Description
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated garbage-collection pauses. We recommend upgrading libraries beyond the vulnerable versions.
A flaw was found in protobuf-java. Google Protocol Buffers (protobuf-java) allows the interleaving of com.google.protobuf.UnknownFieldSet fields. By persuading a victim to open specially crafted content, a remote attacker could cause a timeout in the ProtobufFuzzer function, resulting in a denial of service.
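The advisory's remediation is to move past the vulnerable versions, but it does not list them. The script below is an added example, not part of this advisory or of the protobuf project, that scans constructed `mvn dependency:list` output for `com.google.protobuf:protobuf-java` coordinates and flags versions inside the affected ranges. The ranges (below 3.16.1, 3.17.0 up to but excluding 3.18.2, 3.19.0 up to but excluding 3.19.2) are derived from the upstream fix versions 3.16.1, 3.18.2 and 3.19.2 as an assumption; confirm them against the upstream advisory before relying on the result. Pre-release qualifiers such as `3.18.2-rc1` are ordered below their final release so they are still reported as affected.

```python
"""Added example: flag protobuf-java versions that fall in the ranges affected by this advisory.

Assumptions (not stated in the advisory text): upstream fixed the issue in 3.16.1, 3.18.2
and 3.19.2, so the affected ranges are <3.16.1, >=3.17.0 <3.18.2 and >=3.19.0 <3.19.2.
"""
import re

# (inclusive lower bound, exclusive upper bound) as 4-tuples. The 4th element is 0 for a
# pre-release qualifier (e.g. "-rc1") and 1 for a final release, so 3.18.2-rc1 < 3.18.2.
AFFECTED_RANGES = [
    ((0, 0, 0, 0), (3, 16, 1, 1)),
    ((3, 17, 0, 0), (3, 18, 2, 1)),
    ((3, 19, 0, 0), (3, 19, 2, 1)),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.\-]+))?$")


def parse_version(text):
    """Turn '3.19.1' or '3.18.2-rc1' into a comparable tuple; None if it is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    final = 0 if qualifier else 1
    return (int(major), int(minor), int(patch or 0), final)


def is_affected(version):
    """True if the parsed version tuple lies inside any affected range."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


# One Maven dependency:list entry is groupId:artifactId:type[:classifier]:version:scope.
# Requiring ':' right after 'protobuf-java' keeps protobuf-java-util / protobuf-javalite out.
DEP_LINE_RE = re.compile(r"com\.google\.protobuf:protobuf-java:(?P<rest>\S+)")


def find_protobuf_java(line):
    """Return the protobuf-java version string on a Maven dependency line, else None."""
    m = DEP_LINE_RE.search(line)
    if not m:
        return None
    for token in m.group("rest").split(":"):
        if parse_version(token) is not None:
            return token
    return None


def scan(text):
    """Return [(version, affected)] for every protobuf-java coordinate in text, in order."""
    findings = []
    for line in text.splitlines():
        version = find_protobuf_java(line)
        if version is None:
            continue
        findings.append((version, is_affected(parse_version(version))))
    return findings


# Constructed sample of `mvn dependency:list` output; not taken from any real project.
SAMPLE_MAVEN_OUTPUT = """\
[INFO]    com.google.protobuf:protobuf-java:jar:3.19.1:compile
[INFO]    com.google.protobuf:protobuf-java-util:jar:3.19.1:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    com.google.protobuf:protobuf-java:jar:3.16.1:test
[INFO]    com.google.protobuf:protobuf-java:jar:3.18.2-rc1:runtime
"""

if __name__ == "__main__":
    for version, affected in scan(SAMPLE_MAVEN_OUTPUT):
        print(f"protobuf-java {version}: {'AFFECTED' if affected else 'not affected'}")
```

Feed it the real output of `mvn dependency:list` (or the equivalent Gradle resolution after adjusting `DEP_LINE_RE`) to find transitive copies that a direct-dependency bump would miss; a 3.16.x build stays fixed at 3.16.1 and later without moving to the 3.19 line.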
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Will not fix | | |
| Red Hat BPM Suite 6 | protobuf-java | Out of support scope | | |
| Red Hat build of Debezium 1 | protobuf-java | Affected | | |
| Red Hat CodeReady Studio 12 | protobuf-java | Will not fix | | |
| Red Hat Integration Camel K 1 | protobuf-java | Affected | | |
| Red Hat Integration Service Registry | protobuf-java | Affected | | |
| Red Hat JBoss BRMS 5 | protobuf-java | Out of support scope | | |
| Red Hat JBoss BRMS 6 | protobuf-java | Out of support scope | | |
| Red Hat JBoss Data Grid 6 | protobuf-java | Out of support scope | | |
| Red Hat JBoss Data Grid 7 | protobuf-java | Out of support scope | | |
Additional information
Status:
EPSS:
CVSS3: 5.5 Medium
Related vulnerabilities
A potential Denial of Service issue in protobuf-java