fix CVE-2025-55163, CVE-2025-48924 (opensearch-project#4298)

* address commons-lang3 CVE-2025-48924

Signed-off-by: Brian Flores <[email protected]>

* pin netty to 4.2.5.Final version address  CVE-2025-55163

Signed-off-by: Brian Flores <[email protected]>

* force all subProjects to use updated common-lang3 version

Signed-off-by: Brian Flores <[email protected]>

---------

Signed-off-by: Brian Flores <[email protected]>

Author: brianf-aws

build.gradle

@@ -71,6 +71,7 @@ allprojects {
 
 }
 
+
 subprojects {
     configurations {
         testImplementation.extendsFrom compileOnly
@@ -80,6 +81,8 @@ subprojects {
         // Force spotless depending on newer version of guava due to CVE-2023-2976. Remove after spotless upgrades.
         resolutionStrategy.force "com.google.guava:guava:32.1.3-jre"
         resolutionStrategy.force 'org.apache.commons:commons-compress:1.26.0'
+        resolutionStrategy.force "org.apache.commons:commons-lang3:${versions.commonslang}"
+
     }
 }
 

ml-algorithms/build.gradle

@@ -88,7 +88,9 @@ dependencies {
     }
     implementation('net.minidev:json-smart:2.5.2')
     implementation group: 'org.json', name: 'json', version: '20231013'
-    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: "2.30.18"
+    implementation(enforcedPlatform("io.netty:netty-bom:4.2.5.Final"))
+    implementation("software.amazon.awssdk:netty-nio-client")
+
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'

search-processors/build.gradle

@@ -27,6 +27,7 @@ repositories {
     mavenLocal()
 }
 
+
 dependencies {
     implementation project(path: ":${rootProject.name}-common", configuration: 'shadow')
     compileOnly group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}"