also been published for OpenSearch?

Is there a list of published CVEs for OpenSearch somewhere?

Seems that this is sadly not a prio topic - I asked about it weeks ago.

At this point in the project, I think there is room for interested parties to step up and investigate.

Keep in mind that ES will be dealing with vulnerabilities not only in the formerly Apache2 codebase, but also in their licensed (x-pack) features that are not present in OpenSearch. It isn’t clear-cut that a CVE published by ES affects OpenSearch.

Let me poke some people (also, sorry @frotsch, I should have also responded to your thread). The CVE process was brought up in a meeting earlier this week, but I don't personally have a lot of context.

Right - there are differences between Elasticsearch and OpenSearch. Beyond x-pack, there are different dependency versions, etc. It would require investigation to know if an ES CVE applies to OpenSearch.

@frotsch I’m sorry I missed your earlier comment. :frowning:

Thanks to both of you for bringing it up. We're looking at it now. We also need to be better about seeing these quickly, so if you have suggestions, LMK.

(PS I’m heading out of the office, but I will make sure someone stays on top of it while I’m out. I’m just letting you know in case my responses are delayed :slight_smile: )

We have verified that CVE-2021-22145 pertains to code not present in OpenSearch, or in any version of Elasticsearch OSS supported by Amazon Elasticsearch Service. There is therefore no impact to OpenSearch or Amazon Elasticsearch Service from this CVE.