GHSA-28GG-8QQJ-FHH5

Vulnerability from github – Published: 2025-10-15 20:37 – Updated: 2025-10-15 20:37
VLAI
Summary
OpenSearch Data Prepper uses deprecated SSL protocol identifier
Details

Impact

The GeoIP processor and Kafka source and buffer were using the deprecated "SSL" protocol identifier when creating SSL contexts, potentially allowing the use of insecure SSL protocols instead of modern TLS versions.

Multiple Data Prepper plugins used SSLContext.getInstance("SSL") which could potentially allow the use of deprecated SSL protocols (SSLv2, SSLv3) that have known security vulnerabilities. While modern Java implementations typically default to secure TLS versions even with the "SSL" identifier, explicitly using "TLS" ensures that only secure TLS protocols are negotiated.

The affected components were:

  • GeoIP Processor: The DBSource.initiateSSL() method used for downloading GeoIP databases from external sources

  • Kafka Plugin: Both CustomClientSslEngineFactory and InsecureSslEngineFactory classes used for Kafka client connections

This could potentially allow connections to negotiate weaker SSL protocols instead of enforcing modern TLS versions, reducing the security of data transmission.

Patches

Data Prepper 2.12.2 contains a fix for this issue.

Workarounds

If upgrading is not immediately possible:

  1. Ensure your Java runtime is configured to disable deprecated SSL protocols
  2. Use network-level controls to enforce TLS-only connections
  3. Use external tools to verify that deprecated SSL protocols are not allowed.
Severity
4.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.dataprepper.plugins:geoip-processor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-15T20:37:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe GeoIP processor and Kafka source and buffer were using the deprecated \"SSL\" protocol identifier when creating SSL contexts, potentially allowing the use of insecure SSL protocols instead of modern TLS versions.\n\nMultiple Data Prepper plugins used `SSLContext.getInstance(\"SSL\")` which could potentially allow the use of deprecated SSL protocols (SSLv2, SSLv3) that have known security vulnerabilities. While modern Java implementations typically default to secure TLS versions even with the \"SSL\" identifier, explicitly using \"TLS\" ensures that only secure TLS protocols are negotiated.\n\nThe affected components were:\n\n* GeoIP Processor: The `DBSource.initiateSSL()` method used for downloading GeoIP databases from external sources\n\n* Kafka Plugin: Both `CustomClientSslEngineFactory` and `InsecureSslEngineFactory` classes used for Kafka client connections\n\nThis could potentially allow connections to negotiate weaker SSL protocols instead of enforcing modern TLS versions, reducing the security of data transmission.\n\n### Patches\n\nData Prepper 2.12.2 contains a fix for this issue.\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n1. Ensure your Java runtime is configured to disable deprecated SSL protocols\n2. Use network-level controls to enforce TLS-only connections\n3. Use external tools to verify that deprecated SSL protocols are not allowed.",
  "id": "GHSA-28gg-8qqj-fhh5",
  "modified": "2025-10-15T20:37:29Z",
  "published": "2025-10-15T20:37:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-28gg-8qqj-fhh5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/commit/fa21a601512b5193c4b5c84a5b30c6301dab0475"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/data-prepper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenSearch Data Prepper uses deprecated SSL protocol identifier"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.