CVE-2023-3635
Denial of service vulnerability in okio (Maven)

Category: Denial of service. Public exploits: none known.

What is CVE-2023-3635 About?

This vulnerability in Okio's GzipSource can lead to a denial of service when the class parses a malformed gzip stream. An exception that GzipSource does not handle escapes to the caller and can crash the client application. Exploitation is straightforward if an attacker can feed a crafted gzip stream to the vulnerable component; no authentication or user interaction is involved beyond getting the bytes in front of the decoder.

Affected Software

  • com.squareup.okio:okio
    • <1.17.6
    • >=2.0.0-RC1, <3.4.0
  • com.squareup.okio:okio-jvm
    • >=2.0.0-RC1, <3.4.0

Technical Details

The vulnerability is in Okio's GzipSource, the class that transparently decompresses a gzip stream read from an underlying Source. When it parses a malformed gzip header it can raise an exception that it does not handle itself, and that exception is a runtime exception rather than the IOException that callers of a Source normally guard against. It therefore propagates out of the read call, past any catch block written for IOException, and up the stack of whatever thread was decoding the stream. If nothing above catches it, that thread dies; in an Android application an uncaught exception on the main thread terminates the process. The result is a denial of service against the component that was decoding the stream, with no code execution and no data exposure.

What is the Impact of CVE-2023-3635?

Successful exploitation lets an attacker crash the client application, or at least the thread that was decoding the gzip stream, making the application or the affected functionality unavailable to users. The impact is confined to availability; confidentiality and integrity are not affected.

What is the Exploitability of CVE-2023-3635?

Exploitation complexity is low. The only prerequisite is the ability to get a malformed gzip stream in front of an application that decodes it with Okio's GzipSource. No authentication or elevated privilege is needed, since the bug is triggered purely by input parsing. The attack can be remote wherever the application decodes gzip data from untrusted sources, for example gzip-encoded HTTP responses or requests, file uploads, or compressed payloads pulled from storage an attacker can write to. The risk is highest in applications that decode such data without error handling that also covers unchecked exceptions around GzipSource reads.
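The following is an added example, not code from the Okio project or from this advisory. It shows the read pattern a practitioner would want around GzipSource while running an affected release, and the pattern that remains good practice after upgrading: the decompression is wrapped so that both IOException and RuntimeException become a result value rather than an escaped exception, and the output size is capped. It assumes com.squareup.okio:okio 3.x on the JVM classpath. The malformed header bytes are constructed here for illustration; the advisory does not document a specific trigger, so the input is simply a header that sets FEXTRA and declares more extra-field bytes than exist, which any gzip decoder must reject one way or another.

```kotlin
// Added example for this advisory, not code from the Okio project.
// Assumes com.squareup.okio:okio 3.x on the JVM classpath; the malformed
// header bytes below are constructed for illustration.
import java.io.IOException
import okio.Buffer
import okio.GzipSource
import okio.buffer

sealed class GunzipResult {
    class Ok(val bytes: ByteArray) : GunzipResult()
    class Malformed(val reason: String) : GunzipResult()
}

/**
 * Decompresses [compressed] and returns a result object instead of letting
 * an exception escape. Catching only IOException is the weak pattern: on an
 * Okio release affected by CVE-2023-3635 a malformed header can surface as a
 * RuntimeException, which an IOException handler never sees. The output cap
 * is a separate defense, against decompression bombs.
 */
fun gunzipSafely(compressed: ByteArray, maxOutput: Long = 16L * 1024 * 1024): GunzipResult {
    val out = Buffer()
    return try {
        GzipSource(Buffer().write(compressed)).buffer().use { gunzipped ->
            while (true) {
                // read() parses the gzip header on the first call, so a
                // malformed header fails here rather than at construction.
                val n = gunzipped.read(out, 8192L)
                if (n == -1L) break
                if (out.size > maxOutput) {
                    return GunzipResult.Malformed("output exceeds $maxOutput bytes")
                }
            }
        }
        GunzipResult.Ok(out.readByteArray())
    } catch (e: IOException) {
        // Truncated data, bad magic, bad CRC: the failures Okio reports as IOException.
        GunzipResult.Malformed("gzip I/O error: ${e.message}")
    } catch (e: RuntimeException) {
        // The unchecked path this advisory is about; the process stays up.
        GunzipResult.Malformed("gzip parser failure: ${e.javaClass.simpleName}: ${e.message}")
    }
}

// Constructed malformed input: a plausible gzip header that sets FEXTRA and
// declares a 0xFFFF-byte extra field, followed by nothing at all.
val malformedGzip: ByteArray = byteArrayOf(
    0x1f, 0x8b.toByte(),            // ID1, ID2: gzip magic
    0x08,                           // CM: deflate
    0x04,                           // FLG: FEXTRA set
    0x00, 0x00, 0x00, 0x00,         // MTIME
    0x00,                           // XFL
    0x03,                           // OS: Unix
    0xff.toByte(), 0xff.toByte(),   // XLEN, little-endian; no extra field follows
)

fun main() {
    when (val r = gunzipSafely(malformedGzip)) {
        is GunzipResult.Ok -> println("decompressed ${r.bytes.size} bytes")
        is GunzipResult.Malformed -> println("rejected: ${r.reason}")
    }
}
```

On a fixed release the constructed input should come back as a Malformed result carrying an I/O error, because the declared extra-field bytes never arrive. The point of the second catch block is that on an affected release the same call path can fail with an unchecked exception instead, and without it that exception would unwind past the IOException handler and take the calling thread with it. Keep the RuntimeException catch narrow to the decompression call; catching it around a whole request handler hides genuine programming errors.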

What are the Known Public Exploits?

No public proof-of-concept exploits are listed for this CVE (no PoC, author, link, or commentary entries).

What are the Available Fixes for CVE-2023-3635?

Available Upgrade Options

  • com.squareup.okio:okio-jvm
    • >=2.0.0-RC1, <3.4.0 → Upgrade to 3.4.0
  • com.squareup.okio:okio
    • <1.17.6 → Upgrade to 1.17.6
  • com.squareup.okio:okio
    • >=2.0.0-RC1, <3.4.0 → Upgrade to 3.4.0
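In most JVM projects Okio arrives transitively, most often through OkHttp, so bumping a direct dependency is not enough. The Gradle Kotlin DSL fragment below is an added example, not something from this advisory or the Okio project; it assumes a project with the java or kotlin("jvm") plugin applied, so that the implementation configuration exists. A dependency constraint raises the resolved version to the fixed release wherever the artifact appears in the graph, without forcing a downgrade if a newer version is already selected.

```kotlin
// build.gradle.kts (added example, not from the advisory): make sure the
// resolved Okio version is at least the fixed release, even when Okio is
// only a transitive dependency of something like OkHttp.
dependencies {
    constraints {
        implementation("com.squareup.okio:okio:3.4.0") {
            because("CVE-2023-3635: GzipSource crash on malformed gzip input")
        }
        // Okio 3.x is multiplatform; JVM consumers resolve to okio-jvm,
        // so constrain both coordinates.
        implementation("com.squareup.okio:okio-jvm:3.4.0") {
            because("CVE-2023-3635: GzipSource crash on malformed gzip input")
        }
    }
}
```

Verify the result rather than trusting the edit: `./gradlew dependencyInsight --configuration runtimeClasspath --dependency com.squareup.okio` prints which version was selected and which declaration or constraint caused it. Projects still on the 1.x line upgrade to 1.17.6 instead; a constraint pinning 3.4.0 there would pull in the 3.x API, which is not a drop-in replacement for 1.x.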


Additional Resources

What are Similar Vulnerabilities to CVE-2023-3635?

Similar Vulnerabilities: CVE-2023-34453, CVE-2023-4316, CVE-2022-42889, CVE-2021-42392, CVE-2020-13778