
Update OpenShift REST client to fix a critical vulnerability on the transitive dependency com.squareup.okhttp3:okhttp #14641

Closed
abstractj opened this issue Sep 28, 2022 · 2 comments · Fixed by #14642
Labels: area/dependencies, kind/cve (Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected)

Comments

@abstractj (Contributor)

Overview

com.squareup.okhttp3:okhttp is an HTTP & HTTP/2 client for Android and Java applications and a transitive dependency coming from OpenShift REST Client.

Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an IllegalArgumentException is thrown whose message includes the full header value.

Remediation

Upgrade OpenShift REST Client; the fix landed in the 9.0.5.Final release, which can be a breaking change for us.

References
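
To make the exposure concrete, the block below is an added Python analogue of the header-value check described in this issue; it is not okhttp's source and not part of the issue or of Keycloak. The leaky variant puts the whole header value into the exception message, so any handler that logs the exception writes the bearer token to the log; the hardened variant reports only the header name, offset and code point. The character rule, the sensitive-header list and the sample token are the example's own assumptions.

```python
"""Header-value validation: the leaky pattern beside a hardened one.

Added example for this issue; a Python analogue, not okhttp's source. The
character rule, the sensitive-header list and the sample token are assumptions.
"""
from typing import Callable, Optional, Tuple

# Header names whose values are credentials and must never reach a log line.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie", "set-cookie"})


def _first_illegal_char(value: str) -> Optional[Tuple[int, int]]:
    """Return (offset, code point) of the first character that is not allowed
    in an HTTP field value: control characters other than HTAB, and DEL or
    anything above it (the example's own rule)."""
    for i, ch in enumerate(value):
        c = ord(ch)
        if (c <= 0x1F and c != 0x09) or c >= 0x7F:
            return i, c
    return None


def check_header_value_leaky(name: str, value: str) -> None:
    """Vulnerable pattern: the exception message echoes the entire value."""
    hit = _first_illegal_char(value)
    if hit:
        i, c = hit
        raise ValueError(f"Unexpected char {c:#04x} at {i} in {name} value: {value}")


def check_header_value_safe(name: str, value: str) -> None:
    """Hardened pattern: name, offset and code point are enough to debug; the
    value itself is redacted for credential-bearing headers."""
    hit = _first_illegal_char(value)
    if hit:
        i, c = hit
        shown = "<redacted>" if name.lower() in SENSITIVE_HEADERS else repr(value)
        raise ValueError(f"Unexpected char {c:#04x} at {i} in {name} value: {shown}")


def log_line_for(check: Callable[[str, str], None], name: str, value: str) -> str:
    """What a handler that logs str(exc) would write; this is the realistic leak path."""
    try:
        check(name, value)
    except ValueError as exc:
        return f"WARN rejected request: {exc}"
    return "OK"


# Constructed token with a trailing newline, as from a header-injection attempt.
SAMPLE_TOKEN = "Bearer eyJhbGciOi.constructed.token"

if __name__ == "__main__":
    print(log_line_for(check_header_value_leaky, "Authorization", SAMPLE_TOKEN + "\n"))
    print(log_line_for(check_header_value_safe, "Authorization", SAMPLE_TOKEN + "\n"))
```

Redacting by header name is the minimal fix; if credentials travel in custom headers (API keys, for instance), drop the value from the message unconditionally and keep only the offset and code point.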

@abstractj abstractj self-assigned this Sep 28, 2022
abstractj added a commit that referenced this issue Oct 6, 2022
…ransitive dependency com.squareup.okhttp3:okhttp

Resolves #14641
@abstractj abstractj added this to the 20.0.0 milestone Oct 6, 2022
andre-nascimento6791 pushed a commit to andre-nascimento6791/keycloak-cnd-work that referenced this issue Dec 1, 2022
…ransitive dependency com.squareup.okhttp3:okhttp

Resolves keycloak#14641
@ahrycej commented Dec 19, 2022

I am scanning the latest Keycloak 20.0.2 with Anchore Enterprise (grype engine) and I still find vulnerable okhttp:
/opt/keycloak/lib/lib/main/com.squareup.okhttp3.okhttp-3.14.9.jar

It needs to be updated to 4.x; could you resolve it?

@abstractj (Contributor, Author)

@ahrycej please refer to our nightly builds considering that they contain the latest updates. If the issue persists, please create a new GH issue.

trivy image --ignore-unfixed quay.io/keycloak/keycloak:nightly

We don't keep track of comments on closed issues on GH.
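
A practitioner verifying a shipped distribution the way ahrycej did can check the jar inventory directly instead of relying only on a scanner verdict. The Python below is an added example, not Keycloak's tooling and not from this thread: it parses the `<groupId>.<artifactId>-<version>.jar` naming seen in the /opt/keycloak/lib/lib/main path quoted above (an assumption drawn from that one path) and flags any okhttp jar below a required version. The sample listing is constructed apart from the okhttp entry; the 4.0.0 floor reflects the reporter's request for 4.x and should be replaced by the fixed version from the advisory you are tracking.

```python
"""Flag transitive jars below a required version in a Keycloak-style lib directory.

Added example for this issue thread; not Keycloak's own tooling. The sample
listing below is constructed; only the okhttp path is taken from the thread.
"""
import os
import re
from typing import Iterable, List, Tuple

# Jars are assumed to be named "<groupId>.<artifactId>-<version>.jar", as in the
# path quoted in the thread. The lazy group stops at the first "-<digit>".
_JAR_RE = re.compile(r"^(?P<ga>.+?)-(?P<version>\d[^-/]*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Map '3.14.9' -> (3, 14, 9). Non-numeric qualifiers such as 'Final' are
    mapped to -1 so that '9.0.5.Final' sorts below '9.0.5.1'."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def find_vulnerable_jars(paths: Iterable[str], artifact: str, fixed_version: str) -> List[str]:
    """Return the paths whose artifact matches and whose version is below fixed_version."""
    floor = parse_version(fixed_version)
    hits = []
    for path in paths:
        m = _JAR_RE.match(os.path.basename(path))
        if m and m.group("ga") == artifact and parse_version(m.group("version")) < floor:
            hits.append(path)
    return hits


def audit_directory(root: str, artifact: str, fixed_version: str) -> List[str]:
    """Walk a real lib directory (e.g. /opt/keycloak/lib) and run the same check."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_vulnerable_jars(paths, artifact, fixed_version)


OKHTTP = "com.squareup.okhttp3.okhttp"
# Floor taken from the reporter's request for 4.x; in practice use the fixed
# version named by the advisory you are tracking.
REQUIRED_OKHTTP = "4.0.0"

# Constructed listing; only the okhttp entry is the one quoted in the thread.
SAMPLE_LISTING = [
    "/opt/keycloak/lib/lib/main/com.squareup.okhttp3.okhttp-3.14.9.jar",
    "/opt/keycloak/lib/lib/main/com.squareup.okio.okio-1.17.2.jar",
    "/opt/keycloak/lib/lib/main/org.jboss.logging.jboss-logging-3.5.0.Final.jar",
]

if __name__ == "__main__":
    for hit in find_vulnerable_jars(SAMPLE_LISTING, OKHTTP, REQUIRED_OKHTTP):
        print(f"VULNERABLE {hit}")
```

Run audit_directory against the unpacked image or container filesystem; a non-empty result for the okhttp artifact is the same finding the grype scan reported, and the check is quick enough to put next to the trivy command above in a release gate.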

@abstractj abstractj changed the title Update OpenShift REST client to fix a critical vulnerability on the transitive dependency com.squareup.okhttp3:okhttp CVE-2022-24329 Update OpenShift REST client to fix a critical vulnerability on the transitive dependency com.squareup.okhttp3:okhttp Dec 21, 2022
@abstractj abstractj changed the title CVE-2022-24329 Update OpenShift REST client to fix a critical vulnerability on the transitive dependency com.squareup.okhttp3:okhttp Update OpenShift REST client to fix a critical vulnerability on the transitive dependency com.squareup.okhttp3:okhttp Dec 21, 2022
@abstractj abstractj added the kind/cve Issues identified as CVEs on third-party dependencies, or issues which Keycloak is not affected label Dec 21, 2022