Vulnerability: CVE-2022-42003 & CVE-2022-42889 in opensearchproject/opensearch:1.3.6

[jefftyn]

Describe the bug

Hi team,

In our trivy scan report there are 1 HIGH and 1 CRITICAL vulnerabilities in opensearchproject/opensearch:1.3.6.
Is there any plan to upgrade the version of libs to fix them? Thanks.

Library	Vulnerability	Severity	Installed Version	Fixed Version	Title
com.fasterxml.jackson.core:jackson-databind(jackson-databind-2.13.2.2.jar)	CVE-2022-42003	HIGH	2.13.2.2	2.12.7.1, 2.13.4.1	jackson-databind: deep wrapper array nesting wrt(jackson-databind-2.13.2.2.jar) UNWRAP_SINGLE_VALUE_ARRAYS https://avd.aquasec.com/nvd/cve-2022-42003
org.apache.commons:commons-text (commons-text-1.9.jar)	CVE-2022-42889	CRITICAL	1.9	1.10.0	apache-commons-text: variable interpolation RCE https://avd.aquasec.com/nvd/cve-2022-42889

[reta]

@jefftyn the CVEs have been addressed already:

• [Backport 1.3] Update Jackson Databind to 2.13.4.2 (addressing CVE-2022-42003) (#4779) #4785
• backport: Address CVE-2022-42889 by updating commons-text ml-commons#520
• [Backport 2.x] Address CVE-2022-42889 by updating commons-text security#2186

[andrross]

@jefftyn The next 1.3 release is scheduled for December 8 and will include these fixes

[anasalkouz]

Closing this, since they are already fixed and will be pushed on next release.

[colmaengus]

When is the next release due? Our security folks are starting to complain.

[reta]

@colmaengus https://opensearch.org/releases.html