GHSA-h4h5-3hr4-j3g2

Source

https://github.com/advisories/GHSA-h4h5-3hr4-j3g2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json

Aliases

CVE-2022-3171

Published

2022-10-04T22:17:15Z

Modified

2024-02-17T05:33:48.377272Z

Details

Summary

A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Reporter: OSS Fuzz

Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.

Severity

CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)

Remediation and Mitigation

Please update to the latest available versions of the following packages:

protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)

References

Affected packages

Maven / com.google.protobuf:protobuf-java

Package

Name: com.google.protobuf:protobuf-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.21.0-rc-1

Fixed

3.21.7

Affected versions

3.*

3.21.0-rc-1

3.21.0-rc-2

3.21.0

3.21.1

3.21.2

3.21.3

3.21.4

3.21.5

3.21.6

Maven / com.google.protobuf:protobuf-kotlin

Package

Name: com.google.protobuf:protobuf-kotlin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.21.0-rc-1

Fixed

3.21.7

Affected versions

3.*

3.21.0-rc-1

3.21.0-rc-2

3.21.0

3.21.1

3.21.2

3.21.3

3.21.4

3.21.5

3.21.6

RubyGems / google-protobuf

Package

Name: google-protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.21.0.rc.1

Fixed

3.21.7

Affected versions

3.*

3.21.0.rc.1

3.21.0.rc.2

3.21.0

3.21.1

3.21.2

3.21.3

3.21.4

3.21.5

3.21.6

Maven / com.google.protobuf:protobuf-javalite

Package

Name: com.google.protobuf:protobuf-javalite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.21.0-rc-1

Fixed

3.21.7

Affected versions

3.*

3.21.0-rc-1

3.21.0-rc-2

3.21.0

3.21.1

3.21.2

3.21.3

3.21.4

3.21.5

3.21.6

Maven / com.google.protobuf:protobuf-kotlin-lite

Package

Name: com.google.protobuf:protobuf-kotlin-lite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.21.0-rc-1

Fixed

3.21.7

Affected versions

3.*

3.21.0-rc-1

3.21.0-rc-2

3.21.0

3.21.1

3.21.2

3.21.3

3.21.4

3.21.5

3.21.6

Maven / com.google.protobuf:protobuf-java

Package

Name: com.google.protobuf:protobuf-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.20.0-rc-1

Fixed

3.20.3

Affected versions

3.*

3.20.0-rc-1

3.20.0

3.20.1-rc-1

3.20.1

3.20.2

Maven / com.google.protobuf:protobuf-java

Package

Name: com.google.protobuf:protobuf-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.17.0-rc-1

Fixed

3.19.6

Affected versions

3.*

3.17.0-rc-1

3.17.0-rc-2

3.17.0

3.17.1

3.17.2

3.17.3

3.18.0-rc-1

3.18.0-rc-2

3.18.0

3.18.1

3.18.2

3.18.3

3.19.0-rc-1

3.19.0-rc-2

3.19.0

3.19.1

3.19.2

3.19.3

3.19.4

3.19.5

Maven / com.google.protobuf:protobuf-java

Package

Name: com.google.protobuf:protobuf-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.16.3

Affected versions

2.*

2.0.1

2.0.3

2.1.0

2.2.0

2.3.0

2.4.0a

2.4.1

2.5.0

2.6.0

2.6.1

3.*

3.0.0-alpha-2

3.0.0-alpha-3

3.0.0-alpha-3.1

3.0.0-beta-1

3.0.0-beta-2

3.0.0-beta-3

3.0.0-beta-4

3.0.0

3.0.2

3.1.0

3.2.0rc2

3.2.0-rc.1

3.2.0

3.3.0

3.3.1

3.4.0

3.5.0

3.5.1

3.6.0

3.6.1

3.7.0-rc1

3.7.0

3.7.1

3.8.0-rc-1

3.8.0

3.9.0-rc-1

3.9.0

3.9.1

3.9.2

3.10.0-rc-1

3.10.0

3.11.0-rc-1

3.11.0-rc-2

3.11.0

3.11.1

3.11.3

3.11.4

3.12.0-rc-1

3.12.0-rc-2

3.12.0

3.12.1

3.12.2

3.12.4

3.13.0-rc-3

3.13.0

3.14.0-rc-1

3.14.0-rc-2

3.14.0-rc-3

3.14.0

3.15.0-rc-1

3.15.0-rc-2

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.15.5

3.15.6

3.15.7

3.15.8

3.16.0-rc-1

3.16.0-rc-2

3.16.0

3.16.1

Maven / com.google.protobuf:protobuf-kotlin

Package

Name: com.google.protobuf:protobuf-kotlin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.20.0-rc-1

Fixed

3.20.3

Affected versions

3.*

3.20.0-rc-1

3.20.0

3.20.1-rc-1

3.20.1

3.20.2

Maven / com.google.protobuf:protobuf-kotlin

Package

Name: com.google.protobuf:protobuf-kotlin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.17.0-rc-1

Fixed

3.19.6

Affected versions

3.*

3.17.0-rc-2

3.17.0

3.17.1

3.17.2

3.17.3

3.18.0-rc-1

3.18.0-rc-2

3.18.0

3.18.1

3.18.2

3.18.3

3.19.0-rc-1

3.19.0-rc-2

3.19.0

3.19.1

3.19.2

3.19.3

3.19.4

3.19.5

Maven / com.google.protobuf:protobuf-kotlin

Package

Name: com.google.protobuf:protobuf-kotlin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.16.3

