Описание
protobuf-java has a potential Denial of Service issue
Summary
A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Reporter: OSS Fuzz
Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
Severity
CVE-2022-3171 Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
Remediation and Mitigation
Please update to the latest available versions of the following packages:
protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3) protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3) google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
Ссылки
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
- https://nvd.nist.gov/vuln/detail/CVE-2022-3171
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771
- https://github.com/protocolbuffers/protobuf/releases/tag/v21.7
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6
- https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP
- https://security.gentoo.org/glsa/202301-09
Пакеты
com.google.protobuf:protobuf-java
>= 3.21.0-rc-1, < 3.21.7
3.21.7
com.google.protobuf:protobuf-kotlin
>= 3.21.0-rc-1, < 3.21.7
3.21.7
google-protobuf
>= 3.21.0.rc.1, < 3.21.7
3.21.7
com.google.protobuf:protobuf-javalite
>= 3.21.0-rc-1, < 3.21.7
3.21.7
com.google.protobuf:protobuf-kotlin-lite
>= 3.21.0-rc-1, < 3.21.7
3.21.7
com.google.protobuf:protobuf-java
>= 3.20.0-rc-1, < 3.20.3
3.20.3
com.google.protobuf:protobuf-java
>= 3.17.0-rc-1, < 3.19.6
3.19.6
com.google.protobuf:protobuf-java
< 3.16.3
3.16.3
com.google.protobuf:protobuf-kotlin
>= 3.20.0-rc-1, < 3.20.3
3.20.3
com.google.protobuf:protobuf-kotlin
>= 3.17.0-rc-1, < 3.19.6
3.19.6
com.google.protobuf:protobuf-kotlin
< 3.16.3
3.16.3
google-protobuf
>= 3.20.0.rc.1, < 3.20.3
3.20.3
google-protobuf
>= 3.17.0.rc.1, < 3.19.6
3.19.6
google-protobuf
< 3.16.3
3.16.3
com.google.protobuf:protobuf-javalite
>= 3.20.0-rc-1, < 3.20.3
3.20.3
com.google.protobuf:protobuf-javalite
>= 3.17.0-rc-1, < 3.19.6
3.19.6
com.google.protobuf:protobuf-javalite
< 3.16.3
3.16.3
com.google.protobuf:protobuf-kotlin-lite
>= 3.20.0-rc-1, < 3.20.3
3.20.3
com.google.protobuf:protobuf-kotlin-lite
>= 3.17.0-rc-1, < 3.19.6
3.19.6
com.google.protobuf:protobuf-kotlin-lite
< 3.16.3
3.16.3
Связанные уязвимости
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
A parsing issue with binary data in protobuf-java core and lite versio ...