CVE-2022-42889 - is OpenSearch vulnerable? #485

Closed
Ayril opened this issue Oct 19, 2022 · 5 comments · Fixed by #487
Labels
bug Something isn't working untriaged

Comments

Ayril commented Oct 19, 2022

CVE-2022-42889 has recently been published. The opensearch-ml plugin includes the vulnerable commons-text:1.9 JAR:

+--- project :opensearch-ml-algorithms
|    +--- org.tribuo:tribuo-clustering-kmeans:4.2.1
|    |    +--- org.tribuo:tribuo-data:4.2.1
|    |    |    \--- com.opencsv:opencsv:5.4
|    |    |         +--- org.apache.commons:commons-text:1.9

(example dependency tree from OpenSearch 1.3.6)

Unfortunately the latest opencsv version is still using commons-text:1.9 so upstream dependencies can not (yet) easily be patched with just a version bump. A patch for opencsv has been requested with a comment noting that it does not use the string interpolation feature of commons-text.

It would be great if the OpenSearch team could:

  1. Release a statement about the impact of CVE-2022-42889 on OpenSearch
  2. Patch OpenSearch to not use the vulnerable JAR when possible
@Craigacp

ML commons doesn't use anything from tribuo-data which is only a dependency of tribuo-clustering-kmeans to provide a simple CLI for getting started. So one solution to this is to exclude tribuo-data from the ML commons build.

@Zhangxunmt
Collaborator

Another way should be just updating commons-text. It may be possible ml-common will support loading csv data inputs, which depends on CSVLoad in tribuo-data.

@ylwu-amzn
Collaborator

@Craigacp Do you have a plan to fix this CVE in tribuo? We are using 4.2.1; if some newer version fixed this CVE, we can bump the tribuo version.

@Craigacp

We released 4.3.0 two weeks ago, but it doesn't pin to the new commons-text as the CVE wasn't available. We can make a 4.2.2 (and 4.3.1) that bumps the dependencies of commons text and jackson to the new versions, but there isn't anything else to go in it, and overriding those versions in your gradle yourself should be a sufficient fix for ml commons.

@ylwu-amzn
Collaborator

Thanks, we will override the version for now.
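The two mitigations agreed on in this thread (excluding tribuo-data, or overriding the commons-text version), written out as an added Gradle build fragment. This is example code, not the ml-commons build file and not the change merged in #487; it assumes the Gradle `java` plugin so that the `implementation` and `runtimeClasspath` configurations exist, and the patched commons-text version is a placeholder property rather than a number taken from this page.

```groovy
// Added example (not the ml-commons build): the two mitigations discussed above.
// Assumes the Gradle 'java' plugin, so 'implementation' and 'runtimeClasspath' exist.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Placeholder: the first commons-text release that fixes CVE-2022-42889.
// Pass it with -PcommonsTextFixedVersion=<version>, taking the number from the Apache advisory.
def commonsTextFixedVersion = project.findProperty('commonsTextFixedVersion') ?: 'REPLACE_WITH_FIXED_VERSION'

dependencies {
    // Mitigation 1 (Craigacp): drop tribuo-data, which ML Commons does not use.
    // Its CLI is the only reason it is pulled in, and with it opencsv 5.4 -> commons-text 1.9.
    implementation('org.tribuo:tribuo-clustering-kmeans:4.2.1') {
        exclude group: 'org.tribuo', module: 'tribuo-data'
    }

    // Mitigation 2 (Zhangxunmt / ylwu-amzn): keep tribuo-data for CSVLoad but lift
    // commons-text to the patched release. Either mitigation alone removes the 1.9 JAR.
    constraints {
        implementation("org.apache.commons:commons-text:${commonsTextFixedVersion}") {
            because 'CVE-2022-42889: opencsv 5.4 still declares commons-text 1.9'
        }
    }
}

// Make the override win even if another dependency re-introduces commons-text 1.9 later.
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.commons'
                && details.requested.name == 'commons-text'
                && details.requested.version == '1.9') {
            details.useVersion(commonsTextFixedVersion)
            details.because('CVE-2022-42889')
        }
    }
}

// Regression guard: fail the build if commons-text 1.9 is still on the runtime classpath.
tasks.register('verifyCommonsTextPatched') {
    group = 'verification'
    description = 'Fails if commons-text 1.9 (CVE-2022-42889) resolves onto runtimeClasspath'
    doLast {
        def vulnerable = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts.findAll { artifact ->
            def id = artifact.moduleVersion.id
            id.group == 'org.apache.commons' && id.name == 'commons-text' && id.version == '1.9'
        }
        if (!vulnerable.isEmpty()) {
            throw new GradleException("commons-text 1.9 still resolved: ${vulnerable*.file*.name}")
        }
        logger.lifecycle('commons-text 1.9 is not on runtimeClasspath')
    }
}
tasks.named('check') { dependsOn 'verifyCommonsTextPatched' }
```

Run `./gradlew check -PcommonsTextFixedVersion=<patched version>` and `./gradlew dependencies --configuration runtimeClasspath` to confirm the tree no longer shows `commons-text:1.9`; the guard task turns that manual check into a build failure, which matters because the version bump relies on opencsv continuing to tolerate a newer commons-text.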
