OpenSearch fixing Elasticsearch XSS, DoS, Missing Authorization, Information Exposure

Description

mod-search uses Elasticsearch 7.10.2 client.

Elasticsearch 7.10.2 (org.elasticsearch:elasticsearch@7.10.2 and org.elasticsearch.client:elasticsearch-rest-high-level-client@7.10.2) has these vulnerabilities:

Upgrading to a more recent Elasticsearch client would fix these issues, but newer versions are not available under the Apache 2.0 license, see .

Consider switching from the Elasticsearch client to the OpenSearch client, which continues to be released under the Apache 2.0 license: https://opensearch.org/
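As an added illustration, not taken from the mod-search project, the dependency swap the description proposes expressed as Maven coordinates. The "before" block uses the two artifacts named above; the "after" block uses the OpenSearch fork's artifacts. OPENSEARCH_VERSION is a placeholder (this ticket names no target version), and how mod-search actually declares these dependencies in its own pom.xml is an assumption.

```xml
<!-- Before: the Elasticsearch 7.10.2 client artifacts named in the description -->
<dependency>
  <groupId>org.elasticsearch.client</groupId>
  <artifactId>elasticsearch-rest-high-level-client</artifactId>
  <version>7.10.2</version>
</dependency>
<dependency>
  <groupId>org.elasticsearch</groupId>
  <artifactId>elasticsearch</artifactId>
  <version>7.10.2</version>
</dependency>

<!-- After: the OpenSearch fork of the same client, released under Apache 2.0.
     OPENSEARCH_VERSION is a placeholder; substitute a current OpenSearch release. -->
<dependency>
  <groupId>org.opensearch.client</groupId>
  <artifactId>opensearch-rest-high-level-client</artifactId>
  <version>OPENSEARCH_VERSION</version>
</dependency>
<dependency>
  <groupId>org.opensearch</groupId>
  <artifactId>opensearch</artifactId>
  <version>OPENSEARCH_VERSION</version>
</dependency>
```

Because the OpenSearch client is a fork of the 7.10.2 code base, the Java-side change is mostly a package rename (imports under org.elasticsearch become org.opensearch). After the swap, running mvn dependency:tree and confirming that no org.elasticsearch artifact is still pulled in transitively is the check that the vulnerable client has actually left the build.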

Environment

None

Potential Workaround

None

Activity

Pavlo Smahin June 1, 2022 at 12:49 PM

After the latest research, it seems to be possible to migrate to OpenSearch.

, could we move the issue higher in the Spitfire backlog to continue working on it?

Craig McNally May 19, 2022 at 3:10 PM

can you please chime in on whether or not it's possible to switch to the opensearch client, and if not, why?

cc

Julian Ladisch May 12, 2022 at 2:43 PM

: Whether a Lotus hotfix is needed depends on the risk. Is mod-search affected by the vulnerabilities? The folio-security-group cannot answer this question, this needs to be investigated by mod-search developers.

Khalilah Gambrell May 12, 2022 at 2:18 PM

is evaluating options since "switching from Elasticsearch client to Opensearch client" is not possible.

Khalilah Gambrell May 10, 2022 at 1:48 PM

- should we include in Lotus Hotfix?

Done

Details

Development Team

Spitfire

Created May 4, 2022 at 10:13 AM
Updated July 6, 2022 at 3:51 PM
Resolved June 10, 2022 at 1:12 PM