[Backport 2.4] Upgrade CXF to 3.5.5 to address CVE-2022-46363 #2358
Signed-off-by: Stephen Crawford <[email protected]>
Signed-off-by: Stephen Crawford <[email protected]>
(cherry picked from commit 93faf75)
Codecov Report
@@ Coverage Diff @@
## 2.4 #2358 +/- ##
============================================
- Coverage 61.06% 61.05% -0.02%
+ Complexity 3251 3249 -2
============================================
Files 258 258
Lines 18131 18131
Branches 3232 3232
============================================
- Hits 11072 11069 -3
- Misses 5488 5491 +3
Partials 1571 1571
WhiteSource check failure is due to stale artifact. Core already has updated netty to 4.1.86.Final on 2.4 branch. This issue should resolve itself once fresh artifacts become available. https://github.com/opensearch-project/security/pull/2358/checks?check_run_id=10124860210
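The PR description and the comment above name two minimum versions a 2.4 build should resolve to: CXF 3.5.5 (for CVE-2022-46363) and netty 4.1.86.Final. A quick way to confirm that a build really pulls those versions, including transitively, is to scan `gradle dependencies` output for any artifact in those groups below the minimum. The script below is an added example, not code from this PR or from the OpenSearch project. It assumes Gradle's usual `group:artifact:version` tree format (with `requested -> selected` where a conflict was resolved) and matches on the `org.apache.cxf` and `io.netty` group ids; the dependency tree it runs against is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Minimum safe versions quoted in the thread: CXF 3.5.5 (CVE-2022-46363) and
# netty 4.1.86.Final on the 2.4 branch. Matching on the group id alone is an
# assumption of this example; adjust if only specific artifacts matter.
MIN_SAFE_VERSIONS: Dict[str, str] = {
    "org.apache.cxf": "3.5.5",
    "io.netty": "4.1.86.Final",
}

# group:artifact:version, optionally followed by Gradle's "-> selected" marker
# when version conflict resolution picked a different version than requested.
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+)"
    r"(?:\s*->\s*([A-Za-z0-9_.\-]+))?"
)

# Constructed sample of `gradle dependencies` output for the example.
SAMPLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.cxf:cxf-rt-frontend-jaxrs:3.5.4
|    +--- org.apache.cxf:cxf-core:3.5.4
|    \\--- jakarta.ws.rs:jakarta.ws.rs-api:2.1.6
+--- io.netty:netty-handler:4.1.84.Final -> 4.1.86.Final
+--- io.netty:netty-codec-http:4.1.86.Final
\\--- com.fasterxml.jackson.core:jackson-databind:2.14.1
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '4.1.86.Final' into (4, 1, 86) for ordering.

    Non-numeric qualifiers such as 'Final' are dropped. That is a deliberate
    simplification that is fine for CXF and netty release versions; it would
    misorder '3.5.5-SNAPSHOT' against '3.5.5', so do not rely on it there.
    """
    return tuple(int(p) for p in re.findall(r"\d+", version))


def vulnerable_artifacts(dependency_tree: str) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, resolved_version, minimum) for each artifact
    whose resolved version is below the minimum recorded for its group.

    The version Gradle actually puts on the classpath is the one after '->'
    when present, so the check is made against that, not the requested one.
    Repeated occurrences of the same coordinate are reported once.
    """
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    for line in dependency_tree.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, requested, selected = m.groups()
        resolved = selected or requested
        minimum = MIN_SAFE_VERSIONS.get(group)
        if minimum is None:
            continue
        key = (f"{group}:{artifact}", resolved)
        if key in seen:
            continue
        seen.add(key)
        if version_key(resolved) < version_key(minimum):
            findings.append((key[0], resolved, minimum))
    return findings


if __name__ == "__main__":
    for coord, resolved, minimum in vulnerable_artifacts(SAMPLE_TREE):
        print(f"{coord} resolves to {resolved}, below minimum {minimum}")
```

Run it against real output with `./gradlew dependencies --configuration runtimeClasspath`, then compare each published artifact the same way: the WhiteSource note above is exactly the case where the source tree is already fixed but the scanned artifact was built before the bump, so checking the artifact that ships, not just the build file, is what closes the gap.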
Hi! The CVE this merge addresses is scored with 9.8. The 2.4.1 release of OpenSearch is affected and this is a cause for concern for users. I was expecting a release of 2.4.2 together with 2.5.0 that would address this issue. Is there a plan to release a 2.4.2? Otherwise we will be forcing people to move to 2.5. If not, is there documentation somewhere explaining the policy on patch release decisions? Thanks!
Hi @br3no, We release fixes with every minor version, and backport to the 1.x line when needed, but do not backport to every minor version prior. Please see https://opensearch.org/releases.html#maintenance-policy for more info on our maintenance policy. An upgrade from 2.4.1 to 2.5.0 should be a seamless one (as seamless as an upgrade to 2.4.2 would have been) as we follow SemVer and ensure no breaking changes are added in minor versions. Thanks!
Hi @davidlago, thanks for the link! The upgrade is only seamless if the users are not using 3rd party plugins that need to be ported to the next version. Since OpenSearch is very strict about the matching of versions in plugins, this is potentially an issue that could be improved on. (either allow plugins to run with at least adjacent minor versions, or automatically release patches of the latest minor on critical CVEs?) Cheers!
You are 100% correct @br3no. Relaxing our version coupling is something that we've been talking about for a while, and I believe it is one of the features we're keeping in mind as we design the new iteration of plugins: extensions. Here is the meta issue where we are discussing this: opensearch-project/opensearch-sdk-java#337
Backport 93faf75 from #2350