
CVE in telemetry-http-okhttp dependency #273

Closed
keruitan-wk opened this issue May 11, 2021 · 5 comments · Fixed by #296
@keruitan-wk

Hello,
There is a CVE (CVE-2020-29582) in the kotlin-stdlib version 1.3.72 package that is fixed in version 1.4.21. The latest New Relic telemetry-http-okhttp package (0.12.0) still has a dependency on kotlin-stdlib version 1.3.72 based on the mvn dependency:tree output below. Could telemetry-http-okhttp be updated to use version 1.4.21 of the kotlin-stdlib package?

```
[INFO] \- com.newrelic.telemetry:telemetry-http-okhttp:jar:0.12.0:compile
[INFO]    \- com.squareup.okhttp3:okhttp:jar:4.8.0:compile
[INFO]       +- com.squareup.okio:okio:jar:2.7.0:compile
[INFO]       |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.70:compile
[INFO]       \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.72:compile
[INFO]          \- org.jetbrains:annotations:jar:13.0:compile
```
@GDownes

GDownes commented Dec 8, 2021

The dependency on kotlin-stdlib comes from the com.squareup.okhttp3:okhttp dependency.
Currently the com.squareup.okhttp3:okhttp dependency is version 4.8.0.

Version 4.8.0 uses Kotlin version 1.3.72.
To address the CVE we need to raise the Kotlin version to 1.4.21.
The highest Kotlin version used by a 4.x update of the com.squareup.okhttp3:okhttp dependency is 1.4.10, which would not address the CVE.

The latest alpha version (5.x) of the com.squareup.okhttp3:okhttp dependency uses Kotlin version 1.4.21, which would address the CVE. When the 5.x version is released we should update; hopefully the major version changes aren't too much.
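
As an added example (not code from this issue or from the telemetry SDK project), the script below parses `mvn dependency:tree` output the way the report above reads it, flags every `org.jetbrains.kotlin:kotlin-stdlib*` artifact below the 1.4.21 fix version the thread names for CVE-2020-29582, and prints the chain through which each one is pulled in, so the output makes the point GDownes makes above: the vulnerable version arrives via `com.squareup.okhttp3:okhttp`, not from anything the consuming project declares directly. The sample tree is constructed from the report's output with Maven's three-column indentation restored (the issue text lost the leading spaces) and a hypothetical root project `com.example:demo-app` added on top; `FIXED_VERSIONS` and the `Node`/`Finding` types are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the dependency:tree lines quoted in the issue report, with
# Maven's indentation restored and a hypothetical root project added (an assumption).
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] \\- com.newrelic.telemetry:telemetry-http-okhttp:jar:0.12.0:compile
[INFO]    \\- com.squareup.okhttp3:okhttp:jar:4.8.0:compile
[INFO]       +- com.squareup.okio:okio:jar:2.7.0:compile
[INFO]       |  \\- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.70:compile
[INFO]       \\- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.72:compile
[INFO]          \\- org.jetbrains:annotations:jar:13.0:compile
"""

# Minimum fixed versions keyed by (groupId, artifactId prefix). The 1.4.21 threshold is the
# one the issue states for CVE-2020-29582; matching on the prefix flags every kotlin-stdlib*
# artifact, which is the conservative choice most dependency scanners make.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("org.jetbrains.kotlin", "kotlin-stdlib"): "1.4.21",
}


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    depth: int
    parent: Optional["Node"]

    def coordinate(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


@dataclass
class Finding:
    coordinate: str          # the vulnerable artifact
    minimum: str             # the version it must be raised to
    path: List[str]          # root -> ... -> vulnerable artifact
    direct_dependency: str   # the entry in your own POM that drags it in


def version_key(version: str) -> tuple:
    """Order Maven-style versions: numeric dotted part first; a qualifier such as
    -RC or -SNAPSHOT sorts below the bare release with the same numbers."""
    base, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    nums = nums + (0,) * (4 - len(nums))  # pad so 1.5 compares equal to 1.5.0.0
    return (nums, 1 if not qualifier else 0, qualifier)


def version_at_least(version: str, minimum: str) -> bool:
    return version_key(version) >= version_key(minimum)


# One tree row: "[INFO] " then zero or more 3-character nesting columns, then the coordinate.
_LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+)$")


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree output into nodes that know their parent, using the
    3-character indentation columns Maven prints per nesting level."""
    nodes: List[Node] = []
    stack: List[Node] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # plain log lines such as "[INFO] BUILD SUCCESS" are not tree rows
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root row has no scope.
        if len(parts) < 4:
            continue
        version = parts[3] if len(parts) in (4, 5) else parts[4]
        while stack and stack[-1].depth >= depth:
            stack.pop()
        node = Node(parts[0], parts[1], version, depth, stack[-1] if stack else None)
        stack.append(node)
        nodes.append(node)
    return nodes


def audit(text: str, fixed: Dict[Tuple[str, str], str] = FIXED_VERSIONS) -> List[Finding]:
    """Report every artifact below its fixed version together with the path that pulls it in."""
    findings: List[Finding] = []
    for node in parse_tree(text):
        for (group, prefix), minimum in fixed.items():
            if node.group != group or not node.artifact.startswith(prefix):
                continue
            if version_at_least(node.version, minimum):
                continue
            chain: List[str] = []
            n: Optional[Node] = node
            while n is not None:
                chain.append(n.coordinate())
                n = n.parent
            chain.reverse()
            direct = chain[1] if len(chain) > 1 else chain[0]
            findings.append(Finding(node.coordinate(), minimum, chain, direct))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TREE):
        print(f"{f.coordinate} < {f.minimum}  via {' -> '.join(f.path[1:-1])}")
        print(f"  pulled in by your direct dependency: {f.direct_dependency}")
```

In practice you would pipe real `mvn dependency:tree` output into `audit` instead of the embedded sample; `gradle dependencies` prints a different layout and is not handled here. The `direct_dependency` field is the actionable part: it tells you which entry in your own POM to bump, or which transitive artifact (here `com.squareup.okhttp3:okhttp`) to pin to a fixed release under your own `dependencyManagement` while you wait for the library to update.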

@tbradellis
Contributor

We checked in on this again. The Okhttp3 project still needs to update to kotlin 1.4.21. Looks like it is planned for version 5, which is still in Alpha.
Unclear why the issue has been closed:
square/okhttp#6219

https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp

@christrotteradhoc

There is a newer 4.x version of okhttp3 now that has an updated Kotlin library that resolves the vulnerability:

https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.10.0

Could that be used instead while waiting on 5.x?

@jasonjkeller
Contributor

We'll look into getting this updated. Thanks @christrotteradhoc !

@jasonjkeller
Contributor

jasonjkeller commented Jul 15, 2022

This will be addressed in the telemetry sdk v0.15.0 release as soon as it is out.

jasonjkeller added a commit to newrelic/newrelic-java-agent that referenced this issue Jul 15, 2022
Pulls in the following improvements from the underlying telemetry-sdk:
* Update to telemetry-sdk 0.15.0 to address [CVE-2020-29582](newrelic/newrelic-telemetry-sdk-java#273) with kotlin lib dependencies of okhttp
* Also includes telemetry-sdk 0.14.0 improvement to decrease CPU utilization: [Replace UUID.randomUUID() with a faster implementation](newrelic/newrelic-telemetry-sdk-java#292)