PT-2026-41509 · Redsoft · Opensearch

Published 2026-05-07 · Updated 2026-05-29

CVSS v3.1: 2.2 (Low)

Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

OpenSearch versions 2.18.0 through 2.19.3
OpenSearch versions 3.0.0 through 3.2.x

Description

A regression caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When the setting was enabled, the system failed to verify that the hostname in a connecting node's TLS certificate matched the hostname of the connection. As a result, a node presenting a valid certificate signed by the cluster's trusted CA could join the cluster even if the certificate's Subject Alternative Name (SAN) did not match. The issue affects only the hostname verification check; general certificate validation (chain and trust checks) is not impacted.

Recommendations

Update to version 2.19.4 (2.x line) or 3.3.0 (3.x line). Use more restrictive values for plugins.security.nodes_dn to limit which certificates are accepted for node-to-node communication.
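The following opensearch.yml fragment illustrates the mitigation recommended above. It is an added example, not configuration taken from the advisory or from the OpenSearch project; the certificate DNs are constructed placeholders. The first block shows a permissive nodes_dn that, on an affected version, relies entirely on the ineffective hostname check; the second lists each node's certificate DN explicitly, so a certificate with a mismatching SAN is rejected by DN matching even when hostname verification is not enforced.

```yaml
# --- Permissive (relies on hostname verification, which the regression disabled) ---
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.nodes_dn:
  # Any certificate issued by the cluster CA under this OU is accepted as a node.
  # On an affected version nothing else ties the certificate to the connecting host.
  - 'CN=*,OU=nodes,O=Example Corp,C=US'          # constructed placeholder DN

# --- Restrictive (recommended while unpatched, and good practice afterwards) ---
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.nodes_dn:
  # One entry per cluster node; a certificate whose subject is not listed here
  # is not treated as a node even if the cluster CA signed it.
  - 'CN=node-1.cluster.example.internal,OU=nodes,O=Example Corp,C=US'   # constructed
  - 'CN=node-2.cluster.example.internal,OU=nodes,O=Example Corp,C=US'   # constructed
  - 'CN=node-3.cluster.example.internal,OU=nodes,O=Example Corp,C=US'   # constructed
```

Keep the explicit DN list in sync with the certificates actually issued to cluster nodes; a node whose DN is absent from plugins.security.nodes_dn will fail to join, which is the intended behaviour for an unexpected certificate. Upgrading to a fixed version restores the hostname check, but the explicit list remains a useful second control.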

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

GHSA-X5HG-X4GV-J98M

Affected Products

Opensearch
Opensearch-Ingest-Attachment-Plugin
Opensearch-Mapper-Annotated-Text-Plugin
Opensearch-Mapper-Murmur3-Plugin
Opensearch-Mapper-Size-Plugin
Opensearch-Repository-Hdfs-Plugin
Opensearch-Repository-S3-Plugin
Opensearch-Store-Mb-Plugin
Opensearch-Transport-Nio-Plugin
Org.Opensearch.Plugin:Opensearch-Security