CVE-2021-0341

[gs-ub]

Regarding CVE-2021-0341 - https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection

Base on NexusIQ reporting, this is a high severity issue with verifyHostName of OkHostnameVerifier.java seems to impact all current version of okhttp v3.x and v4.x. The only okhttp version didn't have this issue in v5.0.0-alpha.2.

Would there be patch release on okhttp v3x. or v4.x to have similar changes as
https://android.googlesource.com/platform/external/okhttp/+/ddc934efe3ed06ce34f3724d41cfbdcd7e7358fc

[yschimke]

This was reported upstream to AOSP/Conscrypt after being fixed in OkHttp

See https://github.com/square/okhttp/pull/6353/files which is in 4.9.1

https://android.googlesource.com/platform/external/okhttp/+/ddc934efe3ed06ce34f3724d41cfbdcd7e7358fc

Possibly we could backport to 3.12.x.

cc @swankjesse

[gs-ub]

@yschimke Are you sure this fix make it into 4.9.1?

Base on this https://github.com/square/okhttp/blob/parent-4.9.1/okhttp/src/main/kotlin/okhttp3/internal/tls/OkHostnameVerifier.kt.

I don't see the below fix in verify() line 40 in 4.9.1.
return if (!host.isAscii()) {

If this fix can be backport to 3.12.x, that will be really great.
cc @swankjesse

[swankjesse]

We discussed this the first time it went around. One problem with this CVE is that it considers this class in isolation. In OkHttp we guard against non-ASCII inputs elsewhere so they never reach this function.

In practice the only way to exploit this is to use this function directly from application code, which is very unlikely.

Regardless my experience has been it's easier to ship patches than to explain why they're unnecessary. So sure, let's do a round of patch releases.

[gs-ub]

@swankjesse Thank you for the detail response this regard.

[yschimke]

4.9.x pick https://github.com/square/okhttp/pull/6741/files

[swankjesse]

This was released with 4.9.2.

[yeikel]

Is this included in 4.10.x?

[yschimke]

Yes.

[yeikel]

I am using 4.10.0-RC1 and it is still being detected as a vulnerability

[yschimke]

You are right, and sorry about that. But critically 4.10 was never released and superseded by OkHttp 5.

Either use 4.9.3 or 5 alphas (but new APIs may change).

[yeikel]

You are right, and sorry about that. But critically 4.10 was never released and superseded by OkHttp 5.

Either use 4.9.3 or 5 alphas (but new APIs may change).

Thank you for explaining. I found this in a dependency, so I'll report it to them

[mjiderhamn]

Did you decide not to backport this to 3.x?

[yschimke]

Correct - those are no longer maintained versions.

[bykes]

4.10 is released and it is still being detected as a vulnerability
https://ossindex.sonatype.org/component/pkg:maven/com.squareup.okhttp3/okhttp@4.10.0
Are you plan to fix it on 4.10.x?

[yschimke]

It's fixed https://github.com/square/okhttp/blob/parent-4.10.0/okhttp/src/main/kotlin/okhttp3/internal/tls/OkHostnameVerifier.kt