CVE-2023-3635 in dependency okio #273
Comments
Should be addressed by the latest release.
Release https://github.com/splunk/splunk-library-javalogging/releases/tag/1.11.8 is still vulnerable.

+- com.splunk.logging:splunk-library-javalogging:jar:1.11.8:compile

Forcing com.squareup.okio:okio to 3.5.0 (https://github.com/splunk/splunk-library-javalogging/blob/1.11.8/pom.xml#L232C8-L232C8) will lead to a conflict for the vulnerable package com.squareup.okio:okio-jvm. Excluding com.squareup.okio:okio in com.squareup.okhttp3:okhttp does not work because okhttp depends on okio-jvm (not okio). com.splunk.logging:splunk-library-javalogging -> com.squareup.okhttp3:okhttp depends on com.squareup.okio:okio-jvm only, so I would prefer overwriting the version of this subdependency instead of com.squareup.okio:okio.
@RHackrid I see - let's try to get to the bottom of this. When I scan the repo Because What I want to understand is why It seems like Of course the preferred way to resolve this is to update to a patched version of Thanks again for reaching out and bringing this to our attention.
Ok, you are right! In our projects, we (and maybe a lot of other users) use Spring Boot. Spring Boot overwrites the version of okhttp, so our system will pick 4.10.0 instead of 4.11.0: https://github.com/spring-projects/spring-boot/blob/v3.1.3/spring-boot-project/spring-boot-dependencies/build.gradle#L1065 That is a really unfortunate situation for all Spring Boot projects, but I think com.splunk.logging:splunk-library-javalogging is doing fine. Spring Boot projects will still have to override okio-jvm by themselves until spring boot releases an updated okhttp.version (spring-projects/spring-boot@2ce6458):
I apologize for the circumstances.
For spring boot projects I think it is cleaner to override the version the 'spring way'. In Maven add this to your
(remove this property once spring boot uses this, or a higher version). |
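The two overrides discussed in this thread (the Spring Boot `okhttp.version` property, and pinning the okio-jvm subdependency directly) can be combined in one pom.xml, together with an enforcer rule that fails the build if a vulnerable okio artifact is ever resolved again. This is an added example, not the snippet from the comment above and not the splunk-library-javalogging project's own pom. It assumes the project inherits from spring-boot-starter-parent (so `okhttp.version` is the property managed by spring-boot-dependencies); the maven-enforcer-plugin version is an assumption, not something the issue mentions.

```xml
<!-- Added example pom.xml fragment (not from the issue or from the
     splunk-library-javalogging project). Assumes the project inherits from
     spring-boot-starter-parent, so okhttp.version below is the property
     exposed by spring-boot-dependencies. -->
<project>
  <properties>
    <!-- The 'Spring way': move okhttp off the 4.10.0 that Spring Boot 3.1.3
         manages. Remove once a Spring Boot release manages this version or
         higher. Note that bumping okhttp alone does not guarantee a fixed
         okio; the dependencyManagement entries below do that. -->
    <okhttp.version>4.11.0</okhttp.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- okhttp pulls com.squareup.okio:okio-jvm (not okio), so an exclusion
           on okio alone changes nothing. Managing both artifacts here overrides
           the version on every transitive path, which avoids the okio/okio-jvm
           conflict described in the thread. -->
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio-jvm</artifactId>
        <version>3.5.0</version>
      </dependency>
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>3.5.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Regression guard: fail the build if any path still resolves an okio
           artifact below 3.4.0, the first version the issue reports as fixed
           for CVE-2023-3635. Plugin version is an assumption; use whatever
           your build already pins. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-vulnerable-okio</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <exclude>com.squareup.okio:okio:[,3.4.0)</exclude>
                    <exclude>com.squareup.okio:okio-jvm:[,3.4.0)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying it, confirm the resolved versions with `mvn dependency:tree -Dincludes=com.squareup.okio`; the enforcer rule then keeps a future Spring Boot or okhttp bump from silently reintroducing an okio-jvm below 3.4.0 through a different path.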
CVE-2023-3635
Severity: High
```
+- com.splunk.logging:splunk-library-javalogging:jar:1.11.7:compile
|  +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
|  |  \- com.squareup.okio:okio:jar:2.8.0:compile
```
References
https://nvd.nist.gov/vuln/detail/CVE-2023-3635
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3635
Please update okhttp3, so that okio is at least at version 3.4.0.