Describe the bug Recently a CVE was reported for okio versions <3.4.0 (CVE-2023-3635). To resolve this CVE, we wanted to override the okio version to 3.4.0, but Spring doesn't seem to support it.
Sample Error that we are getting:
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'okHttpClientBuilder' defined in class path resource [org/springframework/cloud/commons/httpclient/HttpClientConfiguration$OkHttpClientConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [okhttp3.OkHttpClient$Builder]: Factory method 'okHttpClientBuilder' threw exception; nested exception is java.lang.NoClassDefFoundError: okio/Buffer
We can see that it's coming from okhttp3, which is pulled in by Spring. Is it possible to provide support for okio 3.4 (probably uplifting okhttp3 to 4.9.11 might support it?)
Comment From: wilkinsona
It's hard to tell without a complete stack trace, but it appears that the incompatibility is between OkHttp's okhttp3.OkHttpClient$Builder and okio. As such, it's not clear why you've reported this as a Spring Boot issue. I can also see that you're using Spring Cloud which is a separate project.
Given the above, I think this is really out of Spring Boot's control. 2.7.x uses OkHttp 4.9.x by default and we won't upgrade to a new minor version of OkHttp in a maintenance release of Spring Boot. Assuming that new minors of OkHttp have not broken backwards compatibility, you should be able to override Boot's dependency management to use a version of OkHttp that meets your needs. If you haven't already, please try to do so.
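One way to apply the override described above, as an added Maven example that is not from the thread or from Spring Boot's own code. It assumes Boot's `okhttp3.version` dependency-management property (check the dependency-versions appendix for your Boot version) and that okio is not otherwise managed, so the explicit version takes precedence:

```xml
<!-- Added example (not from the thread): Maven overrides for a Spring Boot 2.7.x project.
     Assumes Boot's dependency management exposes the okhttp BOM version through the
     okhttp3.version property; okio is pinned explicitly because its version is what
     the CVE fix requires. -->
<properties>
  <!-- Replaces the 4.9.x default that Boot 2.7 manages (4.11.0 is a new minor, per the thread). -->
  <okhttp3.version>4.11.0</okhttp3.version>
</properties>

<dependencies>
  <!-- Pin okio directly so the CVE-2023-3635 fix version wins over transitive okio pulls. -->
  <dependency>
    <groupId>com.squareup.okio</groupId>
    <artifactId>okio</artifactId>
    <version>3.4.0</version>
  </dependency>
</dependencies>
```

Confirm what actually resolved with `mvn dependency:tree -Dincludes=com.squareup.okio,com.squareup.okhttp3` and then start the application, since the NoClassDefFoundError for okio/Buffer shown in the report only appears at runtime. The reporter later found okhttp 4.11 and okio 3.4.0 still incompatible, so a clean dependency tree alone is not proof that the override works.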
Comment From: wilkinsona
As far as I know, there is no 4.9.11 release. On Maven Central, 4.9.3 is the latest 4.9.x release.
Comment From: Subrhamanya
From here I can see 4.11 https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp-bom
Comment From: Subrhamanya
Let me uplift the okhttp along with okio and reach out to you.
Comment From: wilkinsona
From here I can see 4.11 https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp-bom
Yes, that's 4.11.0 which, going by major.minor.patch, is a new minor version. FWIW, we have already upgraded to 4.11.0 in 3.2.0-M1 (3.2 is our first new minor since its release).
Comment From: Subrhamanya
Confirmed okhttp 4.11 doesn't support okio 3.4.0. I have tested it.
Thanks @wilkinsona for your time. There is an issue raised to okhttp team https://github.com/square/okhttp/issues/7944
Comment From: wilkinsona
Thanks for following up. This will have to be addressed by the maintainers of okio and okhttp.