From 26ede8333c1de371aac0c1528f5928131ca29033 Mon Sep 17 00:00:00 2001
From: Brian Flores
Date: Tue, 21 Oct 2025 16:17:09 -0700
Subject: [PATCH 1/3] address commons-lang3 CVE-2025-48924

Signed-off-by: Brian Flores
---
 search-processors/build.gradle | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/search-processors/build.gradle b/search-processors/build.gradle
index e9fbc9a585..8ab700f9ea 100644
--- a/search-processors/build.gradle
+++ b/search-processors/build.gradle
@@ -27,6 +27,10 @@ repositories {
     mavenLocal()
 }
 
+configurations.all {
+    resolutionStrategy.force "org.apache.commons:commons-lang3:${versions.commonslang}"
+}
+
 dependencies {
     implementation project(path: ":${rootProject.name}-common", configuration: 'shadow')
     compileOnly group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}"

From 502219d68e17774f1afcb83ebbc39336b0f02127 Mon Sep 17 00:00:00 2001
From: Brian Flores
Date: Tue, 21 Oct 2025 16:38:05 -0700
Subject: [PATCH 2/3] pin netty to 4.2.5.Final version address CVE-2025-55163

Signed-off-by: Brian Flores
---
 ml-algorithms/build.gradle | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
index 9405f6a9ee..c50f0ab54a 100644
--- a/ml-algorithms/build.gradle
+++ b/ml-algorithms/build.gradle
@@ -88,7 +88,9 @@ dependencies {
     }
     implementation('net.minidev:json-smart:2.5.2')
     implementation group: 'org.json', name: 'json', version: '20231013'
-    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: "2.30.18"
+    implementation(enforcedPlatform("io.netty:netty-bom:4.2.5.Final"))
+    implementation("software.amazon.awssdk:netty-nio-client")
+
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
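Review bot: The new `implementation("software.amazon.awssdk:netty-nio-client")` line drops the explicit 2.30.18 version the removed line carried, and nothing in this hunk supplies a replacement — `enforcedPlatform("io.netty:netty-bom:4.2.5.Final")` only constrains io.netty artifacts, so unless an AWS SDK BOM or dependency constraint is declared elsewhere in ml-algorithms/build.gradle (outside the hunk), Gradle will fail to resolve the unversioned coordinate. If a BOM is intended, declare it next to the client so the intent is visible, e.g. `implementation(platform("software.amazon.awssdk:bom:<sdk-version>"))`; otherwise restore the version, e.g. `implementation("software.amazon.awssdk:netty-nio-client:2.30.18")`. Separately, enforcedPlatform overrides every transitive io.netty version to 4.2.5.Final, presumably including the 4.1.x line the SDK client itself declares, so a short comment naming this as the CVE-2025-55163 pin and a test run confirming the SDK client still works against netty 4.2 would be worthwhile; if the fix is also available on the 4.1 line, pinning there would avoid the cross-line jump. The enclosing `dependencies {` block starts before and ends after the hunk.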
From 06eb40a439d2b94f68818dc18d57a73c81f4cee3 Mon Sep 17 00:00:00 2001
From: Brian Flores
Date: Wed, 22 Oct 2025 14:38:19 -0700
Subject: [PATCH 3/3] force all subProjects to use updated common-lang3 version

Signed-off-by: Brian Flores
---
 build.gradle                   | 3 +++
 search-processors/build.gradle | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index be85478a58..509643b5a4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -71,6 +71,7 @@ allprojects {
 }
+
 subprojects {
     configurations {
         testImplementation.extendsFrom compileOnly
@@ -80,6 +81,8 @@ subprojects {
         // Force spotless depending on newer version of guava due to CVE-2023-2976. Remove after spotless upgrades.
         resolutionStrategy.force "com.google.guava:guava:32.1.3-jre"
         resolutionStrategy.force 'org.apache.commons:commons-compress:1.26.0'
+        resolutionStrategy.force "org.apache.commons:commons-lang3:${versions.commonslang}"
+
     }
 }
diff --git a/search-processors/build.gradle b/search-processors/build.gradle
index 8ab700f9ea..2f9f8bb380 100644
--- a/search-processors/build.gradle
+++ b/search-processors/build.gradle
@@ -27,9 +27,6 @@ repositories {
     mavenLocal()
 }
 
-configurations.all {
-    resolutionStrategy.force "org.apache.commons:commons-lang3:${versions.commonslang}"
-}
 
 dependencies {
     implementation project(path: ":${rootProject.name}-common", configuration: 'shadow')
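Review bot: The new `resolutionStrategy.force "org.apache.commons:commons-lang3:${versions.commonslang}"` line in the second build.gradle hunk has no comment saying why it exists or when it can be removed, whereas the guava force two lines above records its CVE and removal condition; the CVE number lives only in the commit message and is lost once merged. Add a matching comment above the line: `// Force commons-lang3 due to CVE-2025-48924. Remove once transitive dependencies pull in a fixed version.` Note that `force` wins even over a higher version some dependency may request later, so `versions.commonslang` (defined outside this hunk) has to be kept current or the pin becomes a downgrade. The stray blank `+` line before the closing brace, and the one added in the earlier `allprojects` hunk, look unintentional. The enclosing `subprojects {` and `configurations {` blocks start before the hunk.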