OpenSearch Data Prepper plugins trusts all SSL certificates by default
Description
OpenSearch Data Prepper is an open source data collector for observability data. In versions prior to 2.12.2, the OpenSearch sink and source plugins in Data Prepper trust all SSL certificates by default when no certificate path is provided. Prior to this fix, the OpenSearch sink and source plugins would automatically use a trust-all SSL strategy when connecting to OpenSearch clusters if no certificate path was explicitly configured. This behavior bypasses SSL certificate validation, potentially allowing attackers to intercept and modify data in transit through man-in-the-middle attacks. The vulnerability affects connections to OpenSearch when the cert parameter is not explicitly provided. This issue has been patched in version 2.12.2. As a workaround, users can add the cert parameter to their OpenSearch sink or source configuration with the path to the cluster's CA certificate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OpenSearch Data Prepper versions before 2.12.2 trust all SSL certificates by default when no certificate path is configured, enabling man-in-the-middle attacks.
Vulnerability
Overview
In OpenSearch Data Prepper versions prior to 2.12.2, the OpenSearch sink and source plugins trust all SSL certificates by default when no certificate path is provided. If the cert parameter is not explicitly configured, both plugins fall back to a trust-all strategy for the TLS connections they open to OpenSearch clusters: the sink when it writes documents to a cluster, and the source when it reads documents from one. Certificate chain validation is bypassed entirely. The fix (98fcf0d0ff9c) makes the JVM's default trust store the fallback when no cert is given and moves trust-all behind an explicit insecure: true setting. The same patch set also removes a trust-all SSL socket factory and always-true hostname verifier that the geoip processor installed as JVM-wide HttpsURLConnection defaults while downloading its database (b0386a5af3fb).
Exploitation
An attacker positioned on the network path between Data Prepper and an OpenSearch cluster, or able to redirect that traffic (for example through DNS or a compromised proxy), can impersonate the cluster by presenting any certificate, including a self-signed one generated on the fly. No authentication or special privileges are required beyond that network position. The attack surface is the TLS handshake between the Data Prepper plugin and the OpenSearch endpoint: because the client accepts every certificate chain, the handshake completes, the attacker terminates TLS, relays the traffic to the real cluster, and reads or rewrites it in transit.
Impact
Successful exploitation allows man-in-the-middle attacks in which data in transit is read and potentially modified. For the sink this means disclosure or silent alteration of the observability data being indexed (logs, traces and metrics, which routinely carry credentials and personal data) and exposure of the basic-auth username and password the plugin sends with each request; for the source it means tampering with the documents Data Prepper reads back. The result is loss of confidentiality and integrity of the pipeline's data.
Mitigation
The issue is patched in Data Prepper version 2.12.2 [1][2]. Users who cannot upgrade immediately can work around the vulnerability by explicitly adding the cert parameter to their OpenSearch sink or source configuration, pointing to the cluster's CA certificate [1][2]. After upgrading, a deployment whose cluster presents a self-signed or private-CA certificate and that never set cert will fail the TLS handshake (the fix's own test asserts an SSLHandshakeException for exactly that case); the correct response is to add cert, not to set the new insecure: true option, which reinstates trust-all and, in the sink, also disables hostname verification.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
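A configuration audit for this issue, added here as an example and not part of the advisory or the data-prepper project: it walks a parsed pipeline definition, finds every opensearch source and sink, and reports the trust mode each one will run with for a given Data Prepper version. The weak sink configuration (https host, no cert) is shown beside the corrected one; both are constructed samples. The pipeline layout and the hosts, cert and insecure keys follow the advisory and the fix commit; that the source plugin nests cert and insecure under a connection block is an assumption, as is the command-line entry point's use of PyYAML.

```python
"""Audit Data Prepper pipeline definitions for OpenSearch TLS trust gaps.

Added example for GHSA-43ff-rr26-8hx4; not code from the data-prepper project.
Assumptions: the source plugin keeps `cert`/`insecure` under a `connection`
block; the command-line entry point needs PyYAML.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, Iterator, List, Tuple

FIXED_VERSION = (2, 12, 2)   # first release that no longer defaults to trust-all


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.12.2' or '2.12.2-SNAPSHOT' -> (2, 12, 2); ValueError on anything else."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Data Prepper version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True for releases that apply trust-all whenever `cert` is absent."""
    return parse_version(version) < FIXED_VERSION


@dataclass(frozen=True)
class Finding:
    pipeline: str
    role: str       # "source" or "sink"
    severity: str   # "high", "medium" or "info"
    message: str


def _opensearch_plugins(pipeline: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (role, settings) for each opensearch source/sink in one pipeline.
    A source is written as {plugin: settings}; sinks are a list of such maps."""
    source = pipeline.get("source") or {}
    if isinstance(source, dict) and "opensearch" in source:
        yield "source", source["opensearch"] or {}
    for sink in pipeline.get("sink") or []:
        if isinstance(sink, dict) and "opensearch" in sink:
            yield "sink", sink["opensearch"] or {}


def _trust_settings(settings: Dict[str, Any]) -> Tuple[bool, bool]:
    """(has_ca_cert, insecure) from the plugin's top level and, for the source
    plugin, its `connection` sub-block (assumed key name)."""
    scopes = [settings, settings.get("connection") or {}]
    has_ca = any(bool(scope.get("cert")) for scope in scopes)
    insecure = any(scope.get("insecure") is True for scope in scopes)
    return has_ca, insecure


def audit_pipelines(config: Dict[str, Any], data_prepper_version: str) -> List[Finding]:
    """Classify every opensearch source/sink by the trust mode it will run with."""
    vulnerable = is_vulnerable_version(data_prepper_version)
    findings: List[Finding] = []
    for name, pipeline in config.items():
        if not isinstance(pipeline, dict):      # skips e.g. a top-level "version" key
            continue
        for role, settings in _opensearch_plugins(pipeline):
            hosts = [str(h) for h in settings.get("hosts") or []]
            if not any(h.lower().startswith("https://") for h in hosts):
                findings.append(Finding(name, role, "medium",
                    "no https:// host: traffic is plaintext, trust settings never apply"))
                continue
            has_ca, insecure = _trust_settings(settings)
            if insecure:
                findings.append(Finding(name, role, "high",
                    "insecure: true accepts any certificate (the sink also skips hostname checks)"))
            elif has_ca:
                findings.append(Finding(name, role, "info",
                    "cert set: server chain is validated against the pinned CA"))
            elif vulnerable:
                findings.append(Finding(name, role, "high",
                    f"no cert on Data Prepper {data_prepper_version} (< 2.12.2): trust-all applied implicitly"))
            else:
                findings.append(Finding(name, role, "info",
                    "no cert: JVM default trust store is used; fine only if the cluster cert chains to a CA in it"))
    return findings


def has_high_findings(findings: List[Finding]) -> bool:
    return any(f.severity == "high" for f in findings)


# Constructed sample; the YAML equivalent is
#   log-pipeline:
#     source: { http: {} }
#     sink:
#       - opensearch:
#           hosts: ["https://opensearch.example.internal:9200"]
#           username: "dp_writer"
#           password: "<secret>"
#           index: "app-logs"
WEAK_PIPELINE: Dict[str, Any] = {
    "log-pipeline": {
        "source": {"http": {}},
        "sink": [{"opensearch": {
            "hosts": ["https://opensearch.example.internal:9200"],
            "username": "dp_writer", "password": "<secret>", "index": "app-logs",
        }}],
    }
}

# The advisory's workaround applied: same sink plus `cert` pointing at the cluster CA.
FIXED_PIPELINE: Dict[str, Any] = {
    "log-pipeline": {
        "source": {"http": {}},
        "sink": [{"opensearch": {
            "hosts": ["https://opensearch.example.internal:9200"],
            "username": "dp_writer", "password": "<secret>", "index": "app-logs",
            "cert": "/etc/data-prepper/certs/cluster-ca.pem",
        }}],
    }
}

if __name__ == "__main__":
    # Usage: python audit_dp_tls.py 2.11.0 pipelines.yaml [more.yaml ...]
    import sys
    import yaml  # PyYAML; needed only for this command-line path
    for path in sys.argv[2:]:
        with open(path, encoding="utf-8") as fh:
            for finding in audit_pipelines(yaml.safe_load(fh), sys.argv[1]):
                print(f"{finding.severity:<6} {path} {finding.pipeline}/{finding.role}: {finding.message}")
```

Run against a real deployment's pipeline files with the Data Prepper version actually in use; on 2.12.2 or later the same missing cert becomes an "info" rather than a "high", because the JVM default trust store then applies, but it still deserves a look if the cluster uses a private CA, since the connection will fail rather than fall open.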
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.opensearch.dataprepper.plugins:opensearch | Maven | < 2.12.2 | 2.12.2 |
Affected products (2)
- Range: < 2.12.2
- opensearch-project/data-prepper: < 2.12.2
Patches (3)
98fcf0d0ff9c Require full TLS trust in OpenSearch plugins by default unless insecure is configured (#6165)
25 files changed · +284 −22
data-prepper-plugins/opensearch/build.gradle+1 −0 modified@@ -47,6 +47,7 @@ dependencies { testImplementation 'net.bytebuddy:byte-buddy-agent:1.17.6' testImplementation testLibs.slf4j.simple testImplementation project(path: ':data-prepper-test:test-common') + testImplementation 'org.wiremock:wiremock:3.10.0' } sourceSets {
data-prepper-plugins/opensearch/src/integrationTest/java/org/opensearch/dataprepper/plugins/sink/opensearch/OpenSearchIT.java+1 −0 modified@@ -32,6 +32,7 @@ public void testOpenSearchConnection() throws IOException { builder.withUsername(user); builder.withPassword(password); } + builder.withInsecure(true); final AwsCredentialsSupplier awsCredentialsSupplier = mock(AwsCredentialsSupplier.class); final RestHighLevelClient client = builder.build().createClient(awsCredentialsSupplier);
data-prepper-plugins/opensearch/src/integrationTest/java/org/opensearch/dataprepper/plugins/sink/opensearch/OpenSearchSinkIT.java+1 −0 modified@@ -1691,6 +1691,7 @@ private Map<String, Object> initializeConfigurationMetadata(final String indexTy metadata.put(IndexConfiguration.INDEX_ALIAS, indexAlias); metadata.put(IndexConfiguration.TEMPLATE_FILE, templateFilePath); metadata.put(IndexConfiguration.FLUSH_TIMEOUT, -1); + metadata.put("insecure", true); final String user = System.getProperty("tests.opensearch.user"); final String password = System.getProperty("tests.opensearch.password"); if (user != null) {
data-prepper-plugins/opensearch/src/main/java/org/opensearch/dataprepper/plugins/sink/opensearch/ConnectionConfiguration.java+22 −7 modified@@ -384,8 +384,18 @@ private void checkProxyPort(final int port) { } private void attachSSLContext(final HttpAsyncClientBuilder httpClientBuilder) { - final SSLContext sslContext = certPath != null ? getCAStrategy(certPath) : getTrustAllStrategy(); - httpClientBuilder.setSSLContext(sslContext); + final SSLContext sslContext; + if(certPath != null) { + sslContext = getCAStrategy(certPath); + } else if(this.insecure) { + sslContext = getTrustAllStrategy(); + } else { + sslContext = null; + } + if(sslContext != null) { + httpClientBuilder.setSSLContext(sslContext); + } + if (this.insecure) { httpClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE); } @@ -439,7 +449,7 @@ private OpenSearchTransport createOpenSearchTransport(final RestHighLevelClient transportOptions.setRequestCompressionSize(Integer.MAX_VALUE); } - return new AwsSdk2Transport(createSdkHttpClient(), HttpHost.create(hosts.get(0)).getHostName(), + return new AwsSdk2Transport(createSdkHttpClient(), HttpHost.create(hosts.get(0)).toHostString(), serviceName, Region.of(awsRegion), transportOptions.build()); } else { return new RestClientTransport( 
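Review bot: in attachSSLContext, `insecure` still switches the hostname verifier to NoopHostnameVerifier even when certPath is set, so a pipeline with both `cert` and `insecure: true` pins the CA but accepts any hostname; either reject the combination or log a warning when both are present. The trust-all branch here is also silent, whereas the SDK path below logs "Using the trust all strategy"; a WARN in both places would make the opt-in visible to operators. The second hunk's switch from getHostName() to toHostString() changes the endpoint string handed to AwsSdk2Transport (it now includes the port) and has nothing to do with TLS trust; it belongs in its own commit or at least in the PR description.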
@@ -461,11 +471,13 @@ private SdkHttpClient createSdkHttpClient() { } private void attachSSLContext(final ApacheHttpClient.Builder apacheHttpClientBuilder) { - TrustManager[] trustManagers = createTrustManagers(certPath); - apacheHttpClientBuilder.tlsTrustManagersProvider(() -> trustManagers); + TrustManager[] trustManagers = createTrustManagers(certPath, insecure); + if(trustManagers.length > 0) { + apacheHttpClientBuilder.tlsTrustManagersProvider(() -> trustManagers); + } } - private static TrustManager[] createTrustManagers(final Path certPath) { + private static TrustManager[] createTrustManagers(final Path certPath, final boolean insecure) { if (certPath != null) { LOG.info("Using the cert provided in the config."); try (InputStream certificateInputStream = Files.newInputStream(certPath)) { @@ -481,8 +493,11 @@ private static TrustManager[] createTrustManagers(final Path certPath) { } catch (Exception ex) { throw new RuntimeException(ex.getMessage(), ex); } - } else { + } else if(insecure) { + LOG.info("Using the trust all strategy"); return new TrustManager[] { new X509TrustAllManager() }; + } else { + return new TrustManager[0]; } }
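Review bot: createTrustManagers now returns an empty TrustManager[] to mean "use the JVM defaults", and every caller has to remember the `trustManagers.length > 0` guard; an empty array is not the same thing as "no custom trust managers" to the SSL stack, so a caller that forgets the guard silently changes behaviour. Returning null or Optional.empty() with a documented contract would make the intent explicit. Also, `LOG.info("Using the trust all strategy")` should be WARN: it records that certificate validation has been switched off.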
data-prepper-plugins/opensearch/src/main/java/org/opensearch/dataprepper/plugins/source/opensearch/worker/client/OpenSearchClientFactory.java+21 −13 modified@@ -271,7 +271,9 @@ private void setConnectAndSocketTimeout(final org.elasticsearch.client.RestClien private void attachSSLContext(final NettyNioAsyncHttpClient.Builder asyncClientBuilder, final OpenSearchSourceConfiguration openSearchSourceConfiguration) { TrustManager[] trustManagers = createTrustManagers(openSearchSourceConfiguration.getConnectionConfiguration()); - asyncClientBuilder.tlsTrustManagersProvider(() -> trustManagers); + if (trustManagers.length > 0) { + asyncClientBuilder.tlsTrustManagersProvider(() -> trustManagers); + } } private void attachSSLContext(final HttpAsyncClientBuilder httpClientBuilder, final OpenSearchSourceConfiguration openSearchSourceConfiguration) { 
@@ -287,31 +289,37 @@ private void attachSSLContext(final HttpAsyncClientBuilder httpClientBuilder, fi private TrustManager[] createTrustManagers(final ConnectionConfiguration connectionConfiguration) { final Path certPath = connectionConfiguration.getCertPath(); - if (Objects.nonNull(certPath)) { + final String certificate = connectionConfiguration.getCertificate(); + if (certPath != null) { return TrustStoreProvider.createTrustManager(certPath); - } else if (Objects.nonNull(connectionConfiguration.getCertificate())) { - if (PemObjectValidator.isPemObject(connectionConfiguration.getCertificate())) { - return TrustStoreProvider.createTrustManager(connectionConfiguration.getCertificate()); + } else if (certificate != null) { + if (PemObjectValidator.isPemObject(certificate)) { + return TrustStoreProvider.createTrustManager(certificate); } else { - return TrustStoreProvider.createTrustManager(Path.of(connectionConfiguration.getCertificate())); - } - } else { + return TrustStoreProvider.createTrustManager(Path.of(certificate));} + } else if (connectionConfiguration.isInsecure()) { return TrustStoreProvider.createTrustAllManager(); + + } else { + return new TrustManager[0]; } } private SSLContext getCAStrategy(final ConnectionConfiguration connectionConfiguration) { final Path certPath = connectionConfiguration.getCertPath(); - if (Objects.nonNull(certPath)) { + final String certificate = connectionConfiguration.getCertificate(); + if (certPath != null) { return TrustStoreProvider.createSSLContext(certPath); - } else if (Objects.nonNull(connectionConfiguration.getCertificate())) { - if (PemObjectValidator.isPemObject(connectionConfiguration.getCertificate())) { - return TrustStoreProvider.createSSLContext(connectionConfiguration.getCertificate()); + } else if (certificate != null) { + if (PemObjectValidator.isPemObject(certificate)) { + return TrustStoreProvider.createSSLContext(certificate); } else { return 
TrustStoreProvider.createSSLContext(Path.of(connectionConfiguration.getCertificate())); } + } else if (connectionConfiguration.isInsecure()) { + return TrustStoreProvider.createSSLContextWithTrustAllStrategy(); } else { - return TrustStoreProvider.createSSLContextWithTrustAllStrategy(); + return null; } } }
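Review bot: getCAStrategy now returns null in the default case, but its caller in attachSSLContext(HttpAsyncClientBuilder, ...) is not in this diff; confirm it null-checks before setSSLContext the way the sink's version does. Formatting: `return TrustStoreProvider.createTrustManager(Path.of(certificate));}` leaves the closing brace on the return line, and there is a stray blank line after `return TrustStoreProvider.createTrustAllManager();`. Since `certificate` is treated as a file path whenever PemObjectValidator says it is not PEM, a slightly malformed PEM string turns into a file-not-found error; an error message that names both interpretations would save operators some confusion.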
data-prepper-plugins/opensearch/src/test/java/org/opensearch/dataprepper/plugins/sink/opensearch/ConnectionConfiguration_ServerTest.java+186 −0 added@@ -0,0 +1,186 @@ +/* + * Copyright OpenSearch Contributors + * SPDX-License-Identifier: Apache-2.0 + */ + +package org.opensearch.dataprepper.plugins.sink.opensearch; + +import com.github.tomakehurst.wiremock.WireMockServer; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Nested; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.opensearch.client.RequestOptions; +import org.opensearch.client.RestHighLevelClient; +import org.opensearch.client.core.MainResponse; +import org.opensearch.client.opensearch.OpenSearchClient; +import org.opensearch.client.opensearch.core.InfoResponse; +import org.opensearch.dataprepper.aws.api.AwsCredentialsSupplier; +import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider; + +import javax.net.ssl.SSLHandshakeException; +import java.io.IOException; +import java.util.Collections; +import java.util.Map; +import java.util.UUID; + +import static com.github.tomakehurst.wiremock.client.WireMock.get; +import static com.github.tomakehurst.wiremock.client.WireMock.jsonResponse; +import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options; +import static org.hamcrest.CoreMatchers.equalTo; +import static org.hamcrest.CoreMatchers.notNullValue; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.when; + +@ExtendWith(MockitoExtension.class) +class ConnectionConfiguration_ServerTest { + private static WireMockServer wireMockServer; + + @Mock + private AwsCredentialsSupplier 
awsCredentialsSupplier; + + private String host; + + private String clusterUuid; + + @BeforeAll + static void setUpAll() { + wireMockServer = new WireMockServer(options() + .httpDisabled(true) + .dynamicHttpsPort() + .keystorePath("src/test/resources/test_keystore.jks") + .keystorePassword("password") + .keyManagerPassword("password") + ); + + wireMockServer.start(); + } + + @AfterAll + static void tearDownAll() { + wireMockServer.stop(); + } + + @BeforeEach + void setUp() { + host = "https://localhost:" + wireMockServer.httpsPort(); + + clusterUuid = UUID.randomUUID().toString(); + final Map<String, Object> responseBody = Map.of( + "name", "opensearch", + "cluster_name", "opensearch", + "cluster_uuid", clusterUuid, + "version", Map.of( + "number", "2.10.0", + "build_hash", "abcdefg", + "build_date", "20241212", + "build_type", "testing", + "distribution", "datapreppertesting", + "build_snapshot", "false", + "lucene_version", "8", + "minimum_wire_compatibility_version", "2.10.0", + "minimum_index_compatibility_version", "2.10.0" + ), + "tagline", "You Know, for Search" + ); + wireMockServer.stubFor(get("/").willReturn(jsonResponse(responseBody, 200))); + } + + @Nested + class DefaultConfiguration { + private ConnectionConfiguration createObjectUnderTest() { + return new ConnectionConfiguration.Builder(Collections.singletonList(host)) + .build(); + } + + @Test + void createClient_will_not_trust_self_signed_certificates_by_default() { + final RestHighLevelClient client = createObjectUnderTest().createClient(awsCredentialsSupplier); + assertThat(client, notNullValue()); + + assertThrows(SSLHandshakeException.class, () -> client.info(RequestOptions.DEFAULT)); + } + + @Test + void createOpenSearchClient_will_not_trust_self_signed_certificates_by_default() { + final ConnectionConfiguration objectUnderTest = createObjectUnderTest(); + final OpenSearchClient openSearchClient = objectUnderTest.createOpenSearchClient(objectUnderTest.createClient(awsCredentialsSupplier), 
awsCredentialsSupplier); + assertThat(openSearchClient, notNullValue()); + + assertThrows(SSLHandshakeException.class, openSearchClient::info); + } + } + + @Nested + class DefaultSigV4Configuration { + @BeforeEach + void setUp() { + when(awsCredentialsSupplier.getProvider(any())).thenReturn(AnonymousCredentialsProvider.create()); + } + + private ConnectionConfiguration createObjectUnderTest() { + return new ConnectionConfiguration.Builder(Collections.singletonList(host)) + .withAwsSigv4(true) + .withAwsRegion("us-east-1") + .build(); + } + + @Test + void createClient_will_not_trust_self_signed_certificates_by_default() { + final RestHighLevelClient client = createObjectUnderTest().createClient(awsCredentialsSupplier); + assertThat(client, notNullValue()); + + assertThrows(SSLHandshakeException.class, () -> client.info(RequestOptions.DEFAULT)); + } + + @Test + void createOpenSearchClient_will_not_trust_self_signed_certificates_by_default() { + final ConnectionConfiguration objectUnderTest = createObjectUnderTest(); + final OpenSearchClient openSearchClient = objectUnderTest.createOpenSearchClient(objectUnderTest.createClient(awsCredentialsSupplier), awsCredentialsSupplier); + assertThat(openSearchClient, notNullValue()); + + assertThrows(SSLHandshakeException.class, openSearchClient::info); + } + } + + @Nested + class InsecureConfiguration { + private ConnectionConfiguration createObjectUnderTest() { + return new ConnectionConfiguration.Builder(Collections.singletonList(host)) + .withInsecure(true) + .build(); + } + + @Test + void createClient_will_trust_self_signed_certificates_if_insecure() throws IOException { + final RestHighLevelClient client = createObjectUnderTest().createClient(awsCredentialsSupplier); + assertThat(client, notNullValue()); + + final MainResponse infoResponse = client.info(RequestOptions.DEFAULT); + + assertThat(infoResponse, notNullValue()); + assertThat(infoResponse.getClusterName(), equalTo("opensearch")); + 
assertThat(infoResponse.getClusterUuid(), equalTo(clusterUuid)); + } + + + @Test + void createOpenSearchClient_will_trust_self_signed_certificates_if_insecure() throws IOException { + final ConnectionConfiguration objectUnderTest = createObjectUnderTest(); + final OpenSearchClient openSearchClient = objectUnderTest.createOpenSearchClient(objectUnderTest.createClient(awsCredentialsSupplier), awsCredentialsSupplier); + assertThat(openSearchClient, notNullValue()); + + final InfoResponse infoResponse = openSearchClient.info(); + + assertThat(infoResponse, notNullValue()); + assertThat(infoResponse.clusterName(), equalTo("opensearch")); + assertThat(infoResponse.clusterUuid(), equalTo(clusterUuid)); + } + } +} \ No newline at end of file
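Review bot: the new WireMock tests cover the default (handshake fails) and `insecure` (handshake succeeds) cases but not the advisory's actual workaround: there is no test that the builder's certificate option, pointed at the CA behind test_keystore.jks, connects successfully, nor one for `insecure: true` combined with a cert. Asserting SSLHandshakeException in both DefaultConfiguration and DefaultSigV4Configuration is the right fail-closed signal; a one-line comment that httpDisabled(true) is what forces the TLS path would help future readers. The file also lacks a trailing newline.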
data-prepper-plugins/opensearch/src/test/java/org/opensearch/dataprepper/plugins/sink/opensearch/ConnectionConfigurationTests.java+0 −2 modified@@ -150,7 +150,6 @@ void testCreateOpenSearchClientAwsServerlessDefault() throws IOException { when(awsCredentialsSupplier.getProvider(any())).thenReturn(awsCredentialsProvider); final RestHighLevelClient client = connectionConfiguration.createClient(awsCredentialsSupplier); - when(apacheHttpClientBuilder.tlsTrustManagersProvider(any())).thenReturn(apacheHttpClientBuilder); when(apacheHttpClientBuilder.build()).thenReturn(apacheHttpClient); final OpenSearchClient openSearchClient; try (final MockedStatic<ApacheHttpClient> apacheHttpClientMockedStatic = mockStatic(ApacheHttpClient.class)) { @@ -160,7 +159,6 @@ void testCreateOpenSearchClientAwsServerlessDefault() throws IOException { assertNotNull(openSearchClient); assertThat(openSearchClient._transport(), instanceOf(AwsSdk2Transport.class)); assertThat(openSearchClient._transport().jsonpMapper(), instanceOf(PreSerializedJsonpMapper.class)); - verify(apacheHttpClientBuilder).tlsTrustManagersProvider(any()); verify(apacheHttpClientBuilder).build(); openSearchClient.shutdown(); client.close();
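Review bot: dropping the tlsTrustManagersProvider stubbing and its verify leaves the serverless-default test saying nothing about trust configuration; replacing the removed verify with `verify(apacheHttpClientBuilder, never()).tlsTrustManagersProvider(any())` would lock in the new behaviour (no custom trust manager unless cert or insecure is set) instead of merely tolerating it.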
data-prepper-plugins/opensearch/src/test/java/org/opensearch/dataprepper/plugins/source/opensearch/worker/client/OpenSearchClientFactoryTest.java+34 −0 modified@@ -27,6 +27,8 @@ import software.amazon.awssdk.regions.Region; import javax.net.ssl.SSLContext; +import javax.net.ssl.TrustManager; + import java.nio.file.Path; import java.time.Duration; import java.util.Collections; @@ -41,6 +43,7 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mockStatic; import static org.mockito.Mockito.never; +import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyNoInteractions; import static org.mockito.Mockito.when; 
@@ -409,9 +412,40 @@ void createSdkAsyncHttpClient_with_self_signed_certificate() { lenient().when(openSearchSourceConfiguration.getConnectionConfiguration()).thenReturn(connectionConfiguration); lenient().when(connectionConfiguration.getCertPath()).thenReturn(path); try (MockedStatic<TrustStoreProvider> trustStoreProviderMockedStatic = mockStatic(TrustStoreProvider.class)) { + TrustManager[] mockTrustManagers = new TrustManager[] { mock(TrustManager.class) }; + trustStoreProviderMockedStatic.when(() -> TrustStoreProvider.createTrustManager(path)).thenReturn(mockTrustManagers); final SdkAsyncHttpClient sdkAsyncHttpClient = createObjectUnderTest().createSdkAsyncHttpClient(openSearchSourceConfiguration); assertThat(sdkAsyncHttpClient, notNullValue()); trustStoreProviderMockedStatic.verify(() -> TrustStoreProvider.createTrustManager(path)); } } + @Test + void createSdkAsyncHttpClient_with_secure_configuration_and_no_cert_path_does_not_trust_all_managers() { + when(connectionConfiguration.getCertPath()).thenReturn(null); + when(connectionConfiguration.isInsecure()).thenReturn(false); + when(connectionConfiguration.getConnectTimeout()).thenReturn(Duration.ofSeconds(30)); + try (MockedStatic<TrustStoreProvider> trustStoreProviderMockedStatic = mockStatic(TrustStoreProvider.class)) { + final SdkAsyncHttpClient sdkAsyncHttpClient = createObjectUnderTest().createSdkAsyncHttpClient(openSearchSourceConfiguration); + assertThat(sdkAsyncHttpClient, notNullValue()); + trustStoreProviderMockedStatic.verify(() -> TrustStoreProvider.createTrustAllManager(), never()); + trustStoreProviderMockedStatic.verify(() -> TrustStoreProvider.createTrustManager(any(Path.class)), never()); + } + } + + @Test + void createSdkAsyncHttpClient_with_insecure_configuration_and_no_cert_path_trusts_all_managers() { + when(connectionConfiguration.getCertPath()).thenReturn(null); + when(connectionConfiguration.isInsecure()).thenReturn(true); + 
when(connectionConfiguration.getConnectTimeout()).thenReturn(Duration.ofSeconds(30)); + try (MockedStatic<TrustStoreProvider> trustStoreProviderMockedStatic = mockStatic(TrustStoreProvider.class)) { + TrustManager[] mockTrustManagers = new TrustManager[] { mock(TrustManager.class) }; + trustStoreProviderMockedStatic.when(() -> TrustStoreProvider.createTrustAllManager()) + .thenReturn(mockTrustManagers); + final SdkAsyncHttpClient sdkAsyncHttpClient = createObjectUnderTest().createSdkAsyncHttpClient(openSearchSourceConfiguration); + assertThat(sdkAsyncHttpClient, notNullValue()); + trustStoreProviderMockedStatic.verify(() -> TrustStoreProvider.createTrustAllManager(), times(1)); + trustStoreProviderMockedStatic.verify(() -> TrustStoreProvider.createTrustManager(any(Path.class)), never()); + } + } + }
data-prepper-plugins/opensearch/src/test/resources/test_keystore.jks+0 −0 added
e2e-test/log/src/integrationTest/java/org/opensearch/dataprepper/integration/log/EndToEndBasicLogTest.java+1 −0 modified@@ -132,6 +132,7 @@ private RestHighLevelClient prepareOpenSearchRestHighLevelClient() { Collections.singletonList("https://127.0.0.1:9200")); builder.withUsername("admin"); builder.withPassword("admin"); + builder.withInsecure(true); return builder.build().createClient(null); }
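Review bot: test_keystore.jks is a binary whose password ("password"), subject name and expiry date are invisible in review; add a README or the keytool/openssl command that produced it next to the file, including the CN/SAN it carries (the tests connect to localhost and depend on it), so it can be regenerated when it expires. The e2e client switching to withInsecure(true) is the expected consequence of the default change.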
e2e-test/log/src/integrationTest/java/org/opensearch/dataprepper/integration/log/ParallelGrokStringSubstituteLogTest.java+1 −0 modified@@ -100,6 +100,7 @@ private RestHighLevelClient prepareOpenSearchRestHighLevelClient() { Collections.singletonList("https://127.0.0.1:9200")); builder.withUsername("admin"); builder.withPassword("admin"); + builder.withInsecure(true); final AwsCredentialsSupplier awsCredentialsSupplier = mock(AwsCredentialsSupplier.class); return builder.build().createClient(awsCredentialsSupplier); }
e2e-test/log/src/integrationTest/resources/basic-grok-e2e-pipeline-date-pattern-index.yml+1 −0 modified@@ -11,5 +11,6 @@ grok-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index: "test-grok-index-%{yyyy.MM.dd}" flush_timeout: 5000
e2e-test/log/src/integrationTest/resources/basic-grok-e2e-pipeline-with-aws-secrets.yml+1 −0 modified@@ -17,5 +17,6 @@ grok-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "${{aws_secrets:opensearch-sink:username}}" password: "${{aws_secrets:opensearch-sink:password}}" + insecure: true index: "test-grok-index" flush_timeout: 5000 \ No newline at end of file
e2e-test/log/src/integrationTest/resources/basic-grok-e2e-pipeline.yml+1 −0 modified@@ -12,5 +12,6 @@ grok-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index: "test-grok-index" flush_timeout: 5000
e2e-test/log/src/integrationTest/resources/parallel-grok-substitute-e2e-pipeline.yml+2 −0 modified@@ -22,6 +22,7 @@ pipeline2: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index: "test-substitute-index" flush_timeout: 5000 @@ -38,5 +39,6 @@ pipeline3: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index: "test-grok-index" flush_timeout: 5000
e2e-test/peerforwarder/src/integrationTest/java/org/opensearch/dataprepper/integration/peerforwarder/EndToEndLogMetricsTest.java+1 −0 modified@@ -181,6 +181,7 @@ private RestHighLevelClient prepareOpenSearchRestHighLevelClient() { Collections.singletonList("https://127.0.0.1:9200")); builder.withUsername("admin"); builder.withPassword("admin"); + builder.withInsecure(true); final AwsCredentialsSupplier awsCredentialsSupplier = mock(AwsCredentialsSupplier.class); return builder.build().createClient(awsCredentialsSupplier); }
e2e-test/peerforwarder/src/integrationTest/java/org/opensearch/dataprepper/integration/peerforwarder/EndToEndPeerForwarderTest.java+1 −0 modified@@ -117,6 +117,7 @@ private RestHighLevelClient prepareOpenSearchRestHighLevelClient() { Collections.singletonList("https://127.0.0.1:9200")); builder.withUsername("admin"); builder.withPassword("admin"); + builder.withInsecure(true); final AwsCredentialsSupplier awsCredentialsSupplier = mock(AwsCredentialsSupplier.class); return builder.build().createClient(awsCredentialsSupplier); }
e2e-test/peerforwarder/src/integrationTest/resources/aggregate-e2e-pipeline.yml+1 −0 modified@@ -12,5 +12,6 @@ aggregate-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index: "test-peer-forwarder-index" flush_timeout: 5000 \ No newline at end of file
e2e-test/peerforwarder/src/integrationTest/resources/log-metrics-pipeline.yml+1 −0 modified@@ -16,5 +16,6 @@ aggregate-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index: "test-log-metrics-index" flush_timeout: 5000
e2e-test/trace/src/integrationTest/java/org/opensearch/dataprepper/integration/trace/EndToEndRawSpanTest.java+1 −0 modified@@ -115,6 +115,7 @@ public void testPipelineEndToEnd() { Collections.singletonList("https://127.0.0.1:9200")); builder.withUsername("admin"); builder.withPassword("admin"); + builder.withInsecure(true); final RestHighLevelClient restHighLevelClient = builder.build().createClient(null); // Wait for data to flow through pipeline and be indexed by ES await().atLeast(3, TimeUnit.SECONDS).atMost(20, TimeUnit.SECONDS).untilAsserted(
e2e-test/trace/src/integrationTest/java/org/opensearch/dataprepper/integration/trace/EndToEndServiceMapTest.java+1 −0 modified@@ -81,6 +81,7 @@ public void testPipelineEndToEnd() { Collections.singletonList("https://127.0.0.1:9200")); builder.withUsername("admin"); builder.withPassword("admin"); + builder.withInsecure(true); final AwsCredentialsSupplier awsCredentialsSupplier = mock(AwsCredentialsSupplier.class); final RestHighLevelClient restHighLevelClient = builder.build().createClient(awsCredentialsSupplier);
e2e-test/trace/src/integrationTest/resources/raw-span-e2e-pipeline-from-build.yml+1 −0 modified@@ -18,5 +18,6 @@ raw-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index_type: trace-analytics-raw flush_timeout: 5000 \ No newline at end of file
e2e-test/trace/src/integrationTest/resources/raw-span-e2e-pipeline-latest-release.yml+1 −0 modified@@ -18,5 +18,6 @@ raw-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index_type: trace-analytics-raw flush_timeout: 5000
e2e-test/trace/src/integrationTest/resources/raw-span-e2e-pipeline.yml+2 −0 modified@@ -16,10 +16,12 @@ raw-pipeline: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true sink: - opensearch: hosts: [ "https://node-0.example.com:9200" ] username: "admin" password: "admin" + insecure: true index_type: trace-analytics-raw flush_timeout: 5000
e2e-test/trace/src/integrationTest/resources/service-map-e2e-pipeline.yml+1 −0 modified@@ -18,5 +18,6 @@ service-map-pipeline: hosts: ["https://node-0.example.com:9200"] username: "admin" password: "admin" + insecure: true index_type: trace-analytics-service-map flush_timeout: 5000
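Review bot: every e2e pipeline opts into `insecure: true` rather than pointing `cert` at the test cluster's CA, so the end-to-end suite never exercises the secure default against a real OpenSearch; converting at least one pipeline to `cert` would catch regressions in the CA path that the WireMock unit test cannot.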
b0386a5af3fb Use standard TLS when downloading the database from an HTTP URL. (#6163)
2 files changed · +0 −44
data-prepper-plugins/geoip-processor/src/main/java/org/opensearch/dataprepper/plugins/geoip/extension/databasedownload/DBSource.java+0 −43 modified@@ -5,50 +5,7 @@ package org.opensearch.dataprepper.plugins.geoip.extension.databasedownload; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; -import java.security.KeyManagementException; -import java.security.NoSuchAlgorithmException; -import java.security.SecureRandom; -import java.security.cert.CertificateException; -import java.security.cert.X509Certificate; - public interface DBSource { String MAXMIND_DATABASE_EXTENSION = ".mmdb"; void initiateDownload() throws Exception; - - /** - * initiateSSL - * @throws NoSuchAlgorithmException NoSuchAlgorithmException - * @throws KeyManagementException KeyManagementException - */ - default void initiateSSL() throws NoSuchAlgorithmException, KeyManagementException { - final TrustManager[] trustAllCerts = new TrustManager[]{ - new X509TrustManager() { - public X509Certificate[] getAcceptedIssuers() { - return null; - } - public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { - return; - } - public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { - return; - } - } - }; - - final SSLContext sc = SSLContext.getInstance("TLS"); - sc.init(null, trustAllCerts, new SecureRandom()); - HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); - final HostnameVerifier hostnameVerifier = new HostnameVerifier() { - public boolean verify(String urlHostName, SSLSession session) { - return true; - } - }; - HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier); - } }
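Review bot: the removed initiateSSL() installed its trust-all X509TrustManager and always-true HostnameVerifier through HttpsURLConnection.setDefaultSSLSocketFactory and setDefaultHostnameVerifier, i.e. as JVM-wide defaults, so every HttpsURLConnection in the Data Prepper process lost certificate validation once a geoip database download had run, not just the MaxMind fetch. That scope is worth spelling out in the commit message and the advisory, since it affects connections unrelated to the geoip processor.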
data-prepper-plugins/geoip-processor/src/main/java/org/opensearch/dataprepper/plugins/geoip/extension/databasedownload/HttpDBDownloadService.java+0 −1 modified@@ -53,7 +53,6 @@ public void initiateDownload() { for (final String key: databasePaths) { geoIPFileManager.createDirectoryIfNotExist(tarDir); try { - initiateSSL(); buildRequestAndDownloadFile(maxMindDatabaseConfig.getDatabasePaths().get(key), downloadTarFilepath); final File tarFile = decompressAndgetTarFile(tarDir, downloadTarFilepath); unTarFile(tarFile, new File(destinationDirectory), key);
db11ce8f27eb Change "SSL" to "TLS" (#6164)
3 files changed · +3 −3
data-prepper-plugins/geoip-processor/src/main/java/org/opensearch/dataprepper/plugins/geoip/extension/databasedownload/DBSource.java+1 −1 modified@@ -41,7 +41,7 @@ public void checkClientTrusted(X509Certificate[] certs, String authType) throws } }; - final SSLContext sc = SSLContext.getInstance("SSL"); + final SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, trustAllCerts, new SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); final HostnameVerifier hostnameVerifier = new HostnameVerifier() {
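Review bot: changing the protocol string to "TLS" does not touch the actual problem in this method, the trust-all trust manager and always-true hostname verifier a few lines above, which b0386a5af3fb later deletes entirely; on its own this commit gives a misleading impression that the geoip downloader's TLS handling was fixed.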
data-prepper-plugins/kafka-plugins/src/main/java/org/opensearch/dataprepper/plugins/kafka/util/CustomClientSslEngineFactory.java+1 −1 modified@@ -40,7 +40,7 @@ private TrustManager[] getTrustManager() { @Override public SSLEngine createClientSslEngine(final String peerHost, final int peerPort, final String endpointIdentification) { try { - final SSLContext sslContext = SSLContext.getInstance("SSL"); + final SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, getTrustManager(), new SecureRandom()); SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort); sslEngine.setUseClientMode(true);
data-prepper-plugins/kafka-plugins/src/main/java/org/opensearch/dataprepper/plugins/kafka/util/InsecureSslEngineFactory.java+1 −1 modified@@ -39,7 +39,7 @@ public void checkServerTrusted(X509Certificate[] certs, String authType) { public SSLEngine createClientSslEngine(String peerHost, int peerPort, String endpointIdentification) { TrustManager[] trustManagers = new TrustManager[]{ INSECURE_TRUST_MANAGER }; try { - SSLContext sslContext = SSLContext.getInstance("SSL"); + SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, trustManagers, new SecureRandom()); SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort); sslEngine.setUseClientMode(true);
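Review bot: InsecureSslEngineFactory stays trust-all by design (INSECURE_TRUST_MANAGER), which is acceptable for an explicitly named opt-in, but since the same opt-in pattern is being formalised as `insecure` for the OpenSearch plugins in 98fcf0d0ff9c, confirm that the kafka plugin only selects this factory on an explicit setting and logs it at WARN; the protocol-name change itself is cosmetic.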
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/advisories/GHSA-43ff-rr26-8hx4 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-62371 (ghsa, ADVISORY)
- github.com/opensearch-project/data-prepper/commit/98fcf0d0ff9c18f1f7501e11dbed918814724b99 (ghsa, x_refsource_MISC, WEB)
- github.com/opensearch-project/data-prepper/commit/b0386a5af3fb71094ba6c86cd8b2afc783246599 (ghsa, x_refsource_MISC, WEB)
- github.com/opensearch-project/data-prepper/commit/db11ce8f27ebca018980b2bca863f7173de9ce56 (ghsa, x_refsource_MISC, WEB)
- github.com/opensearch-project/data-prepper/security/advisories/GHSA-43ff-rr26-8hx4 (ghsa, x_refsource_CONFIRM, WEB)
News mentions (0)
No linked articles in our index yet.