Security Fix: Okio CVE-2023-3635 + OkHttp Jar Update by Mariamalmesfer · Pull Request #23796 · prestodb/presto

Mariamalmesfer · 2024-10-09T19:44:49Z

Description

This PR fixes the Okio security vulnerability (CVE-2023-3635) by upgrading from version 1.17.2 to 3.6.0. It also includes an update to the OkHttp jar from 3.9.0 to 4.12.0

Motivation and Context

A flaw was found in Okio’s GzipSource class that doesn’t handle exceptions properly, allowing potential Denial of Service (DoS) attacks with malformed files.

CVE-2023-3635: Details

Impact

Image Scan showed the vulnerability have been removed.
correlation-report-ibm-lh-presto-okie check.csv

Test Plan

Contributor checklist

Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
Documented new properties (with its default value), SQL syntax, functions, or other functionality.
If release notes are required, they follow the release notes guidelines.
Adequate tests were added if applicable.
CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

 == RELEASE NOTES == =
Security Changes
* Upgrade okio to 3.6.0 in response to `CVE-2023-3635 <https://github.com/advisories/GHSA-w33c-445m-f8w7>`_. :pr:`23796`
* Upgrade okhttp to 4.12.0 in response to `CVE-2023-3635 <https://github.com/advisories/GHSA-w33c-445m-f8w7>`_.  :pr:`23796`

linux-foundation-easycla · 2024-10-09T19:44:54Z

The committers listed above are authorized under a signed CLA.

✅ login: Mariamalmesfer / name: Mariam AlMesfer (4bbd3de)

steveburnett · 2024-11-04T15:06:56Z

Thanks for the release note entry! Nit to remove # from the PR number.

 == RELEASE NOTES == =

Security Changes
* Upgrade okio to 3.6.0 :pr:`23796`
* Upgrade okhttp to 4.12.0 :pr:`23796`

presto-client/src/main/java/com/facebook/presto/client/OkHttpUtil.java

presto-client/src/main/java/okhttp/internal/tls/DistinguishedNameParser.java

pom.xml

presto-client/src/main/java/okhttp/internal/tls/DistinguishedNameParser.java

…n 4.12.0 to address CVE-2023-3635.

pom.xml

arhimondr · 2025-01-29T23:50:22Z

presto-native-sidecar-plugin/pom.xml

            <artifactId>okhttp</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.jetbrains</groupId>


What issue does this dependency cause? Is this dependency needed in runtime?

The exclusion prevents a build failure due to scope conflicts. Without it, Maven reports scope issues that lead to build failures. This dependency isn't needed at runtime; it's only required to pass the build checks.

prestodb-ci · 2025-02-03T17:42:17Z

@ethanyzhang imported this issue into IBM GitHub Enterprise

Mariamalmesfer force-pushed the okie-fix branch 2 times, most recently from 1e17bcc to 8bed2f9 Compare October 13, 2024 09:24

Mariamalmesfer marked this pull request as ready for review October 13, 2024 09:34

Mariamalmesfer requested a review from a team as a code owner October 13, 2024 09:34

Mariamalmesfer requested a review from presto-oss October 13, 2024 09:34

Mariamalmesfer force-pushed the okie-fix branch from 8bed2f9 to 4bd3bc1 Compare October 13, 2024 09:41

ZacBlanco self-requested a review October 14, 2024 17:14

Mariamalmesfer force-pushed the okie-fix branch 3 times, most recently from f8715a8 to e3b47f0 Compare October 15, 2024 13:51

Mariamalmesfer marked this pull request as draft October 24, 2024 08:04

Mariamalmesfer force-pushed the okie-fix branch 5 times, most recently from e13efb9 to dab801a Compare November 4, 2024 06:46

