Okhttp 4.11.0 transitive dependency okio 3.2 needs to be updated to okio 3.4.0 to mitigate CVE

[tsollas]

As the title suggests, the 4.11.0 (and presumably earlier) versions of okhttp have a transitive dependency on
com.squareup.okio:okio@3.2.0, which has vulnerability CVE-2023-3635 (as reported by Snyk.io).

Okhttp needs to be updated to depend on okio 3.4.0 or later which fixes this vulnerability.

[Subrhamanya]

+1

okhttp 4.11 doesn't support okio 3.4.0. We get errors if we try to override the version.

[yschimke]

What are the errors you get?

[Subrhamanya]

I am using spring and spring pulls it via okhttp3

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'okHttpClientBuilder' defined in class path resource [org/springframework/cloud/commons/httpclient/HttpClientConfiguration$OkHttpClientConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer

[Subrhamanya]

Specifically

okhttp3.OkHttpClient$Builder

In file https://github.com/square/okhttp/blob/parent-4.11.0/okhttp/src/main/kotlin/okhttp3/OkHttpClient.kt

[yschimke]

That looks like more like an issue with your build. Can you share the dependency section of your build?

[Subrhamanya]

- com.squareup.okhttp3:okhttp:jar:4.9.11:compile
- com.squareup.okio:okio:jar:3.4.0:compile

Complete stack trace

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185) ~[spring-beans-5.3.28.jar!/:5.3.28]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.28.jar!/:5.3.28]
... 25 common frames omitted
Caused by: java.lang.NoClassDefFoundError: okio/Buffer
at okhttp3.ResponseBody$Companion.create(ResponseBody.kt:248) ~[okhttp-4.11.0.jar!/:na]
at okhttp3.ResponseBody$Companion.create$default(ResponseBody.kt:247) ~[okhttp-4.11.0.jar!/:na]
at okhttp3.internal.Util.(Util.kt:65) ~[okhttp-4.11.0.jar!/:na]
at okhttp3.internal.concurrent.TaskRunner.(TaskRunner.kt:309) ~[okhttp-4.11.0.jar!/:na]
at okhttp3.ConnectionPool.(ConnectionPool.kt:41) ~[okhttp-4.11.0.jar!/:na]
at okhttp3.ConnectionPool.(ConnectionPool.kt:47) ~[okhttp-4.11.0.jar!/:na]
at okhttp3.OkHttpClient$Builder.(OkHttpClient.kt:471) ~[okhttp-4.11.0.jar!/:na]
at org.springframework.cloud.commons.httpclient.HttpClientConfiguration$OkHttpClientConfiguration.okHttpClientBuilder(HttpClientConfiguration.java:74) ~[spring-cloud-commons-3.1.7.jar!/:3.1.7]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_372]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_372]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_372]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_372]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.28.jar!/:5.3.28]
... 26 common frames omitted
Caused by: java.lang.ClassNotFoundException: okio.Buffer
at java.net.URLClassLoader.findClass(URLClassLoader.java:387) ~[na:1.8.0_372]
at java.lang.ClassLoader.loadClass(ClassLoader.java:418) ~[na:1.8.0_372]

if I use okhttp 4.9.3 with 2.10 I won't get any errors. Only when I uplift okhttp --> 4.11 and okio --> 3.4 I get this error

[Subrhamanya]

I reached out to spring thinking that spring is not supported. My guess is okhttp is not supported with okio 3.4.0?

spring-projects/spring-boot#36450

@yschimke is okhttp 4.11 working with okio 3.4 for you?

[yschimke]

Updating on #7947

But it will bump up to kotlin 1.9.0.

I tested a build with these dependencies, and it worked fine.

    implementation("com.squareup.okhttp3:okhttp:4.11.0")
    implementation("com.squareup.okio:okio:3.4.0")

It looks like you are hitting square/okio#1067, cc @swankjesse

So maybe try okio-jvm as a workaround.

It's meant to be supported in https://github.com/square/okio/blob/master/build.gradle.kts#L138
and also showing at https://mvnrepository.com/artifact/com.squareup.okio/okio/3.4.0

[yschimke]

Closing, as no one should be blocked on this, you can update okio in your own project to mitigate the CVE. If it's still flagging after you bump okio, it's an issue with your build or the CVE scanner.

We will release 4.12 soon after fixing another issue, not rushing for this.

[tsollas]

@yschimke It shouldn't flag, however I'm not updating a transitive dependency as okhttp 4.11 hasn't passed any kind of testing with the updated okio library. This particular CVE is not likely to affect me due to the specific nature of the attack, but I'd argue that any potential CVE as serious as a potential DoS should have some sense of immediacy. I'll patiently wait for 4.12.

[marcelstoer]

The dup #7946 correctly pointing here is closed. I argue this issue here shouldn't be closed until a new 4.x including okio 3.4 is released.

[fgrilli]

Closing, as no one should be blocked on this, you can update okio in your own project to mitigate the CVE. If it's still flagging after you bump okio, it's an issue with your build or the CVE scanner.

We will release 4.12 soon after fixing another issue, not rushing for this.

Hello, any ETA for 4.12 release? Thank you.

[yschimke]

No, not at the moment. If the CVE is hitting you, update okio in your project.

[chxiaowu]

how soon is soon. any ETA for 4.12 release?

[Gil-Littman]

Seems like 4.12 was released last week and it resolves the issue.
Thanks!