Skip to content

Fix CVE-2025-58057 #4338

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 23, 2025
Merged

Fix CVE-2025-58057 #4338

merged 4 commits into from
Oct 23, 2025

Conversation

@nathaliellenaa
Copy link
Contributor

@nathaliellenaa nathaliellenaa commented Oct 22, 2025
edited by peterzhuamazon
Loading

Description

Fix CVE-2025-58057

Force netty-codec to 4.1.125.Final

for project in opensearch-ml-algorithms opensearch-ml-client opensearch-ml-common opensearch-ml-memory opensearch-ml-plugin opensearch-ml-search-processors opensearch-ml-spi; do
  echo "=== $project ==="
  ./gradlew :$project:dependencies | grep netty-codec
done
=== opensearch-ml-algorithms ===
|    +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final
|    |         \--- io.netty:netty-codec:4.1.125.Final (*)
|    +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
|    |         +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |         |    +--- io.netty:netty-codec:4.1.125.Final
|    |         |         \--- io.netty:netty-codec:4.1.125.Final (*)
|    |         +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |         |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |         |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    |         +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
|    +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final
|    |         \--- io.netty:netty-codec:4.1.125.Final (*)
|    +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
|         +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|         |    +--- io.netty:netty-codec:4.1.125.Final
|         |         \--- io.netty:netty-codec:4.1.125.Final (*)
|         +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|         |    +--- io.netty:netty-codec:4.1.125.Final (*)
|         |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|         +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
=== opensearch-ml-client ===
=== opensearch-ml-common ===
|    +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final
|    |         \--- io.netty:netty-codec:4.1.125.Final (*)
|    +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
|    +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final
|    |         \--- io.netty:netty-codec:4.1.125.Final (*)
|    +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
|    +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final
|    |         \--- io.netty:netty-codec:4.1.125.Final (*)
|    +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
=== opensearch-ml-memory ===
=== opensearch-ml-plugin ===
|    |    |         +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |    |         |    +--- io.netty:netty-codec:4.1.125.Final
|    |    |         +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |    |         |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |    |         |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    |    |         +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
|    |    |         +--- io.netty:netty-codec-http:4.1.124.Final -> 4.1.125.Final
|    |    |         |    +--- io.netty:netty-codec:4.1.125.Final
|    |    |         +--- io.netty:netty-codec-http2:4.1.124.Final -> 4.1.125.Final
|    |    |         |    +--- io.netty:netty-codec:4.1.125.Final (*)
|    |    |         |    \--- io.netty:netty-codec-http:4.1.125.Final (*)
|    |    |         +--- io.netty:netty-codec:4.1.124.Final -> 4.1.125.Final (*)
=== opensearch-ml-search-processors ===
=== opensearch-ml-spi ===

Couldn't find dependency insight for netty-codec-compression

for project in opensearch-ml-algorithms opensearch-ml-client opensearch-ml-common opensearch-ml-memory opensearch-ml-plugin opensearch-ml-search-processors opensearch-ml-spi; do
  echo "=== $project ==="
  ./gradlew :$project:dependencies | grep netty-codec-compression
done

=== opensearch-ml-algorithms ===
=== opensearch-ml-client ===
=== opensearch-ml-common ===
=== opensearch-ml-memory ===
=== opensearch-ml-plugin ===
=== opensearch-ml-search-processors ===
=== opensearch-ml-spi ===

Related Issues

Resolves #[Issue number to be closed when this PR is merged]

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 22, 2025 22:55 — with GitHub Actions Failure
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 22, 2025 22:55 — with GitHub Actions Error
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 22, 2025 22:55 — with GitHub Actions Error
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 22, 2025 22:55 — with GitHub Actions Failure
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 23:57 — with GitHub Actions Waiting
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 23:57 — with GitHub Actions Waiting
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 23:57 — with GitHub Actions Waiting
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 23:57 — with GitHub Actions Waiting
@brianf-aws
Copy link
Contributor

brianf-aws commented Oct 23, 2025

Nice helper script ;)

You can make the changes on the root of the build file like this

7c49706

which will iterate over the subprojects opensearch-ml-algorithms opensearch-ml-client opensearch-ml-common opensearch-ml-memory opensearch-ml-plugin opensearch-ml-search-processors opensearch-ml-spi

That way we dont have to wackamole the build file in each subproject

@nathaliellenaa
Copy link
Contributor Author

nathaliellenaa commented Oct 23, 2025

Nice helper script ;)

You can make the changes on the root of the build file like this

7c49706

which will iterate over the subprojects opensearch-ml-algorithms opensearch-ml-client opensearch-ml-common opensearch-ml-memory opensearch-ml-plugin opensearch-ml-search-processors opensearch-ml-spi

That way we dont have to wackamole the build file in each subproject

Good suggestion! I will apply this

@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 00:23 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 00:23 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 00:23 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 00:23 — with GitHub Actions Inactive
dhrubo-os
dhrubo-os reviewed Oct 23, 2025
View reviewed changes
build.gradle Outdated
// Force spotless depending on newer version of guava due to CVE-2023-2976. Remove after spotless upgrades.
resolutionStrategy.force "com.google.guava:guava:32.1.3-jre"
resolutionStrategy.force 'org.apache.commons:commons-compress:1.26.0'
resolutionStrategy.force 'io.netty:netty-buffer:4.1.125.Final'
Copy link
Collaborator

@dhrubo-os dhrubo-os Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we really using all these?

