fix CVE-2025-55163, CVE-2025-48924, CVE-2025-58057 #4339

brianf-aws · 2025-10-22T23:50:09Z

Description

Upon making a CVE fix #4298 . which involved bumping netty, there was a netty exception.

? ERROR][o.o.m.e.a.a.MLAgentExecutor] [integTest-0] Failed to run conversational agent
?  org.opensearch.OpenSearchStatusException: Error communicating with remote model: java.lang.IllegalStateException: unexpected message type: LastHttpContent$1, state: 0
?  	at org.opensearch.ml.engine.algorithms.remote.MLSdkAsyncHttpResponseHandler.onError(MLSdkAsyncHttpResponseHandler.java:108) [opensearch-ml-algorithms-2.19.4.0-SNAPSHOT.jar:?]
?  	at software.amazon.awssd

There exists a cherry pick which bumped netty on mainline but required code changes
#4175 . The issue here is that the version catalog in that mainline commit was not synced from core 2.19.4 . Making the change non-trivial

Reviewer objectives

To ensure at least 1 CI passes that no errors are related to netty
To review commits from use mainline versions.aws via hardcode and above
To note that the lack of version catalog is because core's 2.19.4 version catalog is 11 months old!

Related Issues

Resolves the snapshot PR #4143

Next steps

backport the Core version catalog to 2.19.4 [OS core]
Update 2.19.4 to have proper version catalog [ML-Commons]

Check List

New functionality includes testing.
New functionality has been documented.
API changes companion pull request created.
Commits are signed per the DCO using --signoff.
Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: opensearch-ci-bot <[email protected]>

* address commons-lang3 CVE-2025-48924 Signed-off-by: Brian Flores <[email protected]> * pin netty to 4.2.5.Final version address CVE-2025-55163 Signed-off-by: Brian Flores <[email protected]> * force all subProjects to use updated common-lang3 version Signed-off-by: Brian Flores <[email protected]> --------- Signed-off-by: Brian Flores <[email protected]>

…earch-project#4175) * Move HttpClientFactory to common to expose to other componenets Signed-off-by: zane-neo <[email protected]> * optimize code for better maintainability Signed-off-by: zane-neo <[email protected]> * Optimize code and increase UT coverage Signed-off-by: zane-neo <[email protected]> * Address comments Signed-off-by: zane-neo <[email protected]> * Use amazon aws version from opensearch core Signed-off-by: zane-neo <[email protected]> * address comments Signed-off-by: zane-neo <[email protected]> --------- Signed-off-by: zane-neo <[email protected]>

Signed-off-by: Brian Flores <[email protected]>

brianf-aws · 2025-10-23T05:09:10Z

I don't think this new change is a result of the failures

 ERROR][o.o.m.e.a.a.MLAgentExecutor] [integTest-0] Failed to run flow agent
»  java.lang.IllegalArgumentException: SearchIndexTool's two parameter: index and query are required!
»  	at org.opensearch.ml.engine.tools.SearchIndexTool.run(SearchIndexTool.java:108) [opensearch-ml-algorithms-2.19.4.0-SNAPSHOT.jar:?]
»  	at org.opensearch.ml.engine.algorithms.agent.MLFlowAgentRunner.run(MLFlowAgentRunner.java:160) [opensearch-ml-algorithms-2.19.4.0-SNAPSHOT.jar:?]
»  	at org.opensearch.ml.engine.algorithms.agent.MLAgentExecutor.executeAgent(MLAgentExecutor.java:326) [opensearch-ml-algorithms-2.19.4.0-SNAPSHOT.jar:?]
»  	at org.opensearch.ml.engine.algorithms.agent.MLAgentExecutor.lambda$execute$4(MLAgentExecutor.java:248) [opensearch-ml-algorithms-2.19.4.0-SNAPSHOT.jar:?]
»  	at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:863) [?:?]
»  	at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:841) [?:?]
»  	at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:510) [?:?]

