Описание
A potential Denial of Service issue in protobuf-java
Summary
A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.
Reporter: OSS-Fuzz
Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.
Severity
CVE-2021-22569 High - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
Proof of Concept
For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.
Remediation and Mitigation
Please update to the latest available versions of the following packages:
- protobuf-java (3.16.1, 3.18.2, 3.19.2)
- protobuf-kotlin (3.18.2, 3.19.2)
- google-protobuf [JRuby gem only] (3.19.2)
Ссылки
- https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67
- https://nvd.nist.gov/vuln/detail/CVE-2021-22569
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330
- https://cloud.google.com/support/bulletins#gcp-2022-001
- https://www.oracle.com/security-alerts/cpuapr2022.html
- http://www.openwall.com/lists/oss-security/2022/01/12/4
- http://www.openwall.com/lists/oss-security/2022/01/12/7
Пакеты
com.google.protobuf:protobuf-java
< 3.16.1
3.16.1
google-protobuf
< 3.19.2
3.19.2
com.google.protobuf:protobuf-java
>= 3.18.0, < 3.18.2
3.18.2
com.google.protobuf:protobuf-java
>= 3.19.0, < 3.19.2
3.19.2
com.google.protobuf:protobuf-kotlin
>= 3.18.0, < 3.18.2
3.18.2
com.google.protobuf:protobuf-kotlin
>= 3.19.0, < 3.19.2
3.19.2
Связанные уязвимости
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
An issue in protobuf-java allowed the interleaving of com.google.proto ...