Upgrade the OpenJDK version #1910

Closed
bbarani opened this issue Jan 14, 2022 · 16 comments
Labels
>breaking Identifies a breaking change. enhancement Enhancement or improvement to existing feature or request untriaged v1.3.0 v2.0.0 Version 2.0.0

Comments

@bbarani
Member

bbarani commented Jan 14, 2022

Is your feature request related to a problem? Please describe.
The current OpenJDK version shipped with OpenSearch is pretty old and contains CVEs that are remediated in the later versions.

Describe the solution you'd like
Upgrade the OpenJDK version of OpenSearch to the latest stable version

Describe alternatives you've considered
NA

Additional context
Forum post discussing this requirement

@bbarani bbarani added enhancement Enhancement or improvement to existing feature or request untriaged labels Jan 14, 2022
@bbarani bbarani changed the title Upgrade the OpenJDK version of OpenSearch Upgrade the OpenJDK version Jan 14, 2022
@saratvemulapalli
Member

Looks like OpenSearch main (a.k.a 2.0.0) is already running with 17.0.1
OpenSearch 1.2, 1.x line is running with 15.0.1

@reta
Collaborator

reta commented Jan 14, 2022

@saratvemulapalli that is correct, @dblock had concerns about backporting the JDK-17 changes to 1.x, so we did not do that.

@dredwilliams

Thanks for entering this for me! JDK 17 would meet the current set of JDK requirements provided by my security team. JDK 15 would need to be newer than 15.0.4.

@reta
Collaborator

reta commented Jan 14, 2022

Uh .... @dredwilliams which distribution would you recommend using? Adoptium / AdoptOpenJDK does not have it, and the OpenJDK project has no references either.

@dredwilliams

Well, then I guess JDK 15 is not an option any longer :-( My security team just gives me a list of what is NOT acceptable ... and 15.0.4 and below are on the list. Sorry ... should have investigated further.

@reta
Collaborator

reta commented Jan 15, 2022

@dblock what are your thoughts on that? We could backport JDK-17 changes to 1.x.

@saratvemulapalli
Member

@reta @dredwilliams am I missing something here?
From what I could read, AdoptJDK doesn't have a new version but OpenJDK does have new versions and the latest is 15.0.6.
Ref: https://wiki.openjdk.java.net/display/JDKUpdates/JDK+15u

@reta
Collaborator

reta commented Jan 15, 2022

@saratvemulapalli correct, OpenJDK is the source, we need a distribution: the binaries. AFAIK Adoptium / AdoptOpenJDK does not provide binaries for 15.0.4 [1], nor does the OpenJDK project [2], but Azul, e.g., does [3] (in fact, this is the only one I found for this particular version).

[1] https://adoptium.net/archive.html
[2] https://jdk.java.net/archive/
[3] https://www.azul.com/downloads/?package=jdk

@jcgraybill

The JDK for 1.X should be an LTS version, which means that we should indeed do the work to backport JDK 17 to 1.x.

@dblock
Member

dblock commented Jan 17, 2022

💯 @jcgraybill

@reta
Collaborator

reta commented Jan 17, 2022

@dblock @jcgraybill @dredwilliams on it

@saratvemulapalli
Member

Closing this as changes are merged to 1.x and will be out in 1.3.0 release.
Feel free to re-open.

@dblock
Member

dblock commented Jan 18, 2022

Just confirming that this change is not part of 1.2.4.

@reta
Collaborator

reta commented Jan 18, 2022

> Just confirming that this change is not part of 1.2.4.

Would it make sense to backport it to 1.2? (personally not sure since 1.3.x release is approaching)

@dblock
Member

dblock commented Jan 18, 2022

> > Just confirming that this change is not part of 1.2.4.
>
> Would it make sense to backport it to 1.2? (personally not sure since 1.3.x release is approaching)

Only if there's a CVE that warrants it. @bbarani

@saratvemulapalli saratvemulapalli added >breaking Identifies a breaking change. v1.3.0 v2.0.0 Version 2.0.0 labels Mar 1, 2022
@dblock
Member

dblock commented Mar 4, 2022

If anyone is reading this for 1.3.0, we're going JDK11 for both building and bundling. See opensearch-project/opensearch-plugins#64 for details.
