
Bump okhttp version to 4.12.0 to resolve CVE-2023-3635, CVE-2022-24329 #81

Merged 1 commit on Jan 9, 2024

Conversation

@LevBernstein (Contributor) commented Dec 27, 2023

Description

Upgrade okhttp dependency from 4.10.0 to 4.12.0 in order to resolve vulnerabilities present in transient dependency okio.

CVE-2023-3635: Older versions of okio's GzipSource.kt contain a vulnerability that may allow attackers to execute denial of service attacks. This vulnerability is present in okio versions starting at 2.0.0, patched in 3.4.0. Duo-client currently leverages okhttp version 4.10.10, which includes okio version 3.0.0 as a dependency.

CVE-2022-24329: Older versions of okio and okhttp also include as dependencies kotlin-stdlib-jdk8 version 1.5.31 and kotlin-stdlib-common version 1.5.31, which are vulnerable to improper locking.

Both of these vulnerabilities can be resolved by upgrading okhttp from 4.10.0 to 4.12.0.

Current dependency tree:

|  +- com.squareup.okio:okio-jvm:jar:3.0.0:compile
|  |  +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.5.31:compile
|  |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.5.31:compile
|  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.5.31:compile
|  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.20:compile
|     \- org.jetbrains:annotations:jar:13.0:compile

Dependency tree with patch applied:

|  +- com.squareup.okio:okio:jar:3.6.0:compile
|  |  \- com.squareup.okio:okio-jvm:jar:3.6.0:compile
|  |     \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.9.10:compile
|  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.8.21:compile
|     +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.8.21:compile
|     |  \- org.jetbrains:annotations:jar:13.0:compile
|     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.8.21:compile

Motivation and Context

Patches open vulnerabilities with one minor version increment.

How Has This Been Tested?

Ran mvn test locally. 10 passed, 11 failed:

Failed tests:   testPrintableASCII(com.duosecurity.client.HttpCanonRequestTest): failure - sig_version = 1 expected:<POST[
  testUnicodeFuzzValues(com.duosecurity.client.HttpCanonRequestTest): failure - sig_version = 1 expected:<POST[
  testZeroParams(com.duosecurity.client.HttpCanonRequestTest): failure - sig_version = 1 expected:<POST[
  testSimple(com.duosecurity.client.HttpCanonRequestTest): failure - sig_version = 1 expected:<POST[
  testOneParam(com.duosecurity.client.HttpCanonRequestTest): failure - sig_version = 1 expected:<POST[
  testUnicodeFuzzKeysAndValues(com.duosecurity.client.HttpCanonRequestTest): failure - sig_version = 1 expected:<POST[
  testDuoHeaders(com.duosecurity.client.HttpCanonV5RequestTest): failure - Canonicalization v5 with additional headers expected:<... 2012 17:18:00 -0000[
  testGetZeroParams(com.duosecurity.client.HttpCanonV5RequestTest): failure - Canonicalization v5 with no params for GET expected:<... 2012 17:18:00 -0000[
  testPostZeroParams(com.duosecurity.client.HttpCanonV5RequestTest): failure - Canonicalization v5 with no params for POST expected:<... 2012 17:18:00 -0000[
  testGetWithParams(com.duosecurity.client.HttpCanonV5RequestTest): failure - Canonicalization v5 with params for GET expected:<... 2012 17:18:00 -0000[
  testPostWithParams(com.duosecurity.client.HttpCanonV5RequestTest): failure - Canonicalization v5 with params for POST expected:<... 2012 17:18:00 -0000[

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
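An added check, not part of this PR or the duo-client project, that scans `mvn dependency:tree` output for the artifacts the description names, using the two trees above as constructed input. The okio range (2.0.0 up to but excluding 3.4.0) is as stated in the PR; treating every kotlin-stdlib artifact at 1.5.31 or older as affected is an assumption, since the PR only names 1.5.31.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample input: the two trees from the PR description, in the
# group:artifact:packaging:version:scope form that mvn dependency:tree prints.
BEFORE_TREE = r"""|  +- com.squareup.okio:okio-jvm:jar:3.0.0:compile
|  |  +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.5.31:compile
|  |  |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.5.31:compile
|  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.5.31:compile
|  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.20:compile
|     \- org.jetbrains:annotations:jar:13.0:compile
"""
AFTER_TREE = r"""|  +- com.squareup.okio:okio:jar:3.6.0:compile
|  |  \- com.squareup.okio:okio-jvm:jar:3.6.0:compile
|  |     \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.9.10:compile
|  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.8.21:compile
|     +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.8.21:compile
|     |  \- org.jetbrains:annotations:jar:13.0:compile
|     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.8.21:compile
"""

# group:artifact:<packaging>:version, ignoring the tree-drawing prefix and scope suffix
DEP_RE = re.compile(r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):[a-z\-]+:([0-9][A-Za-z0-9.\-]*)")

def parse_version(v: str) -> Tuple[int, ...]:
    """'3.0.0' -> (3, 0, 0); a qualifier such as '-RC1' is dropped before comparing."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

# (CVE, group, artifact pattern, affected-version predicate). Ranges per the PR text;
# the "<= 1.5.31" kotlin rule is an assumption, the PR only names 1.5.31 itself.
Rule = Tuple[str, str, "re.Pattern[str]", Callable[[Tuple[int, ...]], bool]]
RULES: List[Rule] = [
    ("CVE-2023-3635", "com.squareup.okio", re.compile(r"^okio(-jvm)?$"),
     lambda v: (2, 0, 0) <= v < (3, 4, 0)),
    ("CVE-2022-24329", "org.jetbrains.kotlin", re.compile(r"^kotlin-stdlib"),
     lambda v: v <= (1, 5, 31)),
]

def find_vulnerable(tree: str) -> List[Tuple[str, str, str]]:
    """Return (cve, group:artifact, version) for every tree line an advisory rule matches."""
    hits = []
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        for cve, rule_group, art_re, affected in RULES:
            if group == rule_group and art_re.match(artifact) and affected(parse_version(version)):
                hits.append((cve, f"{group}:{artifact}", version))
    return hits

if __name__ == "__main__":
    for label, tree in (("before upgrade", BEFORE_TREE), ("after upgrade", AFTER_TREE)):
        hits = find_vulnerable(tree)
        print(f"{label}: {len(hits)} affected artifact(s)")
        for cve, ga, version in hits:
            print(f"  {cve}: {ga} {version}")
```

On the pre-upgrade tree this flags okio-jvm 3.0.0 and the three kotlin-stdlib 1.5.31 artifacts (kotlin-stdlib 1.6.20 is left alone); the post-upgrade tree produces no hits.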

@AaronAtDuo (Contributor)

@LevBernstein Thanks for the PR! We definitely want to keep on top of CVEs.

@AaronAtDuo AaronAtDuo merged commit 34cb837 into duosecurity:master Jan 9, 2024
3 checks passed
@LevBernstein (Contributor, Author)

@LevBernstein Thanks for the PR! We definitely want to keep on top of CVEs.

My pleasure! I think it's also time to publish 0.6.1, if that is at all possible; these changes should justify a version increase, I think.

@AaronAtDuo (Contributor)

@LevBernstein Agreed. I'll get that out pending getting reviews done by my team 🤞

@AaronAtDuo (Contributor)

@LevBernstein I was delayed by a trip through GPG key expiration, but 0.6.1 is released (https://central.sonatype.com/artifact/com.duosecurity/duo-client?smo=true). Thanks for the help!

@LevBernstein (Contributor, Author)

Excellent, thanks so much!
