No support for okio 3.4 in 2.7.x #36450

Closed
Subrhamanya opened this issue Jul 19, 2023 · 7 comments
Labels
for: external-project For an external project and not something we can fix status: declined A suggestion or change that we don't feel we should currently apply

Comments

@Subrhamanya

Describe the bug
Recently a CVE was reported for okio versions < 3.4.0: CVE-2023-3635
To resolve this CVE, we wanted to override the okio version to 3.4.0. But Spring doesn't support it, it seems.

Sample
Error that we are getting:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'okHttpClientBuilder' defined in class path resource [org/springframework/cloud/commons/httpclient/HttpClientConfiguration$OkHttpClientConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer

We can see that it's coming from okhttp3, which is pulled in by Spring. Is it possible to provide support for okio 3.4 (probably uplifting okhttp3 to 4.9.11 might support it??)

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 19, 2023
@wilkinsona
Member

wilkinsona commented Jul 19, 2023

It's hard to tell without a complete stack trace, but it appears that the incompatibility is between OkHttp's okhttp3.OkHttpClient$Builder and okio. As such, it's not clear why you've reported this as a Spring Boot issue. I can also see that you're using Spring Cloud which is a separate project.

Given the above, I think this is really out of Spring Boot's control. 2.7.x uses OkHttp 4.9.x by default and we won't upgrade to a new minor version of OkHttp in a maintenance release of Spring Boot. Assuming that new minors of OkHttp have not broken backwards compatibility, you should be able to override Boot's dependency management to use a version of OkHttp that meets your needs. If you haven't already, please try to do so.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Jul 19, 2023
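The override wilkinsona suggests, written out as an added pom.xml example that is not from this thread: it assumes a Maven build that inherits Spring Boot 2.7.x dependency management (Boot exposes the managed OkHttp version as the `okhttp3.version` property) and pins the versions discussed above. Whether OkHttp 4.11.0 and okio 3.4.0 actually work together is exactly what the thread goes on to dispute, so treat the resolved tree as something to verify, not assume.

```xml
<!-- pom.xml fragment: override Spring Boot 2.7.x dependency management for OkHttp and okio -->
<properties>
  <!-- Boot manages OkHttp via this property (2.7.x defaults to 4.9.x);
       4.11.0 is the newer minor named later in the thread -->
  <okhttp3.version>4.11.0</okhttp3.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- okio arrives transitively through okhttp and is not covered by the property above,
         so the patched artifact has to be pinned explicitly (CVE-2023-3635 is fixed in 3.4.0).
         Entries here take precedence over versions imported from the Boot BOM. -->
    <dependency>
      <groupId>com.squareup.okio</groupId>
      <artifactId>okio-jvm</artifactId>
      <version>3.4.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Check what actually resolves with `mvn dependency:tree -Dincludes=com.squareup.okhttp3,com.squareup.okio`; if the `NoClassDefFoundError: okio/Buffer` from the report still appears at runtime with these versions, the mismatch is between okhttp and okio themselves rather than anything Boot manages.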
@wilkinsona
Member

As far as I know, there is no 4.9.11 release. On Maven Central, 4.9.3 is the latest 4.9.x release.

@Subrhamanya
Author

Subrhamanya commented Jul 19, 2023

Let me uplift the okhttp along with okio and reach out to you..

@wilkinsona
Member

wilkinsona commented Jul 19, 2023

From here I can see 4.11 https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp-bom

Yes, that's 4.11.0 which, going by major.minor.patch, is a new minor version. FWIW, we have already upgraded to 4.11.0 in 3.2.0-M1 (3.2 is our first new minor since its release).

@wilkinsona wilkinsona added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 19, 2023
@Subrhamanya
Author

Confirmed okhttp 4.11 doesn't support okio 3.4.0. I have tested it.

Thanks @wilkinsona for your time. There is an issue raised to okhttp team square/okhttp#7944

@wilkinsona wilkinsona added the for: external-project For an external project and not something we can fix label Jul 20, 2023
@wilkinsona
Member

Thanks for following up. This will have to be addressed by the maintainers of okio and okhttp.

julianladisch added a commit to folio-org/folio-spring-support that referenced this issue Sep 22, 2023
…3-3635

Upgrade okio-jvm from 3.0.0 to 3.4.0 fixing a Denial of Service (DoS) vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2023-3635

A minor version bump is needed for this security fix. Upstream projects don't do
a minor version bump, this must be done by FOLIO. It's compatible.
square/okhttp#7944
square/okhttp#7994
spring-projects/spring-boot#36450