CVE-2023-3635 Overview
CVE-2023-3635 is a denial of service vulnerability affecting Squareup Okio, a popular I/O library for Java and Kotlin applications. The vulnerability exists in the GzipSource class, which fails to properly handle exceptions raised when parsing malformed GZIP buffers. An attacker can exploit this flaw by crafting a malicious GZIP archive that triggers an unhandled exception, leading to denial of service of the Okio client.
Critical Impact
Applications using Okio's GzipSource class for GZIP decompression are vulnerable to denial of service attacks through specially crafted malformed GZIP archives, potentially disrupting services that process compressed data.
Affected Products
- Squareup Okio (versions prior to the security patch)
- Applications and libraries dependent on vulnerable Okio versions
- Android applications using Okio for GZIP handling
Discovery Timeline
- 2023-07-12 - CVE-2023-3635 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-3635
Vulnerability Analysis
This vulnerability stems from improper input validation when processing GZIP headers in the GzipSource class. The root cause involves two related weaknesses: CWE-195 (Signed to Unsigned Conversion Error) and CWE-681 (Incorrect Conversion between Numeric Types). When parsing the GZIP header's extra field length (xlen), the code incorrectly handles values where the unsigned 16-bit integer exceeds 0x7fff (32,767). This causes a signed short value to be incorrectly interpreted, resulting in an unhandled exception that crashes the application.
The vulnerability is remotely exploitable without requiring authentication or user interaction. The impact is limited to availability, as successful exploitation causes denial of service but does not compromise confidentiality or integrity.
Root Cause
The root cause is a numeric type conversion error in the GZIP header parsing logic. The readShortLe() method returns a signed short value, which when converted directly to a long, preserves the sign bit. For values where the unsigned representation exceeds 0x7fff, this results in a negative number, causing the subsequent require() call to fail with an exception. The fix properly masks the short value with 0xffff to ensure correct unsigned interpretation.
Attack Vector
The attack vector is network-based, requiring an attacker to deliver a malformed GZIP archive to an application using Okio's GzipSource class. This could occur through:
- Uploading a malicious compressed file to a web application
- Sending crafted compressed data through API endpoints
- Man-in-the-middle attacks on unencrypted data streams containing GZIP content
- Supplying malicious compressed archives to applications that process user-provided compressed data
// Security patch from okio/src/jvmMain/kotlin/okio/GzipSource.kt
// Fix a bug where xlen larger than 0x7fff was rejected (#1280)
if (flags.getBit(FEXTRA)) {
source.require(2)
if (fhcrc) updateCrc(source.buffer, 0, 2)
- val xlen = source.buffer.readShortLe().toLong()
+ val xlen = (source.buffer.readShortLe().toInt() and 0xffff).toLong()
source.require(xlen)
if (fhcrc) updateCrc(source.buffer, 0, xlen)
source.skip(xlen)
Source: GitHub Commit
Detection Methods for CVE-2023-3635
Indicators of Compromise
- Application crashes or unhandled exceptions in code paths handling GZIP decompression
- Abnormal error rates in services processing compressed data
- Log entries showing exceptions in GzipSource or related Okio classes
- Sudden service unavailability following receipt of compressed data
Detection Strategies
- Monitor application logs for unhandled exceptions originating from GzipSource class
- Implement dependency scanning to identify vulnerable Okio versions in your software supply chain
- Use software composition analysis (SCA) tools to detect affected library versions
- Set up alerting for unusual patterns of GZIP parsing failures
Monitoring Recommendations
- Configure application performance monitoring (APM) to track exception rates in GZIP processing components
- Enable detailed logging for data decompression operations to capture malformed input attempts
- Implement health checks that can detect service degradation from repeated crashes
- Monitor for unusual network traffic patterns involving compressed data payloads
How to Mitigate CVE-2023-3635
Immediate Actions Required
- Update Squareup Okio to the patched version that includes commit 81bce1a30af244550b0324597720e4799281da7b
- Audit your dependency tree to identify all applications using vulnerable Okio versions
- Implement input validation to reject suspicious GZIP archives before processing
- Consider rate limiting on endpoints that accept compressed data to reduce DoS impact
Patch Information
The vulnerability has been addressed by Square in the Okio library. The fix modifies the GzipSource.kt file to properly handle unsigned 16-bit values in the GZIP extra field length by applying a bitmask (and 0xffff) to convert the signed short to an unsigned representation. The security patch is available in the GitHub commit. Organizations should update to the latest stable release of Okio that includes this fix.
Workarounds
- Implement exception handling around GzipSource usage to gracefully handle parsing failures
- Add pre-validation of GZIP headers before passing to GzipSource for processing
- Deploy web application firewalls (WAF) rules to inspect and filter potentially malicious compressed payloads
- Consider wrapping GzipSource operations in a timeout mechanism to limit crash impact
# Configuration example - Maven dependency update
# Update your pom.xml to use the patched Okio version
# Check https://github.com/square/okio/releases for the latest patched version
# Example: mvn versions:use-latest-releases -Dincludes=com.squareup.okio:okio
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