Copy link
Contributor Author

@nathaliellenaa nathaliellenaa Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to include those netty modules, otherwise the build will fail

@peterzhuamazon peterzhuamazon mentioned this pull request Oct 23, 2025
Closed
65 tasks
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 17:41 — with GitHub Actions Failure
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 17:41 — with GitHub Actions Error
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 23, 2025 21:39 — with GitHub Actions Waiting
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 23, 2025 21:39 — with GitHub Actions Waiting
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 23, 2025 21:39 — with GitHub Actions Waiting
@nathaliellenaa nathaliellenaa requested a deployment to ml-commons-cicd-env-require-approval October 23, 2025 21:39 — with GitHub Actions Waiting
@nathaliellenaa
fix cve
241f0c5 
Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>
@nathaliellenaa
Force version for other netty modules
801daf5 
Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>
@nathaliellenaa
Apply suggestion
ac7a429 
Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>
@nathaliellenaa
Use versions.netty
1753f60 
Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 21:49 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 21:49 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 21:49 — with GitHub Actions Inactive
@nathaliellenaa nathaliellenaa temporarily deployed to ml-commons-cicd-env-require-approval October 23, 2025 21:49 — with GitHub Actions Inactive
@brianf-aws brianf-aws mentioned this pull request Oct 23, 2025
Open
5 tasks
@peterzhuamazon peterzhuamazon mentioned this pull request Oct 23, 2025
Merged
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 23:02 — with GitHub Actions Failure
@nathaliellenaa nathaliellenaa had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 23:02 — with GitHub Actions Error
@dhrubo-os dhrubo-os merged commit eec7179 into opensearch-project:main Oct 23, 2025
10 of 13 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 23, 2025
@nathaliellenaa @github-actions
Fix CVE-2025-58057 (#4338)
83317e1 
* fix cve

Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>

* Force version for other netty modules

Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>

* Apply suggestion

Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>

* Use versions.netty

Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>

---------

Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>
(cherry picked from commit eec7179)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Oct 23, 2025
Merged
peterzhuamazon pushed a commit that referenced this pull request Oct 24, 2025
@opensearch-trigger-bot @nathaliellenaa
Fix CVE-2025-58057 (#4338) (#4343)
592a193 
* fix cve



* Force version for other netty modules



* Apply suggestion



* Use versions.netty



---------


(cherry picked from commit eec7179)

Signed-off-by: Nathalie Jonathan <nathhjo@amazon.com>
Co-authored-by: Nathalie Jonathan <143617992+nathaliellenaa@users.noreply.github.com>
@brianf-aws brianf-aws mentioned this pull request Oct 24, 2025
Closed
@peterzhuamazon peterzhuamazon mentioned this pull request Nov 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhrubo-os dhrubo-os dhrubo-os approved these changes

@pyek-bot pyek-bot pyek-bot approved these changes

@b4sjoo b4sjoo Awaiting requested review from b4sjoo b4sjoo is a code owner

@mingshl mingshl Awaiting requested review from mingshl mingshl is a code owner

@jngz-es jngz-es Awaiting requested review from jngz-es jngz-es is a code owner

@model-collapse model-collapse Awaiting requested review from model-collapse model-collapse is a code owner

@rbhavna rbhavna Awaiting requested review from rbhavna rbhavna is a code owner

@ylwu-amzn ylwu-amzn Awaiting requested review from ylwu-amzn ylwu-amzn is a code owner

@zane-neo zane-neo Awaiting requested review from zane-neo zane-neo is a code owner

@Zhangxunmt Zhangxunmt Awaiting requested review from Zhangxunmt Zhangxunmt is a code owner

@austintlee austintlee Awaiting requested review from austintlee austintlee is a code owner

@HenryL27 HenryL27 Awaiting requested review from HenryL27 HenryL27 is a code owner

@sam-herman sam-herman Awaiting requested review from sam-herman sam-herman is a code owner

@xinyual xinyual Awaiting requested review from xinyual xinyual is a code owner

+2 more reviewers

@jiapingzeng jiapingzeng jiapingzeng approved these changes

@brianf-aws brianf-aws brianf-aws approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport 3.3

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@nathaliellenaa @brianf-aws @dhrubo-os @jiapingzeng @pyek-bot @peterzhuamazon