[Security] Is opendistro vulnerable for CVE-2022-22965?

[ira-gordin-sap]

We've found in whitesource scan that our opendistro sql plugin uses vulnerable spring-beans-5.2.5.RELEASE.jar:
/elasticsearch/plugins/opendistro-sql/spring-beans-5.2.5.RELEASE.jar
More details: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
We've not found war file in the opendistro pod, so suppose that opendistro is not impacted by GHSA-36p3-wjmg-h94x.
Could you please confirm?
From the other hand it it written there that "the nature of the vulnerability is more general, and there may be other ways to exploit it".

[ira-gordin-sap]

Saw https://github.com/opendistro-for-elasticsearch/sql/security/policy, so closing.