Mariamalmesfer force-pushed the okie-fix branch 12 times, most recently from af5b4c3 to ef04384 Compare November 7, 2024 22:14

aaneja reviewed Jan 17, 2025

View reviewed changes

presto-client/src/main/java/com/facebook/presto/client/OkHttpUtil.java Show resolved Hide resolved

aaneja reviewed Jan 17, 2025

View reviewed changes

presto-client/src/main/java/okhttp/internal/tls/DistinguishedNameParser.java Show resolved Hide resolved

ZacBlanco reviewed Jan 17, 2025

View reviewed changes

pom.xml Show resolved Hide resolved

pom.xml Show resolved Hide resolved

Mariamalmesfer force-pushed the okie-fix branch 2 times, most recently from 85bca20 to f3d345d Compare January 21, 2025 09:53

aaneja previously approved these changes Jan 22, 2025

View reviewed changes

ZacBlanco reviewed Jan 22, 2025

View reviewed changes

presto-client/src/main/java/okhttp/internal/tls/DistinguishedNameParser.java Outdated Show resolved Hide resolved

Mariamalmesfer dismissed aaneja’s stale review via 72a9e67 January 22, 2025 09:40

Mariamalmesfer force-pushed the okie-fix branch 2 times, most recently from 72a9e67 to d4aee3e Compare January 22, 2025 10:25

Upgrade Okie to version 3.6.0 (from 1.17.2) and OkHttp jar to versio…

4bbd3de

…n 4.12.0 to address CVE-2023-3635.

Mariamalmesfer force-pushed the okie-fix branch from d4aee3e to 4bbd3de Compare January 22, 2025 12:03

ZacBlanco approved these changes Jan 22, 2025

View reviewed changes

aaneja approved these changes Jan 23, 2025

View reviewed changes

tdcmeehan approved these changes Jan 28, 2025

View reviewed changes

tdcmeehan merged commit 01bdab4 into prestodb:master Jan 28, 2025
52 checks passed

arhimondr reviewed Jan 29, 2025

View reviewed changes

pom.xml Show resolved Hide resolved

arhimondr reviewed Jan 29, 2025

View reviewed changes

This was referenced Mar 10, 2025

Add release notes for 0.292 unix280/presto#5

Closed

Add release notes for 0.292 unix280/presto#6

Closed

prestodb-ci mentioned this pull request Mar 28, 2025

Add release notes for 0.292 #24825

Merged

30 tasks

ethanyzhang added the Security label Apr 3, 2025

prestodb-ci requested review from a team and BryanCutler and removed request for a team and zuyu April 3, 2025 04:09

unidevel mentioned this pull request Apr 25, 2025

Add release notes for 0.292 unix280/presto#23

Closed

30 tasks

This was referenced May 6, 2025

Add release notes for 0.292 unix280/presto#28

Closed

Add release notes for 0.292 unix280/presto#29

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Fix: Okio CVE-2023-3635 + OkHttp Jar Update#23796

Security Fix: Okio CVE-2023-3635 + OkHttp Jar Update#23796
tdcmeehan merged 1 commit intoprestodb:masterfrom
Mariamalmesfer:okie-fix

Mariamalmesfer commented Oct 9, 2024 •

edited

Loading

Uh oh!

linux-foundation-easycla bot commented Oct 9, 2024 •

edited

Loading

Uh oh!

steveburnett commented Nov 4, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

arhimondr Jan 29, 2025

Uh oh!

Mariamalmesfer Feb 3, 2025

Uh oh!

prestodb-ci commented Feb 3, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Conversation

Mariamalmesfer commented Oct 9, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Motivation and Context

Impact

Test Plan

Contributor checklist

Release Notes

Uh oh!

linux-foundation-easycla bot commented Oct 9, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

steveburnett commented Nov 4, 2024

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

arhimondr Jan 29, 2025

Choose a reason for hiding this comment

Uh oh!

Mariamalmesfer Feb 3, 2025

Choose a reason for hiding this comment

Uh oh!

prestodb-ci commented Feb 3, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Mariamalmesfer commented Oct 9, 2024 •

edited

Loading

linux-foundation-easycla bot commented Oct 9, 2024 •

edited

Loading