RubyGems / google-protobuf

Package

Name: google-protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.20.0.rc.1

Fixed

3.20.3

Affected versions

3.*

3.20.0.rc.1

3.20.0.rc.2

3.20.0

3.20.1.rc.1

3.20.1

3.20.2

RubyGems / google-protobuf

Package

Name: google-protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.17.0.rc.1

Fixed

3.19.6

Affected versions

3.*

3.17.0.rc.1

3.17.0.rc.2

3.17.0

3.17.1

3.17.2

3.17.3

3.18.0.rc.1

3.18.0.rc.2

3.18.0

3.18.1

3.18.2

3.18.3

3.19.0.rc.1

3.19.0.rc.2

3.19.0

3.19.1

3.19.2

3.19.3

3.19.4

3.19.5

RubyGems / google-protobuf

Package

Name: google-protobuf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.16.3

Affected versions

3.*

3.0.0.alpha.1.0

3.0.0.alpha.1.1

3.0.0.alpha.2.0

3.0.0.alpha.3

3.0.0.alpha.3.1.pre

3.0.0.alpha.4.0

3.0.0.alpha.5.0.3

3.0.0.alpha.5.0.4

3.0.0.alpha.5.0.5

3.0.0.alpha.5.0.5.1

3.0.0

3.0.2

3.1.0.0.pre

3.1.0

3.2.0

3.2.0.1

3.2.0.2

3.2.1.pre

3.3.0

3.4.0.1

3.4.0.2

3.4.1.1

3.5.0.pre

3.5.0

3.5.1

3.5.1.1

3.5.1.2

3.6.0

3.6.1

3.7.0.rc.2

3.7.0.rc.3

3.7.0

3.7.1

3.8.0.rc.1

3.8.0

3.9.0.rc.1

3.9.0

3.9.1

3.9.2

3.10.0.rc.1

3.10.1

3.11.0.rc.1

3.11.0.rc.2

3.11.0

3.11.1

3.11.2

3.11.3

3.11.4

3.12.0.rc.1

3.12.0.rc.2

3.12.0

3.12.1

3.12.2

3.12.4

3.13.0.rc.3

3.13.0

3.14.0.rc.1

3.14.0.rc.2

3.14.0.rc.3

3.14.0

3.15.0.rc.1

3.15.0.rc.2

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.15.5

3.15.6

3.15.7

3.15.8

3.16.0.rc.1

3.16.0.rc.2

3.16.0

Maven / com.google.protobuf:protobuf-javalite

Package

Name: com.google.protobuf:protobuf-javalite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.20.0-rc-1

Fixed

3.20.3

Affected versions

3.*

3.20.0-rc-1

3.20.0

3.20.1-rc-1

3.20.1

3.20.2

Maven / com.google.protobuf:protobuf-javalite

Package

Name: com.google.protobuf:protobuf-javalite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.17.0-rc-1

Fixed

3.19.6

Affected versions

3.*

3.17.0-rc-1

3.17.0-rc-2

3.17.0

3.17.1

3.17.2

3.17.3

3.18.0-rc-1

3.18.0-rc-2

3.18.0

3.18.1

3.18.2

3.18.3

3.19.0-rc-1

3.19.0-rc-2

3.19.0

3.19.1

3.19.2

3.19.3

3.19.4

3.19.5

Maven / com.google.protobuf:protobuf-javalite

Package

Name: com.google.protobuf:protobuf-javalite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.16.3

Affected versions

3.*

3.8.0-rc-1

3.8.0

3.9.0-rc-1

3.9.0

3.9.1

3.9.2

3.10.0-rc-1

3.10.0

3.11.0-rc-1

3.11.0-rc-2

3.11.0

3.11.1

3.11.3

3.11.4

3.12.0-rc-1

3.12.0-rc-2

3.12.0

3.12.1

3.12.2

3.12.4

3.13.0-rc-3

3.13.0

3.14.0-rc-1

3.14.0-rc-2

3.14.0-rc-3

3.14.0

3.15.0-rc-1

3.15.0-rc-2

3.15.0

3.15.1

3.15.2

3.15.3

3.15.4

3.15.5

3.15.6

3.15.7

3.15.8

3.16.0-rc-1

3.16.0-rc-2

3.16.0

3.16.1

Maven / com.google.protobuf:protobuf-kotlin-lite

Package

Name: com.google.protobuf:protobuf-kotlin-lite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.20.0-rc-1

Fixed

3.20.3

Affected versions

3.*

3.20.0-rc-1

3.20.0

3.20.1-rc-1

3.20.1

3.20.2

Maven / com.google.protobuf:protobuf-kotlin-lite

Package

Name: com.google.protobuf:protobuf-kotlin-lite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.17.0-rc-1

Fixed

3.19.6

Affected versions

3.*

3.17.0-rc-2

3.17.0

3.17.1

3.17.2

3.17.3

3.18.0-rc-1

3.18.0-rc-2

3.18.0

3.18.1

3.18.2

3.18.3

3.19.0-rc-1

3.19.0-rc-2

3.19.0

3.19.1

3.19.2

3.19.3

3.19.4

3.19.5

Maven / com.google.protobuf:protobuf-kotlin-lite

Package

Name: com.google.protobuf:protobuf-kotlin-lite

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

3.16.3