okhttp 2.7.5 fixing without going to okhttp3

Time:07-19

Got this vulnerability,

okhttp-2.7.5.jar | Reference: CVE-2021-0341 | CVSS Score: 7.5 | Category: CWE-295 | In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10, Android-11. Android ID: A-171980069

Can this be fixed without going to okhttp3?

My code would be changed with all of the okhttp library; all OK except this com.squareup.okhttp.MultipartBuilder to okhttp3.MultipartBody.Builder, which is going to give me an error with:

java.lang.NullPointerException: trustManager.acceptedIssuers must not be null
    at okhttp3.internal.platform.Platform.buildTrustRootIndex(Platform.kt:163)
    at okhttp3.internal.platform.Platform.buildCertificateChainCleaner(Platform.kt:160)
    at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.kt:754)

    org.apache.camel.support.processor.DelegateSyncProcessor.process(DelegateSyncProcessor.java:65)
    at org.apache.camel.processor.errorhandler.RedeliveryErrorHandler$SimpleTask.run(RedeliveryErrorHandler.java:471)
    at org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.schedule(DefaultReactiveExecutor.java:193)
    at org.apache.camel.impl.engine.DefaultReactiveExecutor.scheduleMain(DefaultReactiveExecutor.java:64)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:184)
    at org.apache.camel.impl.engine.CamelInternalProcessor.process(CamelInternalProcessor.java:398)
    at org.apache.camel.component.jetty.CamelContinuationServlet.doService(CamelContinuationServlet.java:245)
    at org.apache.camel.http.common.CamelServlet.service(CamelServlet.java:130)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:550)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
    at java.lang.Thread.run(Thread.java:748)

Also, I'm limited to Java 8.

Thanks.

CodePudding user response:

It's a pretty bogus CVE in that you need to use the HostnameVerifier API directly with untrusted input to exploit. You're probably not doing that; that interface is designed for end users to plug in a custom implementation and will rarely be used by end users directly. (OkHttp sanitizes input before passing it to this API.)

If you confirm you're not using HostnameVerifier directly, your vulnerability is mitigated.

But you should upgrade anyway, because OkHttp 2.x is very obsolete.

CodePudding user response:

The vulnerability got fixed with this, and I'm using okhttp3:

    import java.security.KeyStore;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    // Load the JVM's default trust store once. The original left this delegate null,
    // which is what produced the NullPointerException inside checkServerTrusted.
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null); // null => platform default trust store (cacerts)
    final X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];

    TrustManager[] certs = new TrustManager[] { new X509TrustManager() {
        private final X509TrustManager standardTrustManager = defaultTrustManager;

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // OkHttp throws the "acceptedIssuers must not be null" NPE from the first
            // stack trace if this returns null; an empty array is accepted.
            return new X509Certificate[]{};
        }

        @Override
        public void checkServerTrusted(X509Certificate[] certificates, String authType)
                throws CertificateException {
            if ((certificates != null) && (certificates.length == 1)) {
                // A one-certificate chain is only checked for its validity period here;
                // no trust anchor is verified, so this branch accepts any self-signed cert.
                certificates[0].checkValidity();
            } else {
                standardTrustManager.checkServerTrusted(certificates, authType);
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certificates, String authType)
                throws CertificateException {
            standardTrustManager.checkClientTrusted(certificates, authType);
        }
    } };

But I got a new error:

com.example.HTTPS$HTTPSError: javax.net.ssl.SSLException: java.lang.NullPointerException
    at org.apache.camel.support.processor.DelegateSyncProcessor.process(DelegateSyncProcessor.java:65)
    at org.apache.camel.processor.errorhandler.RedeliveryErrorHandler$SimpleTask.run(RedeliveryErrorHandler.java:471)
    at org.apache.camel.impl.engine.DefaultReactiveExecutor$Worker.schedule(DefaultReactiveExecutor.java:193)
    at org.apache.camel.impl.engine.DefaultReactiveExecutor.scheduleMain(DefaultReactiveExecutor.java:64)
    at org.apache.camel.processor.Pipeline.process(Pipeline.java:184)
    at org.apache.camel.impl.engine.CamelInternalProcessor.process(CamelInternalProcessor.java:398)
    at org.apache.camel.component.jetty.CamelContinuationServlet.doService(CamelContinuationServlet.java:245)
    at org.apache.camel.http.common.CamelServlet.service(CamelServlet.java:130)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
Caused by: javax.net.ssl.SSLException: java.lang.NullPointerException
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1903)
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1886)
Caused by: java.lang.NullPointerException
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1091)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
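Both NullPointerExceptions above come from handing OkHttp a hand-rolled X509TrustManager whose delegate was never initialised. The cleaner route is to obtain the JVM's real default X509TrustManager and pass that same instance to both the SSLContext and OkHttpClient.Builder.sslSocketFactory(SSLSocketFactory, X509TrustManager), so chain validation stays intact and getAcceptedIssuers() is never null. The following is an added example, not code from either post; it assumes okhttp3 (3.x or 4.x) on the classpath and Java 8, and the class name TrustedOkHttpClientFactory and the fallback URL are my own choices. It deliberately does not install a custom HostnameVerifier, leaving OkHttp's built-in OkHostnameVerifier in place, which is the usage the first answer describes as not exposed to CVE-2021-0341.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/** Added example: builds an okhttp3 client backed by the JVM's default trust store. */
public final class TrustedOkHttpClientFactory {

    private TrustedOkHttpClientFactory() {}

    /**
     * Returns the platform default X509TrustManager (cacerts, or whatever
     * -Djavax.net.ssl.trustStore points at). Fails loudly instead of
     * returning null, which is the defect behind the NPE in the second answer.
     */
    public static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore => use the platform default trust store
        TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers: "
                    + Arrays.toString(tms));
        }
        X509TrustManager tm = (X509TrustManager) tms[0];
        // OkHttp iterates acceptedIssuers to build its certificate chain cleaner;
        // the default trust manager always returns a non-null (possibly empty) array.
        if (tm.getAcceptedIssuers() == null) {
            throw new IllegalStateException("Trust manager returned null acceptedIssuers");
        }
        return tm;
    }

    /**
     * Builds an OkHttpClient that validates the server chain against the default
     * trust store and the hostname with OkHttp's own OkHostnameVerifier.
     */
    public static OkHttpClient build() throws GeneralSecurityException {
        X509TrustManager tm = defaultTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Same trust manager for the SSLContext and for OkHttp: OkHttp needs it
        // for chain cleaning (used by certificate pinning), the JSSE for the handshake.
        ctx.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory sf = ctx.getSocketFactory();
        return new OkHttpClient.Builder()
                .sslSocketFactory(sf, tm)
                .build();
    }

    /** Usage: fetch a URL over TLS; a bad chain or hostname fails the handshake. */
    public static void main(String[] args) throws IOException, GeneralSecurityException {
        String url = args.length > 0 ? args[0] : "https://example.com/"; // assumed fallback URL
        OkHttpClient client = build();
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("HTTP " + response.code() + " from " + url);
        }
    }
}
```

If the server uses a private CA, load that CA into a KeyStore and pass it to tmf.init(keyStore) instead of null; the rest of the wiring stays the same, and there is no need for the one-certificate shortcut in the second answer's checkServerTrusted, which skips trust-anchor verification entirely.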