newrelic / newrelic-telemetry-sdk-java

Java library for sending telemetry data to New Relic
Apache License 2.0

CVE in telemetry-http-okhttp dependency #273

Closed keruitan-wk closed 2 years ago

keruitan-wk commented 3 years ago

Hello, There is a CVE (CVE-2020-29582) in the kotlin-stdlib version 1.3.72 package that is fixed in version 1.4.21. The latest New Relic telemetry-http-okhttp package (0.12.0) still has a dependency on kotlin-stdlib version 1.3.72 based on the mvn dependency:tree output below. Could telemetry-http-okhttp be updated to use version 1.4.21 of the kotlin-stdlib package?

[INFO] \- com.newrelic.telemetry:telemetry-http-okhttp:jar:0.12.0:compile
[INFO]    \- com.squareup.okhttp3:okhttp:jar:4.8.0:compile
[INFO]       +- com.squareup.okio:okio:jar:2.7.0:compile
[INFO]       |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.70:compile
[INFO]       \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.72:compile
[INFO]          \- org.jetbrains:annotations:jar:13.0:compile

GDownes commented 2 years ago

The dependency on kotlin-stdlib comes from the com.squareup.okhttp3:okhttp dependency. Currently the com.squareup.okhttp3:okhttp dependency is version 4.8.0.

Version 4.8.0 uses Kotlin version 1.3.72. To address the CVE we need to raise the Kotlin version to 1.4.21. The highest Kotlin version used by a 4.x update of the com.squareup.okhttp3:okhttp dependency is 1.4.10, which would not address the CVE.

The latest alpha version (5.x) of the com.squareup.okhttp3:okhttp dependency uses Kotlin version 1.4.21, which would address the CVE. When the 5.x version is released we should update; hopefully the major version changes aren't too much.

tbradellis commented 2 years ago

We checked in on this again. The Okhttp3 project still needs to update to kotlin 1.4.21. Looks like it is planned for version 5, which is still in Alpha.
Unclear why the issue has been closed: https://github.com/square/okhttp/issues/6219

https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp

christrotteradhoc commented 2 years ago

There is a newer 4.x version of okhttp3 now that has an updated Kotlin library that resolves the vulnerability:

https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp/4.10.0

Could that be used instead while waiting on 5.x?

jasonjkeller commented 2 years ago

We'll look into getting this updated. Thanks @christrotteradhoc!

jasonjkeller commented 2 years ago

This will be addressed in the telemetry sdk v0.15.0 release as soon as it is out.