GHSA-28gg-8qqj-fhh5
MEDIUMOpenSearch Data Prepper uses deprecated SSL protocol identifier
Blast Radius
org.opensearch.dataprepper.plugins:geoip-processorReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Impact
The GeoIP processor and Kafka source and buffer were using the deprecated "SSL" protocol identifier when creating SSL contexts, potentially allowing the use of insecure SSL protocols instead of modern TLS versions.
Multiple Data Prepper plugins used SSLContext.getInstance("SSL") which could potentially allow the use of deprecated SSL protocols (SSLv2, SSLv3) that have known security vulnerabilities. While modern Java implementations typically default to secure TLS versions even with the "SSL" identifier, explicitly using "TLS" ensures that only secure TLS protocols are negotiated.
The affected components were:
-
GeoIP Processor: The
DBSource.initiateSSL()method used for downloading GeoIP databases from external sources -
Kafka Plugin: Both
CustomClientSslEngineFactoryandInsecureSslEngineFactoryclasses used for Kafka client connections
This could potentially allow connections to negotiate weaker SSL protocols instead of enforcing modern TLS versions, reducing the security of data transmission.
Patches
Data Prepper 2.12.2 contains a fix for this issue.
Workarounds
If upgrading is not immediately possible:
- Ensure your Java runtime is configured to disable deprecated SSL protocols
- Use network-level controls to enforce TLS-only connections
- Use external tools to verify that deprecated SSL protocols are not allowed.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.opensearch.dataprepper.plugins:geoip-processor | ≥ 2.4.0&&< 2.12.2 | 2.12.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.opensearch.dataprepper.plugins:geoip-processor. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.opensearch.dataprepper.plugins:geoip-processor to 2.12.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-28gg-8qqj-fhh5 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-28gg-8qqj-fhh5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-28gg-8qqj-fhh5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-28gg-8qqj-fhh5 in your dependencies?
O3 detects GHSA-28gg-8qqj-fhh5 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.