GHSA-wrvw-hg22-4m67
- Source
- https://github.com/advisories/GHSA-wrvw-hg22-4m67
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json
- Aliases
- Published
- 2022-01-07T22:31:44Z
- Modified
- 2023-11-08T04:05:00.773426Z
- Details
-
Summary
A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.
Reporter: OSS-Fuzz
Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.
Severity
CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
Proof of Concept
For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.
Remediation and Mitigation
Please update to the latest available versions of the following packages:
- protobuf-java (3.16.1, 3.18.2, 3.19.2)
- protobuf-kotlin (3.18.2, 3.19.2)
- google-protobuf [JRuby gem only] (3.19.2)
- References
-
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
- https://nvd.nist.gov/vuln/detail/CVE-2021-22569
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- https://cloud.google.com/support/bulletins#gcp-2022-001
- https://github.com/protocolbuffers/protobuf
- https://www.oracle.com/security-alerts/cpuapr2022.html
- http://www.openwall.com/lists/oss-security/2022/01/12/4
- http://www.openwall.com/lists/oss-security/2022/01/12/7
Affected packages
Maven / com.google.protobuf:protobuf-java
Package
- Name
- com.google.protobuf:protobuf-java
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed3.16.1
Affected versions
2.*
2.0.1
2.0.3
2.1.0
2.2.0
2.3.0
2.4.0a
2.4.1
2.5.0
2.6.0
2.6.1
3.*
3.0.0-alpha-2
3.0.0-alpha-3
3.0.0-alpha-3.1
3.0.0-beta-1
3.0.0-beta-2
3.0.0-beta-3
3.0.0-beta-4
3.0.0
3.0.2
3.1.0
3.2.0rc2
3.2.0-rc.1
3.2.0
3.3.0
3.3.1
3.4.0
3.5.0
3.5.1
3.6.0
3.6.1
3.7.0-rc1
3.7.0
3.7.1
3.8.0-rc-1
3.8.0
3.9.0-rc-1
3.9.0
3.9.1
3.9.2
3.10.0-rc-1
3.10.0
3.11.0-rc-1
3.11.0-rc-2
3.11.0
3.11.1
3.11.3
3.11.4
3.12.0-rc-1
3.12.0-rc-2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0-rc-3
3.13.0
3.14.0-rc-1
3.14.0-rc-2
3.14.0-rc-3
3.14.0
3.15.0-rc-1
3.15.0-rc-2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0-rc-1
3.16.0-rc-2
3.16.0
RubyGems / google-protobuf
Package
- Name
- google-protobuf
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed3.19.2
Affected versions
3.*
3.0.0.alpha.1.0
3.0.0.alpha.1.1
3.0.0.alpha.2.0
3.0.0.alpha.3
3.0.0.alpha.3.1.pre
3.0.0.alpha.4.0
3.0.0.alpha.5.0.3
3.0.0.alpha.5.0.4
3.0.0.alpha.5.0.5
3.0.0.alpha.5.0.5.1
3.0.0
3.0.2
3.1.0.0.pre
3.1.0
3.2.0
3.2.0.1
3.2.0.2
3.2.1.pre
3.3.0
3.4.0.1
3.4.0.2
3.4.1.1
3.5.0.pre
3.5.0
3.5.1
3.5.1.1
3.5.1.2
3.6.0
3.6.1
3.7.0.rc.2
3.7.0.rc.3
3.7.0
3.7.1
3.8.0.rc.1
3.8.0
3.9.0.rc.1
3.9.0
3.9.1
3.9.2
3.10.0.rc.1
3.10.1
3.11.0.rc.1
3.11.0.rc.2
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0.rc.1
3.12.0.rc.2
3.12.0
3.12.1
3.12.2
3.12.4
3.13.0.rc.3
3.13.0
3.14.0.rc.1
3.14.0.rc.2
3.14.0.rc.3
3.14.0
3.15.0.rc.1
3.15.0.rc.2
3.15.0
3.15.1
3.15.2
3.15.3
3.15.4
3.15.5
3.15.6
3.15.7
3.15.8
3.16.0.rc.1
3.16.0.rc.2
3.16.0
3.17.0.rc.1
3.17.0.rc.2
3.17.0
3.17.1
3.17.2
3.17.3
3.18.0.rc.1
3.18.0.rc.2
3.18.0
3.18.1
3.18.2
3.18.3
3.19.0.rc.1
3.19.0.rc.2
3.19.0
3.19.1
Maven / com.google.protobuf:protobuf-java
Package
- Name
- com.google.protobuf:protobuf-java
Maven / com.google.protobuf:protobuf-java
Package
- Name
- com.google.protobuf:protobuf-java
Maven / com.google.protobuf:protobuf-kotlin
Package
- Name
- com.google.protobuf:protobuf-kotlin