Okhttp 4.11.0 transitive dependency okio 3.2 needs to be updated to okio 3.4.0 to mitigate CVE #7944
Comments
+1 okhttp 4.11 doesn't support okio 3.4.0. We get errors if we try to override the version.

What are the errors you get?

I am using Spring and Spring pulls it via okhttp3:

```
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'okHttpClientBuilder' defined in class path resource [org/springframework/cloud/commons/httpclient/HttpClientConfiguration$OkHttpClientConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer
```

Specifically okhttp3.OkHttpClient$Builder
That looks more like an issue with your build. Can you share the dependency section of your build?

- com.squareup.okhttp3:okhttp:jar:4.9.11:compile

Complete stack trace:

```
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer
```

If I use okhttp 4.9.3 with 2.10, I don't get any errors. Only when I uplift okhttp --> 4.11 and okio --> 3.4 do I get this error.

I reached out to Spring thinking that Spring is not supported. My guess is okhttp is not supported with okio 3.4.0? spring-projects/spring-boot#36450 @yschimke, is okhttp 4.11 working with okio 3.4 for you?
Updating on #7947, but it will bump up to Kotlin 1.9.0. I tested a build with these dependencies, and it worked fine.

It looks like you are hitting square/okio#1067, cc @swankjesse. So maybe try okio-jvm as a workaround. It's meant to be supported in https://github.com/square/okio/blob/master/build.gradle.kts#L138
Closing, as no one should be blocked on this: you can update okio in your own project to mitigate the CVE. If it's still flagging after you bump okio, it's an issue with your build or the CVE scanner. We will release 4.12 soon after fixing another issue; not rushing for this.
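One way to do what the two maintainer comments above describe (pin the transitive okio yourself, then verify that nothing older is still resolved), as an added example that is not part of this thread and not OkHttp's own build file. It is a Gradle Kotlin DSL build that constrains both `com.squareup.okio:okio` and `com.squareup.okio:okio-jvm` to 3.4.0 (the okio-jvm artifact is the workaround suggested above) and adds a task that fails the build if an older okio artifact still ends up on the runtime classpath. The Kotlin plugin version and the `checkOkio` task name are assumptions; the coordinates and the 3.4.0 floor are the ones discussed in the thread.

```kotlin
// build.gradle.kts (added example, not OkHttp's own build file)
plugins {
    kotlin("jvm") version "1.9.0"   // assumed plugin version
}

repositories {
    mavenCentral()
}

// Compare dotted numeric versions; non-numeric suffixes are ignored and
// missing segments count as 0. Returns true when `version` sorts below `floor`.
fun isOlderThan(version: String, floor: String): Boolean {
    fun parts(v: String) = v.split('.').map { seg ->
        seg.takeWhile { c -> c.isDigit() }.toIntOrNull() ?: 0
    }
    val a = parts(version)
    val b = parts(floor)
    for (i in 0 until maxOf(a.size, b.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = b.getOrElse(i) { 0 }
        if (x != y) return x < y
    }
    return false
}

dependencies {
    implementation("com.squareup.okhttp3:okhttp:4.11.0")

    constraints {
        // okio 3.x ships as a multiplatform root artifact ("okio") plus a
        // platform artifact ("okio-jvm"). Pin both so that whichever one the
        // resolver picks is the patched release.
        implementation("com.squareup.okio:okio:3.4.0") {
            because("CVE-2023-3635 (GzipSource DoS) is fixed in okio 3.4.0")
        }
        implementation("com.squareup.okio:okio-jvm:3.4.0") {
            because("CVE-2023-3635 (GzipSource DoS) is fixed in okio 3.4.0")
        }
    }
}

// Assumed task name. Checks what actually resolved on the runtime classpath
// (what the JVM and a CVE scanner see), not merely what was declared.
val checkOkio by tasks.registering {
    description = "Fails if any okio artifact older than 3.4.0 is on the runtime classpath"
    doLast {
        val okioArtifacts = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "com.squareup.okio" }
        okioArtifacts.forEach { logger.lifecycle("resolved ${it.group}:${it.name}:${it.version}") }
        val vulnerable = okioArtifacts.filter { isOlderThan(it.version, "3.4.0") }
        if (vulnerable.isNotEmpty()) {
            throw GradleException("okio below 3.4.0 still on the runtime classpath: $vulnerable")
        }
    }
}

tasks.named("check") {
    dependsOn(checkOkio)
}
```

Run `./gradlew checkOkio` (or plain `check`) after bumping; the logged `resolved ...` lines are the evidence to compare against whatever the scanner reports. For a Maven build, where the thread reports `NoClassDefFoundError: okio/Buffer` after overriding only the root `okio` artifact, the equivalent is to pin `com.squareup.okio:okio-jvm:3.4.0` in `dependencyManagement` and confirm the resolved version with `mvn dependency:tree`.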
@yschimke It shouldn't flag, however I'm not updating a transitive dependency as okhttp 4.11 hasn't passed any kind of testing with the updated okio library. This particular CVE is not likely to affect me due to the specific nature of the attack, but I'd argue that any potential CVE as serious as a potential DoS should have some sense of immediacy. I'll patiently wait for 4.12.
The dup #7946, correctly pointing here, is closed. I argue this issue here shouldn't be closed until a new 4.x including okio 3.4 is released.

Hello, any ETA for the 4.12 release? Thank you.

No, not at the moment. If the CVE is hitting you, update okio in your project.

How soon is soon? Any ETA for the 4.12 release?
…3-3635 Upgrade okio-jvm from 3.0.0 to 3.4.0 fixing a Denial of Service (DoS) vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 A minor version bump is needed for this security fix. Upstream projects don't do a minor version bump; this must be done by FOLIO. It's compatible. square/okhttp#7944 square/okhttp#7994 spring-projects/spring-boot#36450

Seems like 4.12 was released last week and it resolves the issue.
[email protected]:kusl/hellokotlin.git

The warning indicates that the version of Okio you're using has a known vulnerability (CVE-2023-3635) related to an incorrect conversion between numeric types, which can lead to a denial of service¹²³. To resolve this, you should update Okio to a version that includes the fix for this vulnerability.

### Updated Dependencies

Here's the updated `build.gradle.kts` file with the latest stable versions, including the fixed version of Okio:

```kotlin
plugins {
    kotlin("jvm") version "2.0.10"
}

repositories {
    mavenCentral()
}

dependencies {
    implementation("com.squareup.okhttp3:okhttp:4.12.0")
    implementation("com.google.code.gson:gson:2.11.0")
    implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:1.9.0")
    implementation("net.harawata:appdirs:1.2.2")
    implementation("com.squareup.okio:okio:3.4.0") // Updated to the fixed version
}
```

### Explanation

- **Okio**: Updated to version `3.4.0`, which includes the fix for CVE-2023-3635¹²³.

This should resolve the vulnerability warning and ensure your project is using secure dependencies. If you have any more questions or need further assistance, feel free to ask!

¹: [NVD - CVE-2023-3635](https://nvd.nist.gov/vuln/detail/CVE-2023-3635)
²: [Security Bulletin: Vulnerability in Okio GzipSource affects IBM Process Mining](https://www.ibm.com/support/pages/security-bulletin-vulnerability-okio-gzipsource-affects-ibm-process-mining-cve-2023-3635)
³: [Okhttp 4.11.0 transitive dependency okio 3.2 needs to be updated](square/okhttp#7944)

Source: Conversation with Copilot, 8/13/2024

(1) NVD - CVE-2023-3635. https://nvd.nist.gov/vuln/detail/CVE-2023-3635.
(2) Security Bulletin: Vulnerability in Okio GzipSource affects IBM Process .... https://www.ibm.com/support/pages/security-bulletin-vulnerability-okio-gzipsource-affects-ibm-process-mining-cve-2023-3635.
(3) CVE-2023-3635 (High) detected in okio-jvm-3.0.0.jar, okio-2.8.0.jar .... opensearch-project/sql#2037.
(4) Okhttp 4.11.0 transitive dependency okio 3.2 needs to be ... - GitHub. square/okhttp#7944.
(5) Okio Signed to Unsigned Conversion Error vulnerability · CVE-2023-3635 .... GHSA-w33c-445m-f8w7.
(6) undefined. square/okio@81bce1a.
(7) undefined. https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/.
(8) undefined. https://exchange.xforce.ibmcloud.com/vulnerabilities/260866.
As the title suggests, the 4.11.0 (and presumably earlier) versions of okhttp have a transitive dependency on com.squareup.okio:[email protected], which has vulnerability CVE-2023-3635 (as reported by Snyk.io).

Okhttp needs to be updated to depend on okio 3.4.0 or later, which fixes this vulnerability.