[BUG] CVE-2025-24970 Apache Netty < 4.1.118.Final

[NeilBillett]

Describe the bug

As per my question and received advice on the Opensearch forum: https://forum.opensearch.org/t/cve-2025-24970-apache-netty-4-118-final/23580

Please update Apache Netty libs to 4.1.118.Final to address recent high severity CVE-2025-24970 https://nvd.nist.gov/vuln/detail/CVE-2025-24970 and to ensure a clean vulnerability scan against a full tarball deployment of Opensearch 2.x

Looking at current opensearch release 2.19 ( in unpacked tarball) can see affected libs in several places (here searching for just the handler):

[root@test opensearch-2.19.0]# find . -name netty-handler*
./modules/transport-netty4/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-4.1.117.Final.jar
./performance-analyzer-rca/lib/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-ml/netty-handler-4.1.115.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-4.1.117.Final.jar
./plugins/opensearch-performance-analyzer/netty-handler-proxy-4.1.117.Final.jar
./plugins/opensearch-security/netty-handler-4.1.117.Final.jar

Related component

No response

To Reproduce

Install Opensearch 2.19.0

Expected behavior

Apache Netty libs upgraded to 4.1.118.Final throughout product

Additional Details

Plugins
Please list all plugins currently enabled.

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

• OS: [e.g. iOS]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

[andrross]

@NeilBillett The 2.19.1 patch release is imminent and will include this update: opensearch-project/opensearch-build#5323

[reta]

Closing this one, will be fixed in 2.19.1