  org.opensearch.OpenSearchStatusException: Error validating input schema, if you think this is expected, please update your 'input' field in the 'interface' field for this model: Validation failed: [$.parameters.prompt: string found, integer expected] for instance: {"algorithm":"REMOTE","parameters":{"prompt":"Say this is a test"},"action_type":"PREDICT"} with schema: {"properties":{"parameters":{"properties":{"prompt":{"description":"This is a test description field","type":"integer"}}}}}
»  	at org.opensearch.ml.action.prediction.TransportPredictionTaskAction.validateInputSchema(TransportPredictionTaskAction.java:270) ~[?:?]
»  	at org.opensearch.ml.action.prediction.TransportPredictionTaskAction$1.lambda$onResponse$0(TransportPredictionTaskAction.java:181) ~[?:?]
»  	at org.opensearch.core.action.ActionListener$1.onResponse(ActionListener.java:82) [opensearch-core-2.19.4-SNAPSHOT.jar:2.19.4-SNAPSHOT]
»  	at org.opensearch.ml.helper.ModelAccessControlHelper.validateModelGroupAccess(ModelAccessControlHelper.java:140) [opensearch-ml-2.19.4.0-SNAPSHOT.jar:2.19.4.0-SNAPSHOT]
»  	at org.opensearch.ml.action.prediction.TransportPredictionTaskAction$1.onResponse(TransportPredictionTaskAction.java:134) [opensearch-ml-2.19.4.0-SNAPSHOT.jar:2.19.4.0-SNAPSHOT]
»  	at org.opensearch.ml.action.prediction.TransportPredictionTaskAction$1.onResponse(TransportPredictionTaskAction.java:123) [opensearch-ml-2.19.4.0-SNAPSHOT.jar:2.19.4.0-SNAPSHOT]
»  	at org.opensearch.ml.action.prediction.TransportPredictionTaskAction.doExecute(TransportPredictionTaskAction.java:221) [opensearch-ml-2.19.4.0-SNAPSHOT.jar:2.19.4.0-SNAPSHOT]

Signed-off-by: Brian Flores <[email protected]>

opensearch-ci-bot and others added 4 commits August 29, 2025 00:10

Increment version to 2.19.4-SNAPSHOT

c12440c

Signed-off-by: opensearch-ci-bot <[email protected]>

use mainline versions.aws via hardcode

684de5c

Signed-off-by: Brian Flores <[email protected]>

brianf-aws requested review from HenryL27, Zhangxunmt, austintlee, b4sjoo, dhrubo-os, jngz-es, mingshl, model-collapse, rbhavna, xinyual, ylwu-amzn and zane-neo as code owners October 22, 2025 23:50

brianf-aws changed the title ~~2.19.4 CVE fix~~ Address Netty failure at Agent Execute runtime Oct 22, 2025

brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 22, 2025 23:51 — with GitHub Actions Waiting

brianf-aws added 2 commits October 22, 2025 17:02

address CVE-2025-58057

7c49706

Signed-off-by: Brian Flores <[email protected]>

fix code format

ab05d1a

Signed-off-by: Brian Flores <[email protected]>

brianf-aws requested a deployment to ml-commons-cicd-env-require-approval October 23, 2025 00:04 — with GitHub Actions Waiting

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 00:06 — with GitHub Actions Failure

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 00:06 — with GitHub Actions Error

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 00:06 — with GitHub Actions Failure

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 00:06 — with GitHub Actions Error

opensearch-trigger-bot bot force-pushed the create-pull-request/2.19.4-SNAPSHOT branch from 7a07243 to 3a49eca Compare October 23, 2025 00:10

brianf-aws mentioned this pull request Oct 23, 2025

[AUTO] Increment version to 2.19.4-SNAPSHOT #4143

Open

brianf-aws changed the base branch from create-pull-request/2.19.4-SNAPSHOT to 2.19 October 23, 2025 19:55

owaiskazi19 mentioned this pull request Oct 23, 2025

Fix agent type update #4341

Open

5 tasks

empty commit to trigger CI

0f1ef7d

Signed-off-by: Brian Flores <[email protected]>

brianf-aws force-pushed the 2.19.4-cve-fix branch from d960273 to 0f1ef7d Compare October 23, 2025 21:53

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 21:55 — with GitHub Actions Error

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 21:55 — with GitHub Actions Failure

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 21:55 — with GitHub Actions Error

brianf-aws had a problem deploying to ml-commons-cicd-env-require-approval October 23, 2025 21:55 — with GitHub Actions Failure

brianf-aws changed the title ~~Address Netty failure at Agent Execute runtime~~ fix CVE-2025-55163, CVE-2025-48924, Oct 23, 2025

brianf-aws changed the title ~~fix CVE-2025-55163, CVE-2025-48924,~~ fix CVE-2025-55163, CVE-2025-48924, CVE-2025-58057 Oct 23, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix CVE-2025-55163, CVE-2025-48924, CVE-2025-58057 #4339

fix CVE-2025-55163, CVE-2025-48924, CVE-2025-58057 #4339

brianf-aws commented Oct 22, 2025 •

edited

Loading

Uh oh!

brianf-aws commented Oct 23, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

fix CVE-2025-55163, CVE-2025-48924, CVE-2025-58057 #4339

Are you sure you want to change the base?

fix CVE-2025-55163, CVE-2025-48924, CVE-2025-58057 #4339

Conversation

brianf-aws commented Oct 22, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Reviewer objectives

Related Issues

Next steps

Check List

Uh oh!

brianf-aws commented Oct 23, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

brianf-aws commented Oct 22, 2025 •

edited

Loading