CVE-2022-41918 OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana

You can read more about the problem and the fix in the changelog. OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking): they are not correctly applied to the indices that back data streams, potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue.
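A triage sketch for the issue described above, added here as an example and not taken from the OpenSearch project: it flags roles whose document-level, field-level or masking rules cover a data stream and lists the backing indices whose reads should be re-tested after upgrading. It assumes roles in the security plugin's roles.yml layout and backing indices named .ds-<stream>-<generation>; the role names, stream names and values are constructed, and fnmatch only approximates OpenSearch wildcard matching.

```python
import fnmatch

# Releases the advisory text names as fixed. Treating earlier releases on the
# same major line as affected is an assumption of this example.
FIXED = {1: (1, 3, 7), 2: (2, 4, 0)}

def is_affected(version: str) -> bool:
    parts = tuple(int(p) for p in version.split("-")[0].split(".")[:3])
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed

def fgac_rules(perm: dict) -> list:
    """Fine-grained controls (DLS, FLS, masking) set on one permission entry."""
    return [k for k in ("dls", "fls", "masked_fields") if perm.get(k)]

def roles_to_review(roles: dict, data_streams: dict) -> list:
    """(role, stream, rules, backing indices) for each rule covering a stream."""
    findings = []
    for role, body in sorted(roles.items()):
        for perm in body.get("index_permissions", []):
            rules = fgac_rules(perm)
            patterns = perm.get("index_patterns", [])
            for stream, backing in sorted(data_streams.items()):
                if rules and any(fnmatch.fnmatchcase(stream, p) for p in patterns):
                    findings.append((role, stream, rules, backing))
    return findings

# Constructed sample input: two roles and two data streams with their
# backing indices (.ds-<stream>-<generation>).
ROLES = {
    "support_readonly": {"index_permissions": [{
        "index_patterns": ["logs-*"],
        "dls": '{"term": {"tenant": "acme"}}',
        "masked_fields": ["client_ip"],
        "allowed_actions": ["read"]}]},
    "metrics_reader": {"index_permissions": [{
        "index_patterns": ["metrics-*"], "allowed_actions": ["read"]}]},
}
DATA_STREAMS = {
    "logs-app": [".ds-logs-app-000001", ".ds-logs-app-000002"],
    "metrics-host": [".ds-metrics-host-000001"],
}

if __name__ == "__main__":
    print("2.3.0 affected:", is_affected("2.3.0"))
    for role, stream, rules, backing in roles_to_review(ROLES, DATA_STREAMS):
        print(f"{role}: {'/'.join(rules)} on {stream}; re-test reads of {backing}")
```
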

How to upgrade from 1.3.7 or 2.4.0 to 2.4.1 or later? There are two options:

Option 1 – Update from the command line:

curl -L -o install.zip https://github.com/OpenSearch/OpenSearch/releases/download/v2.4.1/OpenSearch-2.4.1-linux64.zip
unzip -d -t OpenSearch-2.4.1-linux64.zip -d /usr/local/bin
mv OpenSearch /bin
rm OpenSearch-2.4.1-linux64.zip
rm -f install.zip

Option 2 – Update from the GUI: Go to System menu > Update Manager, click on the checkbox next to “OpenSearch” and click “Apply”.

LibreZinc

LibreZinc is an open source implementation of the Zinc library, which provides fast and easy to use JSON data modeling and serialization. The current version of LibreZinc is 0.5, released on February 11th, 2018.

To upgrade to the latest version:
1) Download the zip file from https://github.com/librezinc/librezinc/releases/download/v0.5.0/librezinc-0.5.0-linux64 (or the file for your operating system)
2) Extract librezinc-0.5.0-linux64 to a directory such as /usr/local
3) Update LD_LIBRARY_PATH to include the directory where you extracted librezinc
4) Run "source /etc/profile", then "./bin/run-zinctl"

OpenSearch 2.4.1 and later fix a security issue

OpenSearch 2.4.0 and later fix a security issue where fine-grained access control rules (document-level security, field-level security and field masking) are not correctly applied to the indices that back data streams, potentially leading to incorrect access authorization. Users are advised to update as soon as possible. There is no workaround for this issue.

OpenSearch has released a fixed version for this problem today, February 1st 2018.
