GHSA-28gg-8qqj-fhh5: 
Java vulnerability analysis and mitigation

The vulnerability (GHSA-28gg-8qqj-fhh5) affects OpenSearch Data Prepper versions 2.4.0 through 2.12.2, involving the use of deprecated SSL protocol identifiers in the GeoIP processor and Kafka source and buffer components. The issue was discovered and disclosed on October 15, 2025, affecting the maven package org.opensearch.dataprepper.plugins:geoip-processor. The vulnerability has been assigned a moderate severity rating with a CVSS score of 4.8 (GitHub Advisory).

The vulnerability stems from the use of SSLContext.getInstance("SSL") in multiple Data Prepper plugins, which could potentially allow the use of deprecated SSL protocols (SSLv2, SSLv3) that have known security vulnerabilities. The affected components include the GeoIP Processor's DBSource.initiateSSL() method used for downloading GeoIP databases and the Kafka Plugin's CustomClientSslEngineFactory and InsecureSslEngineFactory classes used for Kafka client connections. While modern Java implementations typically default to secure TLS versions even with the "SSL" identifier, the use of deprecated protocols presents a security risk. The vulnerability has been assigned CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network attack vector with high complexity (GitHub Advisory).

The vulnerability could potentially allow connections to negotiate weaker SSL protocols instead of enforcing modern TLS versions, reducing the security of data transmission. This impacts both the confidentiality and integrity of data, particularly affecting GeoIP database downloads and Kafka client connections (GitHub Advisory).

The vulnerability has been patched in Data Prepper version 2.12.2. For users unable to upgrade immediately, several workarounds are available: ensure Java runtime is configured to disable deprecated SSL protocols, implement network-level controls to enforce TLS-only connections, and use external tools to verify that deprecated SSL protocols are not allowed (GitHub Advisory).