Okhttp 4.11.0 transitive dependency okio 3.2 needs to be updated to okio 3.4.0 to mitigate CVE #7944
Comments
+1. okhttp 4.11 doesn't support okio 3.4.0. We get errors if we try to override the version.
What are the errors you get?
I am using Spring, and Spring pulls it in via okhttp3:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'okHttpClientBuilder' defined in class path resource [org/springframework/cloud/commons/httpclient/HttpClientConfiguration$OkHttpClientConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer

Specifically okhttp3.OkHttpClient$Builder, in file https://github.com/square/okhttp/blob/parent-4.11.0/okhttp/src/main/kotlin/okhttp3/OkHttpClient.kt
That looks more like an issue with your build. Can you share the dependency section of your build?
- com.squareup.okhttp3:okhttp:jar:4.9.11:compile

Complete stack trace:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer

If I use okhttp 4.9.3 with 2.10 I won't get any errors. Only when I uplift okhttp --> 4.11 and okio --> 3.4 do I get this error.
I reached out to Spring, thinking that Spring is not supported. My guess is okhttp is not supported with okio 3.4.0? spring-projects/spring-boot#36450 @yschimke is okhttp 4.11 working with okio 3.4 for you?
Updating in #7947, but it will bump up to Kotlin 1.9.0. I tested a build with these dependencies, and it worked fine.
It looks like you are hitting square/okio#1067, cc @swankjesse. So maybe try okio-jvm as a workaround. It's meant to be supported in https://github.com/square/okio/blob/master/build.gradle.kts#L138
Closing, as no one should be blocked on this: you can update okio in your own project to mitigate the CVE. If it's still flagging after you bump okio, it's an issue with your build or the CVE scanner. We will release 4.12 soon after fixing another issue, not rushing for this.
@yschimke It shouldn't flag; however, I'm not updating a transitive dependency, as okhttp 4.11 hasn't passed any kind of testing with the updated okio library. This particular CVE is not likely to affect me due to the specific nature of the attack, but I'd argue that any potential CVE as serious as a potential DoS should have some sense of immediacy. I'll patiently wait for 4.12.
The dup #7946, correctly pointing here, is closed. I argue this issue here shouldn't be closed until a new 4.x including okio 3.4 is released.
Hello, any ETA for the 4.12 release? Thank you.
No, not at the moment. If the CVE is hitting you, update okio in your project.
How soon is soon? Any ETA for the 4.12 release?
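The workaround the maintainers describe in the comments above (bump okio in your own build, and use the okio-jvm artifact if square/okio#1067 bites you) looks like the following in a consuming project's build.gradle.kts. This is an added example, not code from the okhttp or okio projects or from anyone in this thread; it assumes Gradle with the Kotlin DSL and the plain `java` plugin, and the okhttp version is the 4.11.0 named in the issue title.

```kotlin
// build.gradle.kts of the consuming project (added example, not from the okhttp project).
// Goal: make sure okhttp 4.11.0's transitive okio 3.2.0 is replaced by okio 3.4.0,
// the version the issue names as fixing CVE-2023-3635, without waiting for okhttp 4.12.
plugins {
    `java`   // assumption: any JVM plugin works the same way
}

repositories {
    mavenCentral()
}

dependencies {
    implementation("com.squareup.okhttp3:okhttp:4.11.0")

    // Option A: a dependency constraint. Gradle resolves conflicts to the highest
    // requested version, so this lifts okio to 3.4.0 without making it a direct
    // dependency of this project. Both the root artifact and okio-jvm are
    // constrained, because okio 3.x resolves the JVM classes via okio-jvm; a missing
    // okio-jvm on the runtime classpath is what shows up as NoClassDefFoundError: okio/Buffer.
    constraints {
        implementation("com.squareup.okio:okio:3.4.0") {
            because("CVE-2023-3635: okio < 3.4.0 (DoS)")
        }
        implementation("com.squareup.okio:okio-jvm:3.4.0") {
            because("CVE-2023-3635: okio < 3.4.0 (DoS)")
        }
    }
}

// Option B: if some configuration still resolves the old version (for example a
// dependency that pins okio), force it for every configuration instead.
configurations.all {
    resolutionStrategy.eachDependency {
        if (requested.group == "com.squareup.okio") {
            useVersion("3.4.0")
            because("CVE-2023-3635: okio < 3.4.0 (DoS)")
        }
    }
}
```

To confirm what actually landed on the classpath before trusting the scanner either way, run `./gradlew dependencyInsight --dependency okio --configuration runtimeClasspath`; it prints the selected okio version and the reason string above. Use option A by default and reach for option B only when the insight report shows something still winning over the constraint.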
…3-3635 Upgrade okio-jvm from 3.0.0 to 3.4.0 fixing a Denial of Service (DoS) vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635 A minor version bump is needed for this security fix. Upstream projects don't do a minor version bump, this must be done by FOLIO. It's compatible. square/okhttp#7944 square/okhttp#7994 spring-projects/spring-boot#36450
Seems like 4.12 was released last week and it resolves the issue.
As the title suggests, the 4.11.0 (and presumably earlier) versions of okhttp have a transitive dependency on com.squareup.okio:okio@3.2.0, which has vulnerability CVE-2023-3635 (as reported by Snyk.io).
Okhttp needs to be updated to depend on okio 3.4.0 or later, which fixes this vulnerability.