
Upgrade okio-jvm dependency #5485

Closed
gabesotto opened this issue Sep 27, 2023 · 4 comments · Fixed by #5587
@gabesotto

Is your task related to a problem? Please describe

The version of okio-jvm used (3.0.0) is vulnerable to a DDoS attack. The fix is in 3.1.0.
Fixed here: square/okio#1280

Describe the solution you'd like

Upgrade to at least 3.1.0, but the most recent version is 3.5.0.

Describe alternatives you've considered

No response

Additional context

No response

@Mandeep56Singh

Hello gabesotto,
Is knowing only Java enough to work on this issue?
If not, what other things do I need to know in order to solve this issue?
I would appreciate your help.

@gabesotto

gabesotto commented Oct 5, 2023

Hey @Mandeep56Singh

You shouldn't need any java code, you just need to update your dependencies.
I'm not super familiar with your dependency management, but in your pom.xml your okhttp is severely out of date:

```xml
<okhttp.version>3.12.12</okhttp.version>
<okhttp.bundle.version>3.12.1_1</okhttp.bundle.version>
<okio.version>1.15.0</okio.version>
<okio.bundle.version>1.15.0_1</okio.bundle.version>
```

You should update okhttp to 4.11 if possible: https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp

Also potentially okio? But i would need to review your dependency tree.

You should review your dependency tree (I think you are using Maven), see which packages you have that rely on okio-jvm:3.0.0, and make sure the new dependencies pull in at least 3.1.0.

@gabesotto

gabesotto commented Oct 5, 2023

@Mandeep56Singh

Another thing I just discovered - it seems they backported the fix to okio 1.17.6
square/okio#1334
https://repo1.maven.org/maven2/com/squareup/okio/okio/1.17.6/

I'm still not sure how the dependency between okhttp & okio works in your system without a closer look, but it's possible you may be able to just update that one if you don't want a major version jump.
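One way to act on the dependency-tree review suggested in the two comments above, as an added example that is not part of this issue or the project's code: feed the output of `mvn dependency:tree -Dincludes=com.squareup.okio` to a small checker that flags okio artifacts predating the fixed versions named in this thread (3.1.0, or the 1.17.6 backport on the 1.x line). The sample tree output below is constructed, not taken from a real build.

```python
"""Flag okio artifacts in `mvn dependency:tree` output that predate the fix.

Fixed versions come from this issue: okio 3.1.0 (square/okio#1280) and the
1.x backport in okio 1.17.6 (square/okio#1334). Treating every other line
(including 2.x, which the issue does not discuss) as needing review is an
assumption made here.
"""
import re
from typing import List, Tuple

# Matches tree lines such as
#   [INFO] |  +- com.squareup.okio:okio-jvm:jar:3.0.0:compile
# group(1) = artifactId (okio or okio-jvm), group(2) = version.
_OKIO_RE = re.compile(r"com\.squareup\.okio:(okio(?:-jvm)?):jar:([0-9][0-9.]*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.17.6' into (1, 17, 6) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(version: str) -> bool:
    """True if this okio version contains the fix per the issue discussion."""
    v = parse_version(version)
    if v >= (3, 1, 0):
        return True
    if (1, 17, 6) <= v < (2, 0, 0):  # backported fix on the 1.x line
        return True
    return False


def find_vulnerable(tree_output: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for every okio artifact that predates the fix."""
    hits = []
    for line in tree_output.splitlines():
        match = _OKIO_RE.search(line)
        if match and not is_fixed(match.group(2)):
            hits.append((match.group(1), match.group(2)))
    return hits


# Constructed sample output in dependency:tree format (hypothetical project).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  \\- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] +- com.squareup.okhttp3:logging-interceptor:jar:4.11.0:compile
[INFO] |  \\- com.squareup.okio:okio-jvm:jar:3.0.0:compile
[INFO] \\- some.other:lib:jar:2.0:compile
[INFO]    \\- com.squareup.okio:okio-jvm:jar:3.5.0:compile
"""

if __name__ == "__main__":
    for artifact, version in find_vulnerable(SAMPLE_TREE):
        print(f"{artifact}:{version} predates the fix; pin or upgrade it")
```

Run it against the real tree with `mvn dependency:tree -Dincludes=com.squareup.okio | python check_okio.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.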

@ggee

ggee commented Nov 13, 2023

> <okhttp.version>3.12.12</okhttp.version>

Yes, this version needs to be updated as vulnerabilities have been reported in use. My security scans are failing because of this